After completing this setup guide, you will set up Azure AD B2C and your Atlassian product for the SAML SSO app and also User Sync. Both apps are for Atlassian Server or Data Center products. Additionally, you will enable the SSO redirection and test SSO.

Prerequisites

To use the SAML SSO app with Azure AD B2C, you need the following:

  • An Azure AD subscription
  • An Azure AD B2C Tenant (please check this Microsoft article for more information)
  • A Custom Policy in Azure AD B2C (check this Microsoft article)
  • A (trial) subscription for the SAML SSO app for Atlassian Data Center or Server applications
  • Admin access to your Atlassian Data Center or Server product

Step-By-Step Setup Guide

Install the SAML SSO app for Atlassian Data Center / Server

In your Atlassian product, open the in-product marketplace as described in the Atlassian documentation.
Search for "resolution saml" and click "Install" for SAML Single Sign On (SSO) by resolution Reichert Network Solutions GmbH
.

After the installation is complete, click Manage Apps/Addons

Install SAML SSO App

Configure User Sync

  1. Sign in to http://portal.azure.com.
  2. Select the Directory + Subscription icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
    Azure AD B2C Switch Directory

  3. In the Azure portal, search for and select Azure AD B2C.
    Azure AD B2C

  4. Select App registrations (Preview).
    Azure AD B2C App Registration
  5. Select New registration.
    Azure AD B2C App Registration New Registration (Preview)
  6. Enter a Name for the application.
  7. Select Accounts in any organizational directory or any identity provider.
  8. Under Permissions, select the Grant admin consent to openid and offline_access permissions checkbox.
  9. Click on Register to proceed. 
  10. Select API permissions in the left panel and then Add a permission.
    Azure AD B2C API Permissions
  11. Select Microsoft Graph.
    Microsoft Graph Azure AD B2C

  12. Choose Application permissions.
    Application permissions Azure AD B2c
  13. Expand Directory and tick Directory.Read.All. Afterward, click Add permissions to continue.
    Directory Read All

  14. Click on "Grand admin consent for..."
  15. It should look like this: 

  16. Click on Certificates & secrets in the left panel, and then click on New client secret.

  17. Enter a description for the secret and also set an expiry date. Click on Add to confirm.

  18. Your Client secret will be displayed only once, thus copy the secret's value. Of course, it is possible to create a new secret, if you lost your secret.

  19. Go to the overview page of the Azure AD B2C app. Copy the Application ID and the Directory (tenant ID)
    App Id and Directory ID
  20. Now, it is time to head over to your Atlassian applicationIn your Atlassian application, go to User Sync, click Add Connector and choose Azure AD.
  21. Insert the Application ID, Directory ID and the Application secret into the User Sync connector settings

  22. To take the full advantages of User Sync, you can enable the Scheduled Synchronization from the Sync Settings tab.

  23. Do not forget to save your configuration. Scroll down to the bottom of the page and hit "Save".

Configure SAML SSO

For the next steps, please go to Manage apps (or addons), choose SAML SSO and click Configure.

First Steps - Wizard

  1. After you click "Configure", the Wizard will be triggered. If not, or if you want to add another Identity Prover (IdP) to your existing configuration, click on "+ Add IdP". This guide assumes, that there is no IdP configured.
    The Wizard greets you with information, click on "Add new IdP" to proceed.
  2. For the IdP Type, choose "Azure AD". You can also choose a name. Click on "Next" to continue.
  3. In the next step, you will configure Azure AD B2C. Please keep this tab open or copy the information.

Configure a Custom Policy in Azure AD B2C

For Azure AD B2C, SAML only works via custom policy that you need to create yourself. You can refer to the following Microsoft document for more info about that: https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?msclkid=45673a56c60011ec8f8f44f115d63008&tabs=macos&pivots=b2c-custom-policy 

Finishing the Configuration - Wizard

  1. Paste the App Federation Metadata Url that was obtained before from your custom policy in Azure AD B2C


    add_metadata_url

  2. Click on "Import".
    import_metadata
  3. Click on "Next" to continue.

    next_continue_metadata
  4. For the User Update Method, choose Update with UserSync-Connector. If you additionally want to use the SAML attributes as sent by your identity provider, choose the corresponding option.
    User Update Method1
  5. For UserSync-Connector, choose the one you have created before. Then click on "Save & Next" to continue.


Testing SSO

The wizard also allows testing the Single Sign On. Just follow the steps to test if the login works as expected.

  1. Click on "Start test" to proceed.
    Test SSO
  2. Copy the blue marked link and open a new incognito/private tab or a different web browser. Then, paste the link and navigate to it.
    Start Testing SSO
  3. You will be now redirected to Azure AD's login page. Please log-in with your username and password. 
    If everything worked fine, you will be logged in to your Atlassian product. In the other tab/browser in which you were configuring the SAML SSO plugin, you can see also the "SUCCESS" status, if everything worked as expected.
    Click Next to proceed.
    SSO Test Results

SSO Redirection

As a last step, you can set the Enable SSO Redirect option. If set, all users will be redirected to Single Sign On, thus they will be logged in via the IdP.
Click on
Save & Close to finish the configuration.
Enable SSO Redirection