Goal

After completing this setup guide, you will have a setup for Azure AD B2C and your Atlassian product for the SAML SSO app with Just-in-Time provisioning using the OpenID Connect protocol, for Atlassian Server or Data Center products. Additionally, you will enable the SSO redirection and test SSO.

Prerequisites

To use the SAML SSO app with Azure AD B2C, you need the following:

  • An Azure AD subscription
  • An Azure AD B2C Tenant (please check this Microsoft article for more information)
  • A User Flow on Azure AD B2C (check this Microsoft article)
  • A (trial) subscription for the SAML SSO app for Atlassian Data Center or Server applications
  • Admin access to your Atlassian Data Center or Server product

Step-By-Step Setup Guide

Install the SAML SSO app for Atlassian Data Center / Server

In your Atlassian product, open the in-product marketplace as described in the Atlassian documentation.
Search for "resolution saml" and click "Install" for SAML Single Sign On (SSO) by resolution Reichert Network Solutions GmbH
.

After the installation is complete, click Manage Apps/Addons

Install SAML SSO App

Configure a Just-in-Time Connector via User Sync

  1. In User Sync, click on Create Connector, and select Just-in-Time
  2. Give it your preferred name
  3. Go to the Provisioning Settings. In order for our app to create new users, you must map the UsernameFull Name and E-Mail Address

  4. For Azure AD B2C, you need the following mappings. For this tutorial, we show how to map the username as an example 

    AttributeValue
    Usernameemails
    Full Namename
    E-Mail Addressemails
  5. Click Map on the Username row and enter emails as the attribute. Click Apply to finish

  6. After mapping all necessary attributes, your view should look like this:
  7. Go to the Other Settings tab, and you must either choose an existing directory or click the Create new empty directory... button
  8. Click Save and Return to finish the configuration

Configure SAML SSO

For the next steps, please go to Manage apps (or addons) in your Atlassian product, choose SAML SSO and click Configure.

First Steps - Wizard

  1. After you click "Configure", the Wizard will be triggered. If not, or if you want to add another Identity Prover (IdP) to your existing configuration, click on "+ Add IdP". This guide assumes, that there is no IdP configured.
    The wizard greets you with information, click on "Add new IdP" to proceed
  2. For the IdP Type, choose "Azure AD", and choose "OpenID Connect" for the Authentication Protocol. Give it a name. Click on "Next" to continue

  3. Copy the callback URL to your favourite text editor

  4. In the next steps, you will configure Azure AD B2C. Please keep this tab open to continue later.

Configure the App Registration for the SSO process

  1. Navigate to http://portal.azure.com
  2. Select the Directory + Subscription icon in the portal toolbar, and make sure you have selected the directory that contains your Azure AD B2C tenant
    Azure AD B2C Switch Directory

  3. In the Azure portal, search for and select Azure AD B2C
    Azure AD B2C

  4. Select App registrations
    Azure AD B2C App Registration
  5. Select New registration
    Azure AD B2C App Registration New Registration (Preview)
  6. Enter a Name for the application
  7. Select Accounts in any organizational directory or any identity provider
  8. For the Redirect URIs, select "Web" and enter the Callback URL that you've copied from the wizard earlier
  9. Under Permissions, select the Grant admin consent to openid and offline_access permissions checkbox
  10. Click on Register to proceed
  11. From Overview, copy the Application (client) ID and the Directory (tenant) ID to your favourite text editor
  12. Click on Endpoints, and copy the URL of Azure AD B2C OpenID Connect metadata document to your favourite text editor. Make sure to replace <policy-name> in that URL with your User Flow name (you must have a User Flow created - check this)
  13. Create a User Flow, if you don't have one already created (check this Microsoft article)
  14. In your User Flow, under the Application claims tab, make sure that at least the Display Name, the Email Addresses and the User's Object ID are selected. You can select other claims as well if you want, but those are the mandatory ones for the app
  15. Now, back to the wizard in your Atlassian product. Enter the Client ID and the Client Secret that you have copied from before
  16. For now, just enter the Tenant ID, but we will change that later, since the current wizard doesn't support the User Flow of Azure AD B2C, then click on Import Metadata
  17. You can enable the Single Logout if you want to, then click on Save and Close
  18. In the configuration, scroll down to the OpenID Connect Client Settings section, and click on Show Advanced Azure AD Settings
  19. Change the OpenID Connect Directory URL with the URL that you have copied earlier of Azure AD B2C OpenID Connect metadata document, then click on Import Metadata
  20. Scroll down to the User Creation and Update from UserSync-Connector section, and choose your connector that you have created earlier
  21. Scroll down to the How to search for user to login section, and click on Edit.
  22. Change the mapping to "emails", as follows.
  23. Click on Apply, then make sure to Save the SAML SSO configuration.

Testing SSO

  1. In the System & Support tab, scroll down to the Tracker List section, click on New Tracker and choose the IdP name that you have just configured


  2. Copy the tracker URL and open a new incognito/private window or a different web browser, then paste the link and navigate to it

  3. You will be now redirected to Azure AD B2C's login page. Please log-in with your username and password

  4. If everything worked fine, you will be logged in to your Atlassian product. In the other tab/browser in which you were configuring the SAML SSO plugin, you can see also the "LOGGED_IN" status, if everything worked as expected.

SSO Redirection

As a last step, you can enable the Enable SSO Redirect option. If set, all users will be redirected to Single Sign On, thus they will be logged in via the IdP.
Click on 
Save & Close to finish the configuration.