Important Update Effective February 1, 2024!
Due to recent changes in Jira and Confluence, we've made the tough decision to discontinue the OpenID Connect (OIDC)/OAuth app and no longer provide new versions for the newest Jira/Confluence releases as of January 31, 2024.
This is due to some necessary components no longer shipping with Jira/Confluence, which would require some extensive rewrites of the OIDC App.
OpenID Connect for Okta with User Sync
Goal
Connect and configure Okta and your Atlassian product to work with the SAML SSO app in combination with User Sync using the OpenID Connect protocol.
Prerequisites
To use the SAML SSO app with Okta via OpenID Connect, you need the following:
- an Okta subscription
- the SAML SSO app (User Sync is included in it)
- admin access to your Atlassian product
Step-by-Step Setup Guide
Install the SAML SSO app
In your host instance, open the in-product marketplace as described in the Atlassian documentation.
Search for "resolution saml" and click Install for SAML Single Sign On (SSO) by resolution Reichert Network Solutions GmbH.
After the installation is complete, do not click Manage yet. The first part of the configuration is User Sync related and is described in the next chapter; the SAML SSO app itself is configured in a later step.
Configure Okta for User Sync
Log in to your Okta organization as a user with administrator privileges.
Any type of administrator role is fine. If this administrator role is limited to managing specific groups, only users in those groups are synced. API tokens carry the same permissions as the user who creates them, and if that user's permissions change, the token's permissions change with them. Prefer a dedicated service account with the least privileged admin role that can still read the users and groups you want synced, so the token does not carry more rights than User Sync needs; Okta also invalidates the token when that account is deactivated and expires tokens that go unused for 30 days.
Okta Regular UI
- Click on API (2)
- Click on Tokens (3)
- Click on Create Token (4)
Okta Developer Console/ Classic UI
- Expand the Security node (1)
- Click on API (2)
- Click on Tokens (3)
- Click on Create Token (4)
Name and Create Token
- Name the token and create it
- Copy its value (1) now; it is displayed only once. Treat it like a password. If you lose it, create a new token and revoke the old one in the same Tokens view.
Create User Sync Connector For Okta
Navigate to the administration console for Jira, Confluence, Bitbucket, or Bamboo and search for User Sync here:
Confluence: Confluence Administration/ General Configuration, search for USERS & SECURITY
Jira: User management tab
Bitbucket: Administration/ Accounts
Bamboo: Administration/ Security
Now it is time to configure User Sync in your Atlassian product. Click on Create Connector and select Okta:
Set a Name, enter your Okta domain without the scheme (e.g. yourcompany.okta.com, not https://yourcompany.okta.com), and paste the token value into the API Token field.
To take full advantage of User Sync, click on the Sync Settings tab and Enable Scheduled Synchronization.
You can control the sync interval with the modal but also by editing the Cron expression.
Do not forget to save your configuration. Scroll down to the bottom of the page and press Save or Save and Return.
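Before enabling scheduled synchronization it is worth confirming what the token from the previous chapter can actually see, since the connector will only sync users the token's admin role may read. The script below is an added example, not part of the SAML SSO app or User Sync: it calls Okta's documented GET /api/v1/users endpoint with the SSWS token scheme, follows the Link: rel="next" header Okta uses for pagination, and groups the result by Okta user status. The domain example.okta.com and the two response pages are constructed so the script runs offline; pass your own domain and token with the default fetcher to run it against a real org.

```python
"""Preview the users an Okta API token can read before enabling scheduled sync.

Added example, not code from the SAML SSO app or from Okta. The `fetch`
parameter lets the constructed sample pages below stand in for Okta.
"""
import json
import re
import urllib.request

OKTA_PAGE_LIMIT = 200   # Okta's maximum page size for /api/v1/users


def okta_get(url, token):
    """Real fetcher: one authenticated GET; returns (parsed JSON body, Link header)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"SSWS {token}",   # API tokens use the SSWS scheme, not Bearer
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read()), resp.headers.get("Link", "")


def next_page(link_header):
    """Return the rel="next" URL from an Okta Link header, or None on the last page."""
    match = re.search(r'<([^>]+)>;\s*rel="next"', link_header or "")
    return match.group(1) if match else None


def list_visible_users(okta_domain, token, fetch=okta_get):
    """Walk every page of users the token's admin role is allowed to see."""
    url = f"https://{okta_domain}/api/v1/users?limit={OKTA_PAGE_LIMIT}"
    users = []
    while url:
        page, link = fetch(url, token)
        users.extend(page)
        url = next_page(link)
    return users


def sync_preview(users):
    """Group logins by Okta status so the scope of the token is visible at a glance."""
    preview = {}
    for user in users:
        preview.setdefault(user["status"], []).append(user["profile"]["login"])
    return preview


def mask_token(token):
    """Never log the full token; keep only the last four characters."""
    return "****" + token[-4:]


# Constructed sample standing in for Okta: two pages, the first carrying a next link.
SAMPLE_PAGES = {
    "https://example.okta.com/api/v1/users?limit=200": (
        [{"id": "u1", "status": "ACTIVE", "profile": {"login": "alice@example.com"}},
         {"id": "u2", "status": "DEPROVISIONED", "profile": {"login": "bob@example.com"}}],
        '<https://example.okta.com/api/v1/users?limit=200>; rel="self", '
        '<https://example.okta.com/api/v1/users?after=u2&limit=200>; rel="next"',
    ),
    "https://example.okta.com/api/v1/users?after=u2&limit=200": (
        [{"id": "u3", "status": "ACTIVE", "profile": {"login": "carol@example.com"}}],
        '<https://example.okta.com/api/v1/users?after=u2&limit=200>; rel="self"',
    ),
}


def sample_fetch(url, token):
    """Offline stand-in for okta_get that serves the constructed pages."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    token = "00constructed-token-value"   # constructed; never a real token
    found = list_visible_users("example.okta.com", token, fetch=sample_fetch)
    print(f"token {mask_token(token)} sees {len(found)} users:")
    for status, logins in sync_preview(found).items():
        print(f"  {status}: {', '.join(logins)}")
```

If a group you expect is missing from the preview, the admin role behind the token is scoped too narrowly; fix the role in Okta rather than widening the token, and keep the token out of logs and shell history.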
Configure the SAML SSO App
For the next steps, please go to Manage apps (or addons), choose SAML SSO and click Configure.
First Steps - Wizard
After you click "Configure", the Wizard starts. If it does not, or if you want to add another Identity Provider (IdP) to an existing configuration, click "+ Add IdP". This guide assumes that no IdP is configured yet.
The Wizard greets you with information, click on "Add new IdP" to proceed.
Select Okta for your identity provider and select OpenID Connect for the authentication protocol. Enter a unique name and click Next to continue.
Copy the callback URL to your favourite text editor; you will register it in Okta in the next step.
Next go to your Okta site.
Go to Applications and click Create App Integration.
For the Sign-in method choose OIDC - OpenID Connect and for the Application type choose Web Application. Afterwards continue by selecting Next.
On the next page, set an App integration name and paste the callback URL into Sign-in redirect URIs. Okta matches redirect URIs exactly, so the value must be identical to the one from the wizard, including scheme, host and path. The Sign-out redirect URI can be deleted.
Scroll down to the Assignments section. Here you define who can use this Okta integration to log in, e.g. all users or only certain groups. Select whichever suits you and click Save to continue.
On the next page, copy the Client ID, Client secret and your Okta domain to a text editor of your choice; you will need them later. The Client secret is a credential: keep it out of chat and tickets.
Next, enter your Okta domain from before and click the Import Metadata button.
A success message confirms that the import worked.
To finish the wizard, click Save and Close.
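The three values the wizard depends on are the bare Okta domain, the imported provider metadata, and a redirect URI that Okta accepts. The script below is an added example, not code from the SAML SSO app or from Okta, that checks those values the way a reviewer would before trusting an import. It assumes the Okta org authorization server, whose discovery document is served at https://<okta-domain>/.well-known/openid-configuration, and it checks a constructed copy of that document for the hypothetical domain example.okta.com so it runs offline; the callback path used in the usage example is made up and is not the app's real callback URL.

```python
"""Sanity-check the wizard inputs before importing Okta metadata.

Added example, not code from the SAML SSO app or from Okta. Assumes the
Okta org authorization server (issuer https://<okta-domain>); a custom
authorization server has the issuer https://<okta-domain>/oauth2/<id>.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: the fields of an Okta discovery document that matter here.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def normalize_okta_domain(value):
    """Reduce whatever was pasted to the bare host the connector and wizard expect."""
    value = value.strip()
    if "://" in value:                      # a scheme was pasted anyway
        value = urlsplit(value).netloc
    return value.split("/")[0].rstrip(".").lower()


def check_discovery(okta_domain, raw_json):
    """Return a list of problems; an empty list means the metadata is safe to import."""
    doc = json.loads(raw_json)
    host = normalize_okta_domain(okta_domain)
    problems = []

    issuer = urlsplit(doc.get("issuer", ""))
    issuer_path_ok = issuer.path in ("", "/") or issuer.path.startswith("/oauth2/")
    if issuer.scheme != "https" or issuer.netloc.lower() != host or not issuer_path_ok:
        problems.append(f"issuer {doc.get('issuer')!r} is not served by https://{host}")

    # Every endpoint the app will talk to must be HTTPS on the same host; otherwise a
    # tampered or mistyped document could send codes, tokens or key lookups elsewhere.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = urlsplit(doc.get(key, ""))
        if url.scheme != "https" or url.netloc.lower() != host:
            problems.append(f"{key} {doc.get(key)!r} is not on https://{host}")

    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not offer the authorization code flow")
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("provider does not offer the authorization_code grant")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider does not sign ID tokens with RS256")
    return problems


def redirect_uri_registered(callback_url, sign_in_redirect_uris):
    """Exact string comparison, as OAuth 2.0 redirect URIs should be matched:
    a different scheme, host, port, path or trailing slash is a different URI."""
    return callback_url in sign_in_redirect_uris


if __name__ == "__main__":
    print("domain:", normalize_okta_domain("HTTPS://Example.okta.com/"))
    print("problems:", check_discovery("example.okta.com", SAMPLE_DISCOVERY))
    # Hypothetical callback path, not the app's real one.
    cb = "https://jira.example.com/plugins/servlet/oidc/callback"
    print("registered:", redirect_uri_registered(cb, [cb]))
    print("registered with slash:", redirect_uri_registered(cb, [cb + "/"]))
```

Run check_discovery against the document you actually downloaded from your own domain; a non-empty list is a reason to stop and look at what was imported rather than to click Save and Close.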
Next, scroll down to the User Creation and Update section. Choose Update with UserSync for the User Update Method.
Choose the connector you have created before and click Save.
Testing SSO
To test your configuration, go to the System & Support section of the app and scroll down to the Tracker List.
Click New Tracker. If you have more than one identity provider configured, you must choose which configuration should be used for the login test.
Copy the test URL and open it in an incognito browser window. If something goes wrong during the test, you can create a support ticket that includes this tracker by clicking Contact Support. Additionally, you can contact us by going to https://www.resolution.de/go/support or booking a free meeting via https://www.resolution.de/go/calendly.
Redirect to SSO
After a successful test, the next step is to configure the redirection. With the redirection setting, the app automatically redirects users to log in via OpenID Connect.
To change this setting, go to Redirection in the middle panel.
By checking Enable SSO Redirect, users are redirected to the configured SSO provider for login. If you are running Jira Service Management (JSM), you will find a second option below it.
Click Save to finish the configuration.
If Enable SSO Redirect is enabled, you can still log in to your Atlassian application manually by browsing to the URL that matches your Atlassian application as listed below.
Use this URL if you need to log in as a local user unknown to Okta or if there is any problem with Single Sign On. Keep at least one local administrator account with a strong password for this purpose, so a broken Okta integration cannot lock you out.
- Jira: https://<baseurl>/login.jsp?nosso
- Confluence: https://<baseurl>/login.action?nosso
- Bitbucket: https://<baseurl>/login?nosso
- Bamboo 5: https://<baseurl>/userlogin!default.action?nosso
- Bamboo 6: https://<baseurl>/userlogin!doDefault.action?nosso
Read more about nosso here: https://wiki.resolution.de/doc/saml-sso/latest/jira/further-configuration/disable-password-login-with-nosso-parameter-v2-1-0