Migrating/Cloning an Atlassian Server product with the SAML SSO add-on
General
If you cloned or migrated a Jira, Confluence, Bitbucket or Bamboo instance to a new server and the host/base URL changed (e.g. Dev/Prod/Staging instance), take care of the following on the new instance:
- Because the base URL has changed, ensure that the SAML SSO Entity ID (SAML Single Sign On Configuration -> Service Provider -> Service provider settings) contains the new one (https://<New-BaseURL>/plugins/servlet/samlsso). Using the reset button beside it does that automatically for you.
- If you use either the Signed Authentication Request or the Encryption functionality, a new certificate is required, because the certificate includes the old BaseURL information. To create a new one, go to the SAML SingleSignOn Plugin Configuration -> Service Provider -> Signing and encryption and click the button Generate new Private Key and Certificate.
- Save the configuration.
If you are using the cloned instance as a separate one, i.e. a dev or staging environment, and you don't have a dedicated identity provider configuration yet, create a new one.
If you really moved the instance to a new server and changed the base URL in the process, you need to adjust the existing identity provider configuration accordingly:
The easiest way is to update your identity provider via the SAML SSO metadata provided at the https://<New-BaseURL>/plugins/servlet/samlsso/metadata URL.
You can either use the URL or download the metadata first if your IdP doesn't have direct access to the new Atlassian instance.
If your identity provider doesn't support metadata imports, you need to update the following information manually:
- Identifier/ Entity ID = https://<New-BaseURL>/plugins/servlet/samlsso
- Assertion Consumer Service URL (ACS) (also called Sign On URL) = https://<New-BaseURL>/plugins/servlet/samlsso
- Use the certificate that is shown in our app configuration: Service Provider -> Signing and encryption -> Service Provider Certificate
Update Microsoft AD FS Identity Provider Configuration
- Open the AD FS application on your AD FS server.
- Open your Relying Party Trusts.
- Open the Properties for the specific Relying Party Trust → Monitoring
- Update the Relying party's federation metadata URL (https://<New-BaseURL>/plugins/servlet/samlsso/metadata)
- Click on Apply/OK to save the settings.
- Right-click on the Relying Party Trust -> Update from Federation Metadata. (If this fails, check whether you have defined the correct metadata URL one step above.)
- Check if the Identifiers, Encryption and Signing sections have included the correct information.
- Click on Update.
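
Before handing the metadata to the identity provider (by import or by entering the values manually, as listed above), it can be checked for leftovers from the old instance. The following Python sketch is an added example, not part of the app or its documentation; the function name `check_sp_metadata`, the `example.com` hostnames and the certificate strings are assumptions made for illustration, and it assumes the metadata document has a single `EntityDescriptor` as its root element.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_PATH = "/plugins/servlet/samlsso"  # servlet path as given on this page


def check_sp_metadata(metadata_xml, new_base_url, old_cert_b64=None):
    """Return a list of findings; an empty list means nothing stale was found."""
    expected = new_base_url.rstrip("/") + SP_PATH
    root = ET.fromstring(metadata_xml)  # assumes one EntityDescriptor as root
    findings = []

    entity_id = root.get("entityID", "")
    if entity_id != expected:
        findings.append(f"entityID {entity_id!r} != {expected!r}")

    acs = [e.get("Location", "") for e in root.iterfind(".//md:AssertionConsumerService", NS)]
    if not acs:
        findings.append("no AssertionConsumerService element")
    findings += [f"ACS {u!r} != {expected!r}" for u in acs if u != expected]

    # Compare certificates as whitespace-free base64 so line wrapping is ignored.
    certs = {"".join((e.text or "").split()) for e in root.iterfind(".//ds:X509Certificate", NS)}
    if old_cert_b64 and "".join(old_cert_b64.split()) in certs:
        findings.append("certificate is the one from the old instance")
    return findings


# Constructed sample: hostnames and certificate strings are placeholders, not real values.
OLD_CERT = "Q09OU1RSVUNURUQtT0xELUNFUlQ="
STALE = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://jira-new.example.com/plugins/servlet/samlsso">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{OLD_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://jira-old.example.com/plugins/servlet/samlsso"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for finding in check_sp_metadata(STALE, "https://jira-new.example.com", OLD_CERT):
        print("STALE:", finding)
```

The certificate comparison only detects reuse of the old certificate; it does not inspect the certificate's contents.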