Goal

Configure SAML Single Sign-On for Atlassian Data Center / Server to work with Crowd Data Center and manual provisioning. 

Prerequisites

  • Crowd Data Center
    • Crowd version 3.4 or later
  • Your Atlassian Data Center / Server application must be accessible via HTTPS (read more about it in the Atlassian documentation, e.g., for Jira or Confluence).

Step-by-Step Setup Guide

Below is a detailed guide to completing the setup of the SAML Single Sign On app with Crowd and manual user provisioning, meaning that users from Crowd must already exist in your Atlassian application.

If you need any further support, please feel free to contact us here. 

Install the SAML SSO app


In your Atlassian product, open the in-product marketplace as described in the Atlassian documentation.
Search for "resolution saml" and click "Install" for SAML Single Sign On (SSO) by resolution Reichert Network Solutions GmbH.



After the installation is complete, click on Manage, then choose Configure.

Now, you are on the Add-on / app configuration page and the first step of the setup wizard will appear.




Configure SAML SSO app

To start the wizard and to configure Crowd as your new identity provider, navigate to the administration console and search for SAML Single Sign On here: 

Confluence: Confluence Administration > General Configuration, search for USERS & SECURITY
Jira: User management tab
Bitbucket: Administration/ Accounts
Bamboo: Administration/ Security
Fisheye/ Crucible: Administration/ Security Settings

Click on it and the wizard start page will show.

Add new Identity Provider (IdP)


Click on Add new IdP to start the wizard.


Adding a new IdP can also be done without the wizard in the app configuration section Identity Providers > Add new IdP.


Select Atlassian Crowd CD as IdP Type.
We will change the name to Crowd. You can also add a description if you want. The name needs to be unique.
Click on Next.


Retrieve SAML Metadata for Crowd


Copy the Single sign-on URL from the screen; you'll need it in your Crowd configuration web console.
Click on Next and leave the next screen as it is for now, since we'll continue the setup in Crowd.


Configure Crowd


Now it's time to head over to Atlassian Crowd. You will need to add a new application. Please follow the wizard.

To enable SSO 2.0 in Atlassian Crowd:

Select the application you just created and want to configure SSO for. In the application settings, click the SSO tab and tick the checkbox SSO Enabled. As the next step, download the SSO metadata provided by Crowd.

Import SAML IdP Metadata

It's time to resume configuration on the SAML SSO side. Click Select XML File and choose the metadata file you downloaded before. Then click Import and afterwards continue with Next.

User ID attribute and transformation

Now you can configure the user ID attribute and its transformation options. In our setup, the user ID is sent in the NameID attribute of the IdP in a format that matches the one in the Atlassian product, so we don't need to change anything here (it's recommended to leave this option checked). Click on Next.


User creation and update

Under User Creation and Update, you can leave the setting No User Update and click Save & Next to proceed.


Basic IdP Settings

We will need to change the Login Binding from POST to REDIRECT. Save the setting.

Test configuration of SAML SSO app

The last step of the configuration wizard is a test that can be executed with the Start button.

Please remember that ...

  • The user you are testing with needs to be assigned to the SSO app you've just created in Atlassian Crowd
  • The user also needs to exist in your Atlassian application already


Copy the link displayed and paste it into a new incognito/ private browsing window, to execute a login with Atlassian Crowd.

The status of the authentication process is continuously updated in the window. If successful, you should click Next.

If you need help with an error at this point, please refer to the troubleshooting guide, which will also help us should you open a support ticket with us.
The test window above will already display a lot of information about the errors.



Enable login redirection

The last step of adding Atlassian Crowd as your new IdP is to configure redirect options.
Selecting Enable SSO Redirect will ensure that users are redirected to log in via SAML, instead of via the login form as before the SSO setup.

Complete the setup by clicking Save and Close.


If Enable SSO Redirect is enabled, you can still log in to your Atlassian application manually by browsing to the URL that matches your Atlassian application, as listed below.
Use this URL if you need to log in as a local user unknown to Atlassian Crowd or if there are any issues with Single Sign-On.

  • Jira: https://<baseurl>/login.jsp?nosso
  • Confluence: https://<baseurl>/login.action?nosso
  • Bitbucket: https://<baseurl>/login?nosso
  • Bamboo 5: https://<baseurl>/userlogin!default.action?nosso
  • Bamboo 6: https://<baseurl>/userlogin!doDefault.action?nosso

Read more about nosso here: https://wiki.resolution.de/doc/saml-sso/latest/jira/further-configuration/disable-password-login-with-nosso-parameter-v2-1-0
