SAML Single Sign On Setup Guides for SAML SSO Azure AD Current: Azure AD with Just-in-Time Provisioning Azure AD with Just-in-Time Provisioning GoalAfter completing this setup guide, you will have setup Azure AD with Just-in-Time Provisioning and your Atlassian product for the SAML SSO app. Additionally, you will enable the SSO redirection and test SSO. Azure AD only support transmitting group ids via SAML attributes, not the group names. This tutorial assumes that you manage your groups locally and not with Azure AD. If you like to manage groups via Azure AD and using JIT, you have to edit the manifest of the Azure enterprise application and create a transformation rule per group, which transforms the group id to a name. Please have a look at our KB for further information. PrerequisitesTo use the SAML SSO app with Azure AD, you need the following:An Azure AD subscriptionA (trial) subscription for the SAML SSO appAdmin access to your Atlassian productVideo Guide Step-by-Step Setup GuideInstall the SAML SSO App In your Atlassian product, open the in-product marketplace as described in the Atlassian documentation. Search for "resolution saml" and click "Install" for SAML Single Sign On (SSO) by resolution Reichert Network Solutions GmbH. After the installation is complete, click on Manage, then choose Configure. Now, you are on the Add-on / app configuration page and the first step of the setup wizard will appear. First Steps - Wizard After you clicked "Configure", the Wizard will be triggered. If not, or if you want to add another Identity Prover (IdP) to your existing configuration, click on "+ Add IdP". This guide assumes, that you there is no IdP configured.The Wizard greets you with information, click on "Add new IdP" to proceed. For the IdP Type, choose "Azure AD". You can also choose a name. Click on "Next" to continue. In the next step, you will configure Azure AD. Please keep this tab open or copy the information. Create and Configure an Azure Enterprise App for SAML SSO Adding an Enterprise Application for the SAML SSO AppNavigate to the Azure Portal. In the left panel, click Azure Active Directory.Again, in the left panel under Manage click Enterprise Applications.Now, click New Application to add a new Enterprise Application.We created presets in the gallery for the SAML SSO app. Search for "resolution gmbh" and choose the version which matches your Atlassian product, e.g. "SAML SSO for Jira by resolution GmbH" for Jira. For the rest of this tutorial, the screenshots will show the Jira version of the marketplace app, but the configuration is identical for the other gallery apps. In the next step, click Add to add a new enterprise application. You can also choose new name for it.Please wait until the Azure portal redirects you to the enterprise application you just created. This can take a couple of seconds. For the next steps, you will configure the enterprise application.Deactivate User Assignment RequiredIn the left panel, click Properties. In the new window, scroll down to User assignment required? and set the option to NO. Afterwards Save your configuration. When set to "YES", users and groups must be first added to the Enterprise application before users are able to use SSO. Configure the SSOIn the left panel under Manage, choose "Single sign-on".Click SAML for the Single Sign On method.Next, click the pen symbol in Basic SAML Configuration.Next, set the Identifier (Entity ID) and the Reply URL (Assertion Consumer Service URL). You can find both in the last window of the wizard.In general, the needed URL for both is: https://<base-url>/plugins/servlet/samlsso You need to substitute <base-url> with the base url of your Atlassian product instance. The gallery application already provides the needed URLs. You only have to substitute YOURJIRASERVERNAME with the URL of your Atlassian product instance and then click Save. "YOURJIRASERVERNAME" will be called differently depending on the gallery application, e.g. "YOURCONFLUENCESERVERNAME" for the Confluence version of the gallery application. Afterwards, scroll down to SAML Signing Certificate and copy the App Federation Metadata Url. The link will be used to configure the SAML SSO app.The configuration in Azure AD is now finished. In the next step, we will finish the configuration in the SAML SSO wizard. Finishing the Configuration - Wizard Now, you will paste the App Federation Metadata Url you have obtained before. Paste the App Federation Metadata Url in the "Metadata URL" textfield. You can also configure the plugin without the metadata XML URL. Please choose another option from the dropdown menu and proceed as the wizard guides you. Afterwards, click on "Import".Click on "Next" to continue. For User update, choose Update from SAML-Attributes.The window now expands. There are various options you can set. For this tutorial, new users should be created automatically when first accessing your Atlassian product instance, thus tick "Create New Users". You can also choose the directory for new users or to update non-SAML provisioned users, i.e. which are already present in your Atlassian product. By activating the option, they can also be updated via SAML attributes when they log in.Further, the "Full Name Attribute" and "Email Attribute" must be set. Set the first to http://schemas.microsoft.com/identity/claims/displayname and the second to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name If your eMail Addresses are different from the Login name, you should use the attribute http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress as the Email Attribute instead. However this only works for Users that are Mail enabled (Exchange Online) or have this Attribute sync'd into Azure AD via Directory Connect from Active Directory. If the attribute is empty, User creation will fail. Scroll down to the group settings.Depending on your Atlassian product, it is a good idea to set (default) user group(s) for new users, such as jira-software-users for Jira, confluence-users for Confluence or stash-users for Bitbucket. Without assigning new users to the product specific group, they are not able to use your Atlassian product. Also, feel free to activate any option which suits your needs. Testing SSOThe wizard also allows to test the Single Sign On. Just follow the steps to test if the login works as expected. Click on "Start test" to proceed.Copy the red marked link and open a new incognito/private tab or a different web browser. Then, paste the link and navigate to it. You will be now redirected to Azure AD's login page. Please log-in with you username and password. If everything worked fine, you will logged in into your Atlassian product. In the other tab/browser in which you were configuring the SAML SSO plugin, you can see also the "SUCCESS" status, if everything worked as expected. Click Next to proceed. SSO RedirectionAs a last step, you can set the Enable SSO Redirect option. If set, all users will be redirected to Single Sign On, thus they will be logged in via the IdP. Click on Save & Close to finish the configuration.