OpenID Connector for Google Cloud Identity with Just-In-Time Provisioning


Goal

After completing this setup guide, you will have set up GSuite AD with Just-In-Time Provisioning and your Atlassian product for the SAML SSO app. Additionally, you will test SSO and enable the SSO redirection.



Prerequisites

To use the SAML SSO app with GSuite, you need the following:

  • A GSuite subscription

  • A (trial) subscription for the SAML SSO app

  • Admin access to your Atlassian product

  • You manage your groups locally in your Atlassian product

Step-by-Step Setup Guide


Install the SAML SSO App


In your Atlassian product, open the in-product marketplace as described in the Atlassian documentation.
Search for "resolution saml" and click "Install" for SAML Single Sign On (SSO) by resolution Reichert Network Solutions GmbH.


After the installation is complete, click Manage Apps/Addons.







Configure SAML SSO

For the next steps, please go to Manage apps (or addons), choose SAML SSO and click Configure.

First Steps - Wizard

After you click "Configure", the Wizard starts. If it does not, or if you want to add another Identity Provider (IdP) to your existing configuration, click "+ Add IdP". This guide assumes that no IdP is configured yet.
The Wizard greets you with some information; click "Add new IdP" to proceed.



Select Google Cloud Identity as your identity provider and OpenID Connect as the authentication protocol. Enter a unique name and click Next to continue.


Copy the callback URL to your favourite text editor; you will need it for the Authorized redirect URIs in Google Cloud.


Go to https://console.cloud.google.com and login as an administrator.


Click the name of the currently loaded project.


Click NEW PROJECT.


Enter a Project name and adjust the Organization or Location options if needed.


Creating the project can take a few seconds. When it is done, a notification popup appears. Click SELECT PROJECT to switch to the newly created project.

Now we need to configure the credentials and the consent screen. Click Credentials.

Click CONFIGURE CONSENT SCREEN.

Select the User Type that is appropriate for your needs. Usually this will be Internal. Afterwards, click CREATE to continue.



On the next screen, fill out the required fields. Make sure to scroll down and add the Authorized domain(s). This is the domain of your Atlassian application, e.g. for bitbucket.resolution.de the domain is resolution.de.

Click SAVE AND CONTINUE.



As a last step, Google displays a summary of the consent screen that you must acknowledge.



Next, go back to Credentials.



Click CREATE CREDENTIALS and choose OAuth client ID.



Choose Web Application for the Application Type.



You can enter a name for the web client, but it is not required. What matters is adding the callback URL you copied from the wizard to the Authorized redirect URIs. Then click CREATE.



Google now displays both the Client ID and the Client Secret. Copy both into a text editor of your choice, because you will need them again shortly.



Back in the wizard in the Atlassian product, enter the Client ID and the Client Secret you have just created and copied, then click Next.


Click Import Metadata.



You will see a success message if the import worked.


To finish the wizard, click Save and Close.



To configure Just-In-Time provisioning, go to UserSync.


Click Create Connector and choose Just-In-Time.

On the next screen, you must either choose an existing directory or click the Create new empty directory... button.

Next, go to the Provisioning Settings. For the app to be able to create new users, you must map the Username, Full Name and Email. Additionally, you may want to assign users to groups automatically on creation. You can use Always Assign Users to Certain Groups for this.


For Google Cloud, you need the following mappings. For this tutorial, we show how to map the username as an example.

Attribute         Value
Username          email
Full Name         name
E-Mail Address    email

Click Map on the Username row and enter upn as the attribute. If you need to transform the value, you can do this here. Click Apply to finish.


After mapping all necessary attributes, every row in the mapping overview shows its mapped attribute.



Click Save and Return to finish the configuration.
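As an added example that is not part of this guide or of the SAML SSO app, the following Python models what the Just-In-Time connector configured above does with the claims of a Google ID token: it applies the mapping table (Username and E-Mail Address from email, Full Name from name), a transform on the username, and the default group assignment, and it refuses to create a user when the token is unsuitable. The email_verified and hd claims are standard Google ID-token claims not mentioned in the guide, and the group name and the sample claims are constructed assumptions.

```python
# Added example, not code from the resolution SAML SSO app or from this guide:
# it models the Just-In-Time step above, mapping Google ID-token claims to the
# Atlassian attributes from the table, with the checks a defender wants before
# a local user is created. "email" and "name" are the claims the guide maps;
# "email_verified" and "hd" (hosted domain) are standard Google ID-token claims
# the guide does not mention.

# Atlassian attribute -> ID-token claim, as in the guide's mapping table
ATTRIBUTE_MAP = {"username": "email", "fullname": "name", "email": "email"}

# Groups assigned on creation ("Always Assign Users to Certain Groups");
# the group name is an assumed example.
DEFAULT_GROUPS = ["jira-software-users"]


def transform_username(value: str) -> str:
    """Example transform for the Username row: normalise the e-mail address."""
    return value.strip().lower()


def jit_user(claims: dict, allowed_domain: str) -> dict:
    """Return the user record to create for this login, or raise ValueError
    if the token must not provision a user."""
    # Google sets email_verified only for addresses it has verified; creating
    # a user from an unverified address would let that address pick the username.
    if claims.get("email_verified") is not True:
        raise ValueError("email not verified by Google")
    # Limit JIT creation to the organisation's own GSuite (Workspace) domain.
    if claims.get("hd") != allowed_domain:
        raise ValueError(f"hosted domain {claims.get('hd')!r} not allowed")
    user = {}
    for attribute, claim in ATTRIBUTE_MAP.items():
        if not claims.get(claim):
            raise ValueError(f"missing claim {claim!r} for {attribute}")
        user[attribute] = claims[claim]
    user["username"] = transform_username(user["username"])
    user["groups"] = list(DEFAULT_GROUPS)
    return user


# Constructed sample of the claims that remain after the ID token's
# signature, issuer, audience and nonce have been verified.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "email": "Jane.Doe@example.com",
    "email_verified": True,
    "name": "Jane Doe",
    "hd": "example.com",
}
```

Running jit_user(SAMPLE_CLAIMS, "example.com") yields a user with the lower-cased username, the full name and e-mail from the token, and the default group; a token with an unverified address, a foreign hosted domain or a missing mapped claim is rejected instead of silently creating a partial account.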


Next, we need to assign this connector in the OpenID Connect configuration. Go back to the SAML SSO configuration.

Scroll down to the User Creation and Update section. Choose Update with UserSync for the User Update Method.


Now, select the Just-In-Time connector that was created before and click Save to finish the configuration.
