Below, you can find information to setup Keycloak with our SAML SSO app for Jira Server, Jira Data Center, Confluence Server, Confluence Data Center, Bitbucket Server, Bitbucket Data Center, and other Atlassian products.

If you need help or have questions, you can contact us via our help desk or book a free screen share session at https://resolution.de/go/calendly.

Step-by-Step Guides with SAML2

Based on the user provisioning model you need, pick one of the following step-by-step guides.
See a comparison of each model in the table at the page bottom.

Keycloak with User Sync
Setting up User synchronisation with Keycloak, as well as authentication via SAML
Keycloak with Just-In-Time Provisioning
Setting up authentication via SAML with Keycloak and using Just-in-Time Provisioning to create/update User Accounts during login.
Keycloak with Manual Provisioning
Setting up authentication via SAML with Keycloak for Users that already exist in the Atlassian Server or Data Center product.

Some important notes:

Step-by-Step Guides with OpenID Connect

Some important notes:

Which Step-by-Step Guide should you pick?

Depending on your Atlassian product, you can choose from different user provisioning models.

In general, with Keycloak we support the following ways for user provisioning:

Just in Time Provisioning allows to create and update users on-the-fly when they log in. See our detailed article for JIT.
For Manual User Management, the administrator has to create and update users on Okta and your Atlassian product by hand.
We do not recommend it. See our article for Manual User Management.

As of July 15th, 2019, Keycloak is supported by User Sync so that users can be periodically synced from it,
but also when they log in for the first time into your Atlassian Server or Data Center product. Read our detailed article for User Sync.

Usually we recommend User Sync for user provisioning, a documentation how to use it will be released very soon.

Model/Function

Admin Effort

Pro's and Con's

Just in Time Provisioning

Medium

Creates & Updates users based on information in the SAML Response during Login
Users are only created on their first Login.
Users & Groups are updated only during SAML authentication

Manual User Management

High

Here no sync between Keycloak and Atlassian application happens
Needs manual maintenance of two user bases (or is done via custom developments).

User Sync

Low

Uses Keycloak API to perform regular sync
Users and groups created & updated shortly after done in Keycloak
Users in Atlassian applications can be disabled as a result of a sync, saving licenses
Additional attributes can be written to Jira user properties

Step-by-Step Guides with SAML2

Step-by-Step Guides with OpenID Connect

Which Step-by-Step Guide should you pick?

SAML Single Sign-On is available for Atlassian Server & Atlassian Data Center products. Our Jira Data Center, Confluence Data Center, Bitbucket Data Center, Jira Server, Confluence Server, Bitbucket Server and other apps are all available on the Atlassian Marketplace.

SAML Single Sign-On is available for Atlassian Server & Atlassian Data Center products.

Our Jira Data Center, Confluence Data Center, Bitbucket Data Center, Jira Server, Confluence Server, Bitbucket Server and other apps are all available on the Atlassian Marketplace.