SAML Single Sign-OnSAML Single Sign-On
Try For Free

Keycloak with User Sync

Goal

Configure SAML Single Sign-On to work with Keycloak, using Just-in-Time provisioning to automatically create and update users during Single Sign On.

Prerequisites

  • Identity Provider Keycloak

  • Your Atlassian application must be accessible via HTTPS. (read more about it in the Atlassian documentation, i.e. for Jira or Confluence)

Step-by-Step Setup Guide

This setup guide describes how to complete the initial setup for SAML Single Sign On (SSO) Add-on with Keycloak,
applicable for Add-on version starting 3.1.0. If you need any further support, please feel free to contact us here

Install the SAML SSO app


In your Atlassian product, open the in-product marketplace as described in the Atlassian documentation.
Search for "resolution saml" and click "Install" for SAML Single Sign On (SSO) by resolution Reichert Network Solutions GmbH


After the installation is complete, click on Manage, then choose Configure

Now, you are on the Add-on / app configuration page and the first step of the setup wizard will appear.

install_saml_sso
install_saml_sso




Configure Keycloak for User Sync

Configuration in the Keycloak Web Console

Login to your Keycloak instance with administrator privileges and enter the Administration Console.


keycloak_admin_console
keycloak_admin_console


Select the realm of the users who should be synchronized and click on Clients in the left-hand navigation bar.


select_realm_clients
select_realm_clients


Click on the Create client button of the client view to register a new client for the User & Group Sync connector.


create_client
create_client


Provide a name for the Client ID and make sure that the Client type is OpenID Connect and click on Next.


create_client_general_settings
create_client_general_settings


In the Capability config tab, enable both the Client authentication and Authorization options, and have the other options as the following screenshot, then click on Next:


create_client_capability_config
create_client_capability_config


Keep the settings in the next tab as is, and click on Save.


create_client_login_settings
create_client_login_settings


The following assignment might not be required when registering a client in the master realm.


Switch to the Service account roles tab and click on the Assign role button.

assign_role_service_account_role
assign_role_service_account_role


Select "Filter by clients" and search for "manage-users" then click enter. Choose "realm-management / manage-users" and click on Assign.


create_client_realm_management
create_client_realm_management


The settings should look like the below now:


create_client_overview
create_client_overview


Go to the Credentials tab, and copy the Client secret. You may regenerate it at any time. 


create_client_credentials
create_client_credentials

Configuration in User & Group Sync Configuration page


In your Atlassian application, go to User Sync, click Create Connector, and select Keycloak.


new_us_connector
new_us_connector


Set a name, insert your Keycloak URL appending /auth at the end, and provide

  • realm name

  • client-id

  • secret

as per your Keycloak setup earlier. Use the Save and Test Connection button to check if User Sync can connect to Keycloak successfully.


connector_config
connector_config


If you want to limit the number of users you sync from Keycloak you can set this up in the Required Groups tab. If you want to sync all users from your realm, you can skip this configuration step. 


connector_required_groups
connector_required_groups


In the User Provisioning and Group Provisioning tab, you can change the attribute mapping for the user and define what groups should be assigned to users in case you don't need all groups from Keycloak. If you leave the settings unchanged, the standard user attributes are synced together with all the groups that have been assigned to the user. 


connector_provisioning_settings
connector_provisioning_settings


In the Sync Settings section, you can configure the Cleanup Behavior and the Scheduled Synchronization. The clean-up defines what should happen to the user when it is not returned by Keycloak any more. The default is deactivating the user. By configuring the Scheduled Synchronization, you can have the sync run periodically without manual interaction. When enabled, the sync runs daily at 2 am, but you can change this if you want. 


connector_cleanup
connector_cleanup


Please ensure that you Save your configuration. 


You are now ready to commence either a simulated or a full sync. By simulating the sync first you will be able to verify your configuration and see what changes User Sync would apply like what users will be added, modified, or not modified. With the full sync, User Sync will apply those changes. Both sync actions will run a full sync and will have the same sync duration. For more information on the sync simulation, please refer to Using the Simulated Sync Feature.


connector_sync_or_simulate
connector_sync_or_simulate


Additional Resources:



Configure SAML SSO app

Add new Identity Provider (IdP)

Click on Add new IdP to start the wizard.

image2019-3-20_10-43-34.png

Adding a new IdP can also be done outside the wizard in the app configuration section Identity Providers

image2019-3-12_9-35-57.png

Select Keycloak for the Identity Provider. For the Authentication Protocol keep SAML2.
You may also change the name and add a description. The name needs to be unique.
Click on Next.

Screenshot 2022-01-19 at 11.04.46.png

Retrieve SAML Metadata for Keycloak Client

The next step enables you to retrieve the information Keycloak needs to work with our SAML SSO app.
Right click on the link highlighted below and save the linked content, a file in xml format.

Click on Next and pause the SAML SSO app configuration for a moment.

image2019-5-27_21-22-30.png

Configure Keycloak for SSO

Head over to your Keycloak administration console 

welcomeToKeycloak.png


Select the realm, if you've more than one configured (this example is using the realm called zizo)

Select Clients and Import client 

import_client.png

and use Browse to open the xml file you've saved earlier, then click on Save

import_client_metadata.png

Leave the main settings untouched unless you know what to configure beyond standard configuration.

saml_capabilities.png

You may now continue with the SAML SSO app configuration.

Import Keycloak IdP Metadata into the SAML SSO for Atlassian Data Center app

You can choose from the following options in the Metadata Upload dropdown

  1. Help me generate a metadata URL

  2. I have a metadata URL

  3. I have a metadata XML file

  4. I want to past my metadata XML

  5. I don't have any metadata and want to enter the data manually


The preferred option is 2, using the metadata URL from Keycloak which will allow automatic updates of the metadata later.

You can construct the metadata URL yourself:

https://<your-keycloak-instance-name/auth/realms/<your-realm-in-lowercase>/protocol/saml/descriptor

Opening the URL should reveal an XML file with a first node called <EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">

In the Import SAML IdP Metadata screen of the wizard, select the following options and paste the URL:

image2019-5-29_11-29-50.png

Proceed with the next steps described below.

Configure remaining SAML SSO app settings 

User ID attribute and transformation

It's recommended to leave this option checked.
Click on Next.

image2019-3-20_11-0-22.png

User creation and update

This part of the configuration defines how users are provisioned in the Atlassian application, during Single Sign On with Keycloak.

  • select Update with UserSync-Connector as User Update Method

  • check the Reactivate inactive users checkbox, if you want

  • select the User Sync connector created earlier

Click Save & Next to proceed as this is all you'll need to do when using User Sync for user provisioning with SAML SSO.

image2019-9-5_16-18-53.png


Back to Top

Test configuration of SAML SSO app

As a last step you can test your settings which can be executed by clicking on the corresponding Start test button.

Copy the link displayed and paste it into a new incognito/ private browsing window, and execute a login against Keycloak,
using a user and password which is a member of your realm in Keycloak.

The status of the authentication process is permanently updated in the window.

image2019-5-29_11-34-46.png

If there is any error at this point you need help with, please refer to the troubleshooting guide, which will also help us, should you open a support ticket with us.
Of course the test window above will display a lot of information about the errors already, but requires some deeper knowledge of the SAML protocol.

Back to Top

Enable login redirection

The last step is to configure redirect options, which you should only do if the test before succeeded.
Selecting Enable SSO Redirect will ensure that users are getting redirected to be logged in via SAML,
instead via the login form as before the SSO setup.

The Override Logged Out URL Method can be left at the default option.
It will redirect users after log out to a default page where they can login again via username and password or SSO again.

image2019-5-29_11-53-17.png

Save & Close to complete the setup and close the wizard. You are now ready to use Keycloak with SAML SSO in your Atlassian application.

If Enable SSO Redirect is enabled, you can login to your Atlassian application manually by browsing to the URL that fits your Atlassian application as listed below.
Use this URL, if you need to login a local user unknown to the ADFS or if there are any issues with Single Sign On.

  • Jira: https://<baseurl>/login.jsp?nosso

  • Confluence: https://<baseurl>/login.action?nosso

  • Bitbucket: https://<baseurl>/login?nosso

Back to Top

This site uses cookies to deliver its service & to analyse traffic. By browsing this site, you accept the privacy policy.

Our Wiki uses cookies

We want to give you the best possible experience on our website. For this we use technically required cookies and, if you agree, cookies for analysis and marketing purposes. You can find more information about the cookies in our Privacy Policy. By tapping ‘Accept All,’ you consent to the use of these methods by us and third parties.

Necessary
Always Active
Analytics
Advertisement
Other