OpenID Connector for Microsoft Entra ID (formerly Azure AD) with Just-in-Time Provisioning



Goal

After completing this setup guide, you will have connected Microsoft Entra ID (formerly Azure AD) to your Atlassian product through the SAML SSO for Atlassian Server or Data Center app, with Just-in-Time Provisioning configured. Additionally, you will enable SSO redirection and test SSO.


Prerequisites

To use the SAML SSO app for Atlassian Server or Data Center with Microsoft Entra ID (formerly Azure AD), you need the following:

  • A Microsoft Entra ID (formerly Azure AD) subscription

  • A (trial) subscription for the SAML SSO app

  • Admin access to your Atlassian product


Step-by-Step Setup Guide


Install the SAML SSO App


In your Atlassian product, open the in-product marketplace as described in the Atlassian documentation.
Search for "resolution saml" and click "Install" for SAML Single Sign On (SSO) by resolution Reichert Network Solutions GmbH.


After the installation is complete, click Manage Apps/Addons.




Configure SAML SSO

For the next steps, please go to Manage apps (or addons), choose SAML SSO and click Configure.

First Steps - Wizard

After you click "Configure", the Wizard is triggered. If it is not, or if you want to add another Identity Provider (IdP) to your existing configuration, click "+ Add IdP". This guide assumes that no IdP is configured yet.
The Wizard greets you with some information; click "Add new IdP" to proceed.



Select Azure AD as your identity provider and OpenID Connect as the authentication protocol. Enter a unique name and click Next to continue.

Copy the callback URL to your favourite text editor.



Next, go to https://portal.azure.com

Then, click App registrations and click New registration.



Enter an app name and paste the copied OIDC callback URL into the Redirect URI field.


After the app has been created, copy the Application (client) ID and the Directory (tenant) ID into a text editor of your choice.


Next, go to Certificates & secrets and click New client secret.

Set the expiry to your needs (we recommend 24 months) and click Add.


Copy the secret Value (not the Secret ID) to your editor.

Next, go to Token configuration and click Add optional claim.

For Token type, select ID. For the claim, select upn. Click Add.

If Azure asks whether to turn on the Microsoft Graph profile permission for this claim, confirm it.

If you have guest users in Azure AD who should also use SSO, you need to do the following:

Click on "..." for the upn claim, and click on Edit.


Then enable the Externally authenticated option, and click on Save.



Now, go back to your Atlassian product to finish the wizard.

Enter the Client ID and Client Secret from before.


Next, enter the Azure tenant ID from before and click the Import Metadata button.


You will see this message if the import was successful.
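What the Import Metadata step has to obtain from the tenant is the standard OpenID Connect discovery document. The example below is added to this guide and is not code from the SAML SSO app or from resolution; it assumes that the app fetches the tenant-specific well-known URL built from the Directory (tenant) ID, and it uses a constructed, abbreviated discovery document and a placeholder tenant ID. It shows the checks worth applying before trusting imported metadata: all endpoints present, the issuer tied to the tenant you entered (so another tenant's metadata cannot be imported by mistake), and every endpoint served over HTTPS.

```python
import json
from urllib.parse import urlparse

# Placeholder tenant ID (not a real tenant); replace with your Directory (tenant) ID.
SAMPLE_TENANT_ID = "00000000-0000-0000-0000-000000000000"

# Constructed, abbreviated discovery document shaped like the one Entra ID
# publishes for a tenant. A real document carries many more fields.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Endpoints the authorization-code flow and ID token validation depend on.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(tenant_id: str) -> str:
    """Well-known OpenID Connect discovery URL for one specific Entra ID tenant."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"


def import_metadata(tenant_id: str, document_text: str) -> dict:
    """Parse a discovery document and keep only the endpoints the OIDC flow needs.

    Rejects documents that are missing endpoints, whose issuer does not belong
    to the expected tenant, or that point at non-HTTPS endpoints.
    """
    doc = json.loads(document_text)

    missing = [field for field in REQUIRED_FIELDS if field not in doc]
    if missing:
        raise ValueError(f"discovery document is missing {missing}")

    # Every ID token's 'iss' claim must equal this value; deriving it from the
    # tenant ID you entered guards against importing another tenant's metadata.
    expected_issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if doc["issuer"] != expected_issuer:
        raise ValueError(f"issuer {doc['issuer']!r} does not match tenant {tenant_id}")

    for field in REQUIRED_FIELDS:
        if urlparse(doc[field]).scheme != "https":
            raise ValueError(f"{field} must be an https URL, got {doc[field]!r}")

    return {field: doc[field] for field in REQUIRED_FIELDS}


if __name__ == "__main__":
    print("Would fetch:", discovery_url(SAMPLE_TENANT_ID))
    for name, value in import_metadata(SAMPLE_TENANT_ID, SAMPLE_DISCOVERY_DOC).items():
        print(f"{name:>22}: {value}")
```

Run it with any tenant ID and a document you retrieved yourself from the well-known URL; if the import in the wizard fails, comparing the tenant ID you typed against the issuer in that document is the quickest way to spot a copy-and-paste mistake.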


To finish the wizard, click Save and Close.



To configure Just-In-Time provisioning, go to UserSync.


Click Create Connector and choose Just-In-Time.

On the next screen, you must either select an existing directory or click the Create new empty directory... button.

Next, go to the Provisioning Settings. In order for our app to create new users, you must map the Username, Full Name and Email. Additionally, you may want to assign users to groups automatically on creation; use Always Assign Users to Certain Groups for this.

For Microsoft Entra ID (formerly Azure AD), you need the following mappings. For this tutorial, we show how to map the username as an example.

Attribute         Value
Username          upn
Full Name         name
E-Mail Address    upn


Click Map on the Username row and enter upn as the attribute. If you need to transform the value, you can do this here. Click Apply to finish.


After mapping all necessary attributes, your view should look like this:

Click Save and Return to finish the configuration.
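The mapping table and the Map dialog above describe a small data transformation: three target attributes filled from the ID token's claims, an optional transform per attribute, and a fixed set of groups assigned on creation. The following example is added to this guide and is not code from the SAML SSO app; it assumes the ID token has already been signature-checked and decoded into a dict, uses constructed claim payloads, and treats lower-casing the username as a hypothetical transform (the table itself prescribes none). It also shows the failure mode behind the guest-user note earlier: a token that carries no upn claim cannot satisfy the required Username mapping, so provisioning must refuse rather than create a user with an empty identifier.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class JitUser:
    """Attributes the connector needs before it can create a user."""
    username: str
    full_name: str
    email: str
    groups: tuple


# Target attribute -> (ID token claim, optional transform), per the mapping
# table in the guide. The lower-casing of the username is a hypothetical
# example of the "transform the value" option, not something the table requires.
ATTRIBUTE_MAPPING: dict = {
    "username": ("upn", str.lower),
    "full_name": ("name", None),
    "email": ("upn", None),
}

# Constructed example value for "Always Assign Users to Certain Groups".
ALWAYS_ASSIGN_GROUPS = ("jira-software-users",)

# Constructed ID token payload for a regular member of the tenant.
MEMBER_CLAIMS = {
    "sub": "member-subject-id",
    "upn": "Jane.Doe@example.com",
    "name": "Jane Doe",
}

# Constructed payload for a guest user whose token carries no upn claim,
# the situation the "Externally authenticated" claim option addresses.
GUEST_CLAIMS_WITHOUT_UPN = {
    "sub": "guest-subject-id",
    "name": "Guest User",
}


class ProvisioningError(Exception):
    """Raised when the ID token cannot satisfy a required attribute mapping."""


def provision_from_id_token(
    claims: dict,
    mapping: dict = ATTRIBUTE_MAPPING,
    always_groups: tuple = ALWAYS_ASSIGN_GROUPS,
) -> JitUser:
    """Build the user record the Just-In-Time connector would create.

    Every mapped claim is required: a missing or blank value aborts creation
    instead of producing a user with an empty username or e-mail address.
    """
    resolved = {}
    for target, (claim, transform) in mapping.items():
        value = claims.get(claim)
        if not isinstance(value, str) or not value.strip():
            raise ProvisioningError(
                f"required claim '{claim}' for attribute '{target}' is missing or empty; "
                "user not created"
            )
        resolved[target] = transform(value) if transform else value
    return JitUser(groups=tuple(always_groups), **resolved)


if __name__ == "__main__":
    print(provision_from_id_token(MEMBER_CLAIMS))
    try:
        provision_from_id_token(GUEST_CLAIMS_WITHOUT_UPN)
    except ProvisioningError as err:
        print("guest token rejected:", err)
```

Because the transform is applied per target attribute, the username is lower-cased while the e-mail address keeps the claim's original casing; if you want both normalized, add the transform to both rows in the Map dialog rather than assuming one row affects the other.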


Next, we need to assign this connector in the OpenID Connect configuration. Go back to the SAML SSO configuration.

Scroll down to the User Creation and Update section. Choose Update with UserSync for the User Update Method.


Now, select the Just-In-Time connector that was created before and click Save to finish the configuration.




Testing SSO

To test your configuration, go to the System & Support section of the app and scroll down to the Tracker List.

Click New Tracker. If you have more than one identity provider configured, you must choose which configuration should be used for the login test.

Copy the test URL and open the link in an incognito web browser. If something goes wrong during the test, you can easily create a support ticket that includes this tracker by clicking Contact Support. Additionally, you can contact us by going to https://www.resolution.de/go/support or booking a free meeting via https://www.resolution.de/go/calendly.


Redirect to SSO


After a successful test, the next step is to configure the redirection. With the redirection setting, the app can automatically redirect users to log in via OpenID Connect.

To change this setting, go to Redirection in the middle panel.

By checking Enable SSO Redirect, users will be redirected to the configured SSO provider for login. If you are running JSM, you will find a second option below.

Click Save to finish the configuration.