SAML Single Sign-OnSAML Single Sign-On
Try For Free

OpenID Connect for Okta with Just-In-Time Provisioning



Goal

After completing this setup guide, you will have setup Okta with Just-in-Time Provisioning and your Atlassian product for the SAML SSO for Atlassian Server or Data Center app. Additionally, you test SSO.


Prerequisites

To use the SAML SSO app for Atlassian Server or Data Center with Azure AD, you need the following:

  • An Okta subscription

  • A (trial) subscription for the SAML SSO app

  • Admin access to your Atlassian product


Step-by-Step Setup Guide


Install the SAML SSO App


In your Atlassian product, open the in-product marketplace as described in the Atlassian documentation.
Search for "resolution saml" and click "Install" for SAML Single Sign On (SSO) by resolution Reichert Network Solutions GmbH.


After the installation is complete, click Manage Apps/Addons



Install-25-loop.gif




Configure SAML SSO

For the next steps, please go to Manage apps (or addons), choose SAML SSO and click Configure.

First Steps - Wizard

After you clicked "Configure", the Wizard will be triggered. If not, or if you want to add another Identity Prover (IdP) to your existing configuration, click on "+ Add IdP". This guide assumes, that there is no IdP configured.
The Wizard greets you with information, click on "Add new IdP" to proceed.

welcome_wizard_add_newidp
welcome_wizard_add_newidp


Select Okta for your identity provider and select OpenID Connect for the authentication protocol. Enter a unique name and click Next to continue. 
1 name.png

Copy the callback url to your favourite text editor. 
2 servlet link.png


Next go to your Okta site.

Go to Applications and click Create App Integration.

1 create app.png


For the Sign-in method choose OIDC - OpenID Connect and for the Application type choose Web Application. Afterwards continue by selecting Next.
2 oidc.png

On next page, set an App integration name and paste the callback url to the Sign-in redirect URIs. Additionally, you can delete the Sign-out redirect URI.
3 name and callback.png

Scroll down to the Assignments section. Here you define who can use this Okta integration to login. E.g., you can allow all users to use it or you can restrict it to certain groups. Select what suits you the best way and click Save to continue.
4 assignments.png


On the next page, please copy the Client IDClient secret and your Okta domain to a text editor of your choice. We will need those later again.
5 cred.png


Next, enter your Okta domain from before and click the Import Metadata button.
2 okta domain.png

You will see this message if the import was successful.
5 success.png


To finish the wizard, click Save and Close.

Screenshot 2021-12-08 at 11.06.14.png


To Configure Just-In-Time provisioning, go to UserSync.


Click Create Connector and choose Just-In-Time.
1 create connector.png

On the next screen, you must either choose an existing directory or click the Create new empty directory... button.
2 directory.png

Next, go to the Provisioning Settings. In order for our app to create new users, you must map the UsernameFull Name and Email. Additionally, you may also want to assign users automatically on creation to groups. You can use Always Assign Users to Certain Groups for this.

3 mapping.png

For Azure AD, you need the following mappings. For this tutorial, we show how to map the username as an example.

Attribute

Value

Username

preferred_username

Full Name

name

E-Mail Address

preferred_username


Click Map on the Username row and enter upn as the attribute. If you need to transform the value, you can do this here. Click Apply to finish.
4 add mapping.png


After mapping all necessary attributes, your view should look like this:
Screenshot 2021-12-09 at 09.58.46.png

Click Save and Return to finish the configuration.


Next, we need to assign this connector in the OpenID Connect configuration. Go back to the SAML SSO configuration.

Scroll down to the User Creation and Update section. Choose Update with UserSync for the User Update Method.
1 user update method.png


Now, select the Just-In-Time connector that was created before and click Save to finish the configuration.

connector.png



Testing SSO

To test you configuration, go to the System & Support section of the app and scroll down to the Tracker List.

1 System & Support.png

Click New Tracker. If you have more than one identity provider configured, you must choose which configuration should be used for the log in test.
2 tracker.png

Copy the test url and open the link an incognito web browser. If something goes wrong during the test, you can easily create a support ticket that includes this tracker by click Contact Support. Additionally, you can contact us by going to https://www.resolution.de/go/support or booking a free meeting via https://www.resolution.de/go/calendly.

3 Test.png


Redirect to SSO


After a successful test, the next step is to configure the redirection. With the redirection setting, the app can automatically redirect users to log in via OpenID Connect.

Go change this setting, go to Redirection from the middle panel.

By checking Enable SSO Redirect, users will get redirected to the configured SSO provider for login. If you are running JSM, you find a second option below. 

Click Save to finish the configuration
Screenshot 2022-01-11 at 13.22.40.png

This site uses cookies to deliver its service & to analyse traffic. By browsing this site, you accept the privacy policy.

Our Wiki uses cookies

We want to give you the best possible experience on our website. For this we use technically required cookies and, if you agree, cookies for analysis and marketing purposes. You can find more information about the cookies in our Privacy Policy. By tapping ‘Accept All,’ you consent to the use of these methods by us and third parties.

Necessary
Always Active
Analytics
Advertisement
Other