SAML Single Sign-OnSAML Single Sign-On
Try For Free

OpenAM

Below, you find information to setup OpenAM and our apps. If you our need help or have questions, you can contact us via our helpdesk or book a free screen share session at https://resolution.de/go/calendly.

Step-by-Step Guides

Based on your user provisioning model, pick one of the following step-by-step guides.

In most cases we recommend to use OpenAM with Just-In-Time Provisioning

  • (6.14.x) OpenAM with Just-In-Time Provisioning
    Setting up authentication via SAML with OpenAM and using Just-in-Time Provisioning to create/update User Accounts during login. OpenAM does not support to transmit groups via SAML attributes. Hence, groups must be managed locally in your Atlassian product.

  • (6.14.x) OpenAM with Manual Provisioning
    Setting up authentication via SAML with OpenAM for Users that already exist in the Atlassian product.


Some important notes:


Which Step-by-Step Guide you should pick?

Depending on your Atlassian product, you can choose from different user provisioning models. We recommend using User Sync, since it is easy to setup and maintain


In general, with OpenAM we support the following ways for user provisioning:

  1. Just in Time Provisioning allows to create and update users on-the-fly when they log in. It is not possible to send groups via SAML for OpenAM. Thus, groups must be managed locally. See our detailed article for JIT.

  2. LDAP synchronisation from Active Directory. Is you instance still synchronised to your Active Directory via LDAP, you can continue to do so. Please follow the "Manual User Management" Guide in this scenario.

  3. For Manual User Management, the administrator has to has to create and update users on OpenAM and your Atlassian product by hand. We do not recommend it. See our article for Manuel User Management.


Model/Function

Admin Effort

Pro's and Con's

Just in Time Provisioning

Medium,

need to manage groups locally on your product instance

  • Creates & Updates users based on information in the SAML Response during Login

  • OpenAM does NOT support transmitting groups.

  • Users are only created on their first Login.

  • Users are updated only during SAML authentication.

  • Users cannot be marked disabled (as OpenAM will not complete the Authentication for a deleted/disabled User)




Manual User Management

High

  • Here no sync happens

  • Needs manual maintenance of 2 User bases (or is done via custom developments).


You might also find following documentation helpful:


Frequently Asked Questions
Basics
Licensing and Pricing
Technical



Further Configuration
Update existing User and Remove from Groups
Create or update users through SAML Attributes
Confluence Data Center
Single Sign On for JIRA Issue Collector
Request signing and response encryption
Crowd with remote directories
SAML2 Single Logout (SLO)
Disable password login with nosso-parameter
Organization Assignment
Import aggregated SAML metadata
Alternate AssertionConsumerServiceURL in SAML-Request
Transformations
Deny Password Authentication
Use Fisheye/Crucible with POST binding
Transformations with Groovy
Send the SAML Request to a different URL, e.g. to preselect the hosted domain in Google Cloud Identity
Advanced Attribute Mapping
Single Sign on for JIRA Service Management (JSM)



Troubleshooting
Clear the configuration
Create HAR dump of the login process
Enable detailed logging
SAML SSO Toolbox
Test IdP
Troubleshooting Delays in the Authentication Progress
User Browser