Goal

After completing this setup guide, you will have a setup for SalesForce as Identity Provider with Just-In-Time Provisioning and your Atlassian product for the SAML SSO app. Additionally, you will enable the SSO redirection and test SSO.


Prerequisites

To use the SAML SSO app with SalesForce, you need the following:

  • A SalesForce admin account
  • A (trial) subscription for the SAML SSO app
  • Admin access to your Atlassian product


Step-By-Step Setup Guide

Install The SAML SSO App

In your Atlassian product, open the in-product marketplace as described in the Atlassian documentation.
Search for "resolution saml" and click "Install" for SAML Single Sign On (SSO) by resolution Reichert Network Solutions GmbH



After the installation is complete, click on Manage, then choose Configure

Now, you are on the Add-on/app configuration page, and the first step of the setup wizard will appear.


First Steps - Wizard

After you click "Configure", the Wizard will be triggered. If not, or if you want to add another Identity Prover (IdP) to your existing configuration, click on "+ Add IdP". This guide assumes, that there is no IdP configured.
The Wizard greets you with information, click on "Add new IdP" to proceed.


For the IdP Type, choose "Salesforce.com". You can also choose a name. Click on "Next" to continue.


In the next step, you will configure SalesForce Identity Provider. Please keep this tab open or copy the information.


Configure SalesForce as IdP For SAML SSO

Creating A Domain

Navigate to My Domain page under the Company Settings section in the left panel.

For Step 1, write down your domain name, and click on Check Availability to validate that it's available. Then click on Register Domain.


You should see your domain name in Step 2, after which you should wait for the domain to be registered.


In Step 3, click on Deploy Domain button, which would take you to the final Step 4, having the domain deployed to users.


Configure The Identity Provider

Navigate to Identity Provider page under the Identity section in the left panel, and click on Enable Identity Provider button.


Configure The Service Provider / Connected App

After enabling the Identity Provider, you can click on "Service Providers are now created via Connected Apps. Click here." link on the same page to proceed.

Alternatively, navigate to the App Manager page under the User Interface section from the left panel, then click on New Connected App button on the top right.

Fill in the below details un the Basic Information section:

  • Connected App Name
  • API Name
  • Contact Email

Fill in the below details under the Web App Settings section:

  • Entity Id: use the URL from the plugin configuration wizard - https://<baseURL>/plugins/servlet/samlsso
  • ACS URL: use the URL from the plugin configuration wizard - https://<baseURL>/plugins/servlet/samlsso
  • Name ID Format: choose "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" from the dropdown list
  • Issuer: use your domain that you have created on SalesForce
  • IdP Certificate: choose your certificate

Then Save your settings.


Navigate to the App Manager page under the User Interface section from the left panel.

For the Connected App that you've just created, click on the arrow button on the right, and click on Manage.


Scroll down to the Profiles section, and click on Manage Profiles button to add the desired profiles that you need to give access through the Connected App.

Below is an example.

In the Custom Attributes section, click on New button, to add the user attributes mappings.

Add the following details:

  • Attribute key: firstName
  • Attribute value: $User.FirstName

Then click on the Save button.

Similarly, create two other new custom attributes for last name and e-mail, with the below details:

  • Attribute key: lastName
  • Attribute value: $User.LastName

And:

  • Attribute key: e-mail
  • Attribute value: $User.Email


Get IdP Metadata URL

Navigate to Identity Provider page under the Identity section in the left panel, and copy the link of the Salesforce Identity, since we are going to use it in the plugin configuration.

The configuration in SalesForce is now finished. In the next step, we will finish the configuration in the SAML SSO wizard.


Finishing The Configuration - Wizard

Now, paste the Salesforce Identity Metadata XML link that you have obtained before, in the Metadata URL field.

Click on Import, then Next.

Click on Next.

For the User Update Method, choose "Update from SAML-Attributes" from the dropdown list.

Tick the "Create New Users" checkbox, to create non-existing users in your Atlassian product.

Enter the following attributes:

  • Full Name Attribute: {firstName} {lastName}
  • Email Attribute: e-mail

Click on Save & Next button.


Testing SSO

The wizard also allows testing the Single Sign On. Just follow the steps to test if the login works as expected.

Click on "Start test" to proceed.

Copy the red marked link, and open a new incognito/private tab or a different web browser. Then, paste the link and navigate to it. 

You will now be redirected to SalesForce's login page. Please log-in with your username and password.

If everything works fine, you will be logged in into your Atlassian product. In the other tab/browser in which you were configuring the SAML SSO plugin, you can also see the "SUCCESS" status.

Click Next to proceed.


SSO Redirection

As a last step, you can set the Enable SSO Redirect option. If set, all users will be redirected to Single Sign On, thus they will be logged in via the IdP.

Click on Save & Close to finish the configuration.