How To: Atlassian Access - Configure SAML SSO Authentication

This guide will walk you through the process of configuring SAML/SSO authentication for your managed users in your Atlassian Cloud organization.

For your convenience, there is a video version of this guide at the bottom of this article that shows you how to follow these steps. Also, each heading is hyperlinked to the specific point in the companion video where that topic is covered.

Before you begin, there are some things you will need, and some assumptions I will be making about what you have access to, as a part of this tutorial. If you don’t have the ability to change or update something that is included in this guide, you will need to find someone who can either perform those steps or give you the access you need to perform them.

Prerequisites:

  • You are going to need to be an Atlassian Organization Administrator for your Atlassian Cloud Organization.

  • You are going to need to have a subscription to Atlassian Access.

  • You will need to have managed users as a part of your Atlassian Cloud Organization.

  • In order to modify managed users, you will need to have already verified your domain and claimed your domain accounts. (Follow this guide if you haven’t completed that step yet)

  • You are going to need to have a third-party identity provider set up to the point where you have users and/or groups to be provisioned into your Atlassian Cloud instance.

Configuring SAML Single Sign-On with an Identity Provider

You may wish to also refer to the Atlassian Documentation for setting up SAML as there are guides for every supported identity provider and this guide will only be covering Microsoft Azure AD:

https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-with-an-identity-provider/

In addition, I won’t be covering how to set up Azure AD, as that is outside the scope of this guide. This guide covers only the parts of Microsoft Azure that relate to setting up the integration between Azure AD and Atlassian Access.

Adding Atlassian Cloud app in Azure AD

  1. Start by logging into Azure: https://portal.azure.com/#home

  2. Then click on the “Azure Active Directory” tile on the home page.

  3. Next, click on “Enterprise Applications” in the left-hand menu, followed by “+ New application” from the top menu.

  4. “Atlassian Cloud” should be in the featured applications list, but if it isn’t there, use the search bar to find it. Once you have, click on the tile for it. Then, in the right-hand popup menu, click the create button (you can change the name if you want to, but I’d recommend leaving it at the default of “Atlassian Cloud”).

  5. It will take a couple of minutes to create the new application. Once it’s finished, it will take you to the Atlassian Cloud application overview page. From here, we want to click on the “Get started” link for “2. Set up single sign on”.

Setting up single sign on settings

  1. On the next page select the “SAML“ tile.

  2. Click the “Edit“ button on the “Basic SAML Configuration“ section.

  3. Under Identifier (Entity ID), click the “Add identifier“ link, and add your Atlassian Cloud URL.

  4. Click the default check mark next to your Atlassian Cloud URL, then click on the “Save” button in the top corner of the page.

  5. Once you have successfully saved, you will need to go to your Atlassian Organization Admin page.

Adding SAML configuration to your Atlassian Organization

  1. Log in to your Atlassian Organization Admin page, which you can do by going to https://admin.atlassian.com, then selecting the Organization you wish to manage.

  2. Next, you will want to navigate to the Security → SAML single sign-on menu options.

  3. Click the “Add SAML configuration“ button.

  4. Go back to the Azure portal. Under the “SAML Signing Certificate” section, click on the “download” link for the “Certificate (Base64)”. You will need to save this to your local computer. Note: On a Windows machine you may get a warning about this being an unsafe file; click on the “Keep” button to ignore the warning.

  5. Open the certificate file (Atlassian Cloud.cer) in a text editor, and copy the entire contents of the file to the “Public x509 certificate” field in your Atlassian Add SAML configuration page.

  6. Next, back in the Azure portal, under the “Setup Atlassian Cloud” section, expand the “Configuration URLs”.

  7. Copy the “Azure AD Identifier“ value to the “Identity provider Entity ID“ field in your Atlassian Add SAML configuration page.

  8. Copy the “Login URL“ field value (in the Azure Portal) to the “Identity provider SSO URL“ field in your Atlassian Add SAML configuration page.

  9. Then, click the “Save configuration“ button.

Copying Atlassian SAML configuration to Azure AD

  1. Next, copy the “SP Entity ID“ field value and go back to the Azure Portal.

  2. Click the “Edit“ button on the “Basic SAML Configuration“ section.

  3. Under Identifier (Entity ID), click the “Add identifier“ link, and paste the “SP Entity ID“ field value.

  4. Click the default check mark next to the “SP Entity ID“ field value.

  5. Go back to the Atlassian Admin page and copy the “SP Assertion Consumer Service URL“ field value.

  6. In the same “Basic SAML Configuration” page, under the “Reply URL (Assertion Consumer Service URL)“ heading, click the “Add reply URL“ link.

  7. Paste the value for the “SP Assertion Consumer Service URL” field, and click the default check mark next to it.

  8. Then click on the “Save” button in the top corner of the page.
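
Before moving on to enforcement, the values copied between the two admin pages in the steps above can be sanity-checked offline. The following is an added example, not part of the original guide or of any Atlassian or Microsoft tooling; the function names, dictionary keys and sample values are assumptions made for illustration, and the thumbprint comparison assumes your identity provider displays a SHA-1 certificate thumbprint.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----")

def cert_thumbprints(pem_text):
    """Return (SHA-1, SHA-256) hex thumbprints of the one certificate in pem_text."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one complete PEM certificate, found {len(blocks)}")
    der = base64.b64decode("".join(blocks[0].split()), validate=True)
    if der[:1] != b"\x30":  # a DER-encoded certificate starts with a SEQUENCE tag
        raise ValueError("decoded data does not look like a DER certificate")
    return hashlib.sha1(der).hexdigest().upper(), hashlib.sha256(der).hexdigest().upper()

def check_saml_values(cfg):
    """Return a list of problems in the copied values; an empty list means none found."""
    problems = []
    for key in ("idp_entity_id", "idp_sso_url", "sp_entity_id", "sp_acs_url"):
        value = cfg.get(key, "")
        if not value or value != value.strip():
            problems.append(f"{key}: empty or carries stray whitespace")
        elif key.endswith("_url"):  # only the endpoints must be https URLs
            url = urlparse(value)
            if url.scheme != "https" or not url.netloc:
                problems.append(f"{key}: must be an absolute https URL")
    try:
        sha1, _ = cert_thumbprints(cfg.get("idp_cert_pem", ""))
        shown = re.sub(r"[^0-9A-Fa-f]", "", cfg.get("thumbprint_shown_by_idp", "")).upper()
        if shown and shown != sha1:
            problems.append("idp_cert_pem: SHA-1 thumbprint differs from the one the IdP shows")
    except ValueError as exc:  # also covers base64 decoding errors
        problems.append(f"idp_cert_pem: {exc}")
    return problems

# Constructed sample values: stand-in bytes, not a real certificate; example.com URLs.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode() + "-----END CERTIFICATE-----\n"
SAMPLE_CFG = {
    "idp_entity_id": "https://idp.example.com/tenant-placeholder/",
    "idp_sso_url": "https://idp.example.com/tenant-placeholder/saml2",
    "sp_entity_id": "https://sp.example.com/saml/placeholder",
    "sp_acs_url": "https://sp.example.com/login/callback",
    "idp_cert_pem": SAMPLE_PEM,
}
print(check_saml_values(SAMPLE_CFG) or "no problems found")
```

Replace the sample dictionary with the values from your own admin pages and the full contents of the downloaded .cer file; a truncated paste of the certificate is reported as zero complete certificates found.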

Setting up a Security Policy to Enforce SSO

  1. Once you have successfully saved, you will need to go back to your Atlassian Organization Admin page.

  2. Next, you will want to navigate to the Security → Authentication policies menu options.

  3. If you don’t already have a security policy with “Enforce single sign-on” checked, click Add Policy (otherwise skip to step 5).

  4. In the popup, enter a name for the policy (use something that will make sense later like “Enforce SSO“), then click the “Add“ button.

  5. In the policy screen, make sure to click the checkbox next to “Enforce single sign-on”. Then, click the “Update” button.

  6. Change to the “Members“ tab and click the “Add members“ button.

  7. In the popup, you can either add individual users (up to 20 at a time) or upload a *.csv file of email addresses (up to 1000 at a time) to add managed users to this policy.

  8. Once you are done adding members, click the “Add members“ button.

  9. Depending on how many users you added at once this could take a bit of time to update the policy. You will receive an email when the users have been successfully added to the policy.

6 comments

Olli Suokas June 20, 2022

Great guide but it seems like the Basic SAML configuration section has changed a bit after this guide has been posted online.

Now, if you try to add another Identifier (entity id), you get an error message saying that only one URL can exist or something like that.

So in the end, I only had "auth.atlassian.net/xxxxx" in it.

Monique vdB
Community Manager
August 5, 2022

@Olli Suokas thanks for the report - the product team will make sure to get @Jimmy Seddon the latest and greatest info and we'll update the article! 👍

SURESH BABU
October 13, 2022

Hi Olli, you have to add the extension to the browser. Please add the same and you will have the SAML visibility in Azure AD.

Paulo Silva
September 25, 2023

Hi Support, I still cannot see the new documentation for SSO. Also, I have noticed Jira documentation for SSO is slightly different from the one from Microsoft: Tutorial: Microsoft Entra SSO integration with Atlassian Cloud - Microsoft Entra | Microsoft Learn

Please advise?

Kind Regards, Paulo

System Administrator
January 4, 2024

Thank you!  Having spent ages trying to make sense of Atlassian's own documentation I finally found this.  I think you should be the one writing their help pages.

Haneena Fathima March 11, 2024

Hi, after adding the Authentication policy, is it required to Import users from Microsoft Azure Active Directory (IDP) for SAML single sign-on?
