Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,298,142
Community Members
 
Community Events
165
Community Groups

How To: Atlassian Access - Configure SAML SSO Authentication

This guide will walk you through the process of configuring SAML/SSO authentication for your managed users in your Atlassian Cloud organization.

For your convenience, there is a video version of this guide at the bottom of this article this will show you how to follow these steps. Also, each of the headings are hyperlinked to the specific time interval in the companion video where that topic is covered.

Before you begin, there are some things you will need or assumptions I will be making about what you have access to as a part of this tutorial. If you don’t have the ability to change or update something that is included in this guide you will either need to find someone that has the ability to perform certain steps or can give you the access you need to perform those steps.

Prerequisites:

  • You are going to need to be an Atlassian Organization Administrator for you Atlassian Cloud Organization.

  • You are going to need to have a subscription to Atlassian Access.

  • You will need to have managed users as a part of your Atlassian Cloud Organization.

  • In order to modify managed users, you will need to have already verified your domain and claimed your domain accounts. (Follow this guide if you haven’t completed that step yet)

  • You are going to need to have a Third-party identity provider setup to the point where you have users and/or groups to be provisioned into your Atlassian Cloud instance.

Configuring SAML Single Sign-On with an Identity Provider

You may wish to also refer to the Atlassian Documentation for setting up SAML as there are guides for every supported identity provider and this guide will only be covering Microsoft Azure AD:

https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-with-an-identity-provider/

In addition, I won’t be covering how to setup Azure AD that is outside the scope of this guide. This guide will cover the things you will need to know with Microsoft Azure that relate to setting up the integration between Azure AD and Atlassian Access.

Adding Atlassian Cloud app in Azure AD

  1. Start by logging into Azure: https://portal.azure.com/#home

  2. Then click on the “Azure Active Directory” tile on the home page.
    AzureADPortalScreen.JPG

  3. Next, click on “Enterprise Applications“ in the left hand menu, followed by “+ New application” from the top menu.
    AzureAD_NewApp.JPG

  4. “Atlassian Cloud“ should be in the featured applications list, but if it isn’t there use the search bar to find it. Once you have, click on the tile for it. Then, in the right hand popup menu click the create button (you can change the name if you want to, but I’d recommend leaving it at the default of “Atlassian Cloud”).
    AzureADAtlassianCloud.JPG

  5. It will take a couple of minutes to create the new application. Once it’s finished it will take you to the Atlassian Cloud application overview page. From here, we want to click on the “Get started“ link for “2. Set up single sign on“
    AzureAD_SetupSSO.JPG

Setting up single sign on settings

  1. On the next page select the “SAML“ tile.

  2. Click the “Edit“ button on the “Basic SAML Configuration“ section.

  3. Under Identifier (Entity ID), click the “Add identifier“ link, and add your Atlassian Cloud URL.
    AzureAD_SSOBasicSAMLConfig.JPG

  4. Click the default check mark next to your Atlassian Cloud URL then click on the “Save” button in the top corner of the page.

  5. Once you have successfully saved, you will need to go to your Atlassian Organization Admin page.

Adding SAML configuration to your Atlassian Organization

  1. Login to your Atlassian Organization Admin page, which you can do by going to https://admin.atlassian.com, then selecting the Organization you wish to manage.

  2. Next, you will want to navigate to the Security → SAML single sign-on menu options
    AtlassianAdmin_SAMLConfig.JPG

  3. Click the “Add SAML configuration“ button.
    AtlassianAdmin_AddSAMLConfig.JPG

  4. Go back to the Azure portal. Under the “SAML Signing Certificate“ section, click on the “download” link for the “Certificate (Base64)“. You will need to save this to your local computer. Note: On a Windows machine you may get a warning about this being an unsafe file, click on the “Keep“ button to ignore the warning.

  5. Open the certificate file (Atlassian Cloud.cer) in a text editor, and copy the entire contents of the file to the “Public x509 certificate“ field in your Atlassian Add SAML configuration page.
    AzureAD_SAMLValues.JPG

  6. Next, back in the Azure portal, under the “Setup Atlassian Cloud“ section, expand the “Configuration URLs“

  7. Copy the “Azure AD Identifier“ value to the “Identity provider Entity ID“ field in your Atlassian Add SAML configuration page.
    AtlassianAdmin_AzureADSAMLValues.JPG

  8. Copy the “Login URL“ field value (in the Azure Portal) to the “Identity provider SSO URL“ field in your Atlassian Add SAML configuration page.

  9. Then, click the “Save configuration“ button.

Copying Atlassian SAML configuration to Azure AD

  1. Next, copy the “SP Entity ID“ field value and go back to the Azure Portal.

  2. Click the “Edit“ button on the “Basic SAML Configuration“ section.

  3. Under Identifier (Entity ID), click the “Add identifier“ link, and paste the “SP Entity ID“ field value.
    AtlassianAdmin_SPConfigValues.JPG

  4. Click the default check mark next to the “SP Entity ID“ field value.

  5. Go back to the Atlassian Admin page and copy the “SP Assertion Consumer Service URL“ field value.

  6. In the same “Basic SAML Configuration” page, under the “Reply URL (Assertion Consumer Service URL)“ heading, click the “Add reply URL“ link.
    AzureAD_SPConfigValues.JPG

  7. Paste the value for the “SP Assertion Consumer Service URL” field, and click the default check mark next to it.

  8. Then click on the “Save” button in the top corner of the page.

Setting up a Security Policy to Enforce SSO

  1. Once you have successfully saved, you will need to go back to your Atlassian Organization Admin page.

  2. Next, you will want to navigate to the Security → Authentication policies menu options

  3. If you don’t already have a security policy with “Enforce single sign-on“ checked, click Add Policy (otherwise skip to #5 )

  4. In the popup, enter a name for the policy (use something that will make sense later like “Enforce SSO“), then click the “Add“ button.

  5. In the policy screen make sure to click the checkbox next to “Enforce single sign-on“. The, click the “Update“ button.

  6. Change to the “Members“ tab and click the “Add members“ button.

  7. In the popup, you can either add individual users (up to 20 at a time) or you can upload a *.csv file of email addressed (up to 1000 at a time), to add managed users to this policy.

  8. Once you are done adding members, click the “Add members“ button.

  9. Depending on how many users you added at once this could take a bit of time to update the policy. You will receive an email when the users have been successfully added to the policy.

1 comment

Great guide but it seems like the Basic SAML configuration section has changed a bit after this guide has been posted online.

Now, if you try to add another Identifier (entity id), you get an error message saying that only one URL can exist or something like that.

So in the end, I only had "auth.atlassian.net/xxxxx" in it.

Comment

Log in or Sign up to comment
TAGS
Community showcase
Published in Atlassian Access

Atlassian Access Demo Q&A Recap

Hi Community! Thank you to all who joined our ongoing monthly Atlassian Access demo! We have an engaging group of attendees who asked many great questions. I’ll share a recap of frequently ask...

1,152 views 4 4
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you