This guide will walk you through the process of configuring SAML/SSO authentication for your managed users in your Atlassian Cloud organization.
For your convenience, there is a video version of this guide at the bottom of this article that shows you how to follow these steps. Also, each of the headings is hyperlinked to the specific time interval in the companion video where that topic is covered.
Before you begin, there are some things you will need or assumptions I will be making about what you have access to as a part of this tutorial. If you don’t have the ability to change or update something that is included in this guide you will either need to find someone that has the ability to perform certain steps or can give you the access you need to perform those steps.
You are going to need to be an Atlassian Organization Administrator for your Atlassian Cloud Organization.
You are going to need to have a subscription to Atlassian Access.
You will need to have managed users as a part of your Atlassian Cloud Organization.
In order to modify managed users, you will need to have already verified your domain and claimed your domain accounts. (Follow this guide if you haven’t completed that step yet)
You are going to need to have a third-party identity provider set up to the point where you have users and/or groups to be provisioned into your Atlassian Cloud instance.
You may wish to also refer to the Atlassian Documentation for setting up SAML as there are guides for every supported identity provider and this guide will only be covering Microsoft Azure AD:
In addition, I won’t be covering how to set up Azure AD, as that is outside the scope of this guide. This guide will cover the things you will need to know about Microsoft Azure that relate to setting up the integration between Azure AD and Atlassian Access.
Start by logging into Azure: https://portal.azure.com/#home
Then click on the “Azure Active Directory” tile on the home page.
Next, click on “Enterprise Applications” in the left-hand menu, followed by “+ New application” from the top menu.
“Atlassian Cloud” should be in the featured applications list, but if it isn’t there, use the search bar to find it. Once you have, click on the tile for it. Then, in the right-hand popup menu, click the create button (you can change the name if you want to, but I’d recommend leaving it at the default of “Atlassian Cloud”).
It will take a couple of minutes to create the new application. Once it’s finished, it will take you to the Atlassian Cloud application overview page. From here, we want to click on the “Get started” link for “2. Set up single sign on”.
On the next page, select the “SAML” tile.
Click the “Edit” button on the “Basic SAML Configuration” section.
Under Identifier (Entity ID), click the “Add identifier” link, and add your Atlassian Cloud URL.
Click the default check mark next to your Atlassian Cloud URL, then click on the “Save” button in the top corner of the page.
Once you have successfully saved, you will need to go to your Atlassian Organization Admin page.
Login to your Atlassian Organization Admin page, which you can do by going to https://admin.atlassian.com, then selecting the Organization you wish to manage.
Next, you will want to navigate to the Security → SAML single sign-on menu options.
Click the “Add SAML configuration” button.
Go back to the Azure portal. Under the “SAML Signing Certificate” section, click on the “download” link for the “Certificate (Base64)”. You will need to save this to your local computer. Note: On a Windows machine you may get a warning about this being an unsafe file; click on the “Keep” button to ignore the warning.
Open the certificate file (Atlassian Cloud.cer) in a text editor, and copy the entire contents of the file to the “Public x509 certificate” field in your Atlassian Add SAML configuration page.
Next, back in the Azure portal, under the “Setup Atlassian Cloud” section, expand the “Configuration URLs”.
Copy the “Azure AD Identifier” value to the “Identity provider Entity ID” field in your Atlassian Add SAML configuration page.
Copy the “Login URL” field value (in the Azure Portal) to the “Identity provider SSO URL” field in your Atlassian Add SAML configuration page.
Then, click the “Save configuration” button.
Next, copy the “SP Entity ID” field value and go back to the Azure Portal.
Click the “Edit” button on the “Basic SAML Configuration” section.
Under Identifier (Entity ID), click the “Add identifier” link, and paste the “SP Entity ID” field value.
Click the default check mark next to the “SP Entity ID” field value.
Go back to the Atlassian Admin page and copy the “SP Assertion Consumer Service URL” field value.
In the same “Basic SAML Configuration” page, under the “Reply URL (Assertion Consumer Service URL)” heading, click the “Add reply URL” link.
Paste the value for the “SP Assertion Consumer Service URL” field, and click the default check mark next to it.
Then click on the “Save” button in the top corner of the page.
Once you have successfully saved, you will need to go back to your Atlassian Organization Admin page.
Next, you will want to navigate to the Security → Authentication policies menu options
If you don’t already have a security policy with “Enforce single sign-on” checked, click Add Policy (otherwise skip to #5).
In the popup, enter a name for the policy (use something that will make sense later, like “Enforce SSO”), then click the “Add” button.
In the policy screen, make sure to click the checkbox next to “Enforce single sign-on”. Then, click the “Update” button.
Change to the “Members” tab and click the “Add members” button.
In the popup, you can either add individual users (up to 20 at a time) or you can upload a *.csv file of email addresses (up to 1000 at a time), to add managed users to this policy.
Once you are done adding members, click the “Add members” button.
Depending on how many users you added at once this could take a bit of time to update the policy. You will receive an email when the users have been successfully added to the policy.
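A pre-flight check for the three values copied from Azure into the Atlassian “Add SAML configuration” page (certificate text, Identity provider Entity ID, Identity provider SSO URL), to run before clicking “Save configuration”. This is an added example, not part of the original guide or of either product; the function names and sample values are hypothetical, and it assumes the Base64 download is PEM-armoured with BEGIN/END CERTIFICATE lines.

```python
import base64, hashlib, re
from urllib.parse import urlsplit

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def der_length_ok(der: bytes) -> bool:
    """True if the outer DER SEQUENCE length equals the bytes actually present."""
    if len(der) < 2 or der[0] != 0x30:          # a certificate is a SEQUENCE
        return False
    first = der[1]
    if first < 0x80:                            # short-form length
        return 2 + first == len(der)
    n = first & 0x7F                            # long form: n length octets
    if n == 0 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def check_idp_values(cert_text, entity_id, sso_url):
    """Return (problems, sha256_fingerprint or None) for the pasted values."""
    problems, fingerprint = [], None
    blocks = PEM_RE.findall(cert_text)
    if len(blocks) != 1:                        # partial copy or several certs
        problems.append("expected exactly one complete BEGIN/END CERTIFICATE block")
    else:
        try:
            der = base64.b64decode("".join(blocks[0].split()), validate=True)
        except ValueError:                      # invalid Base64 characters or padding
            der = b""
        if der_length_ok(der):
            fingerprint = hashlib.sha256(der).hexdigest()
        else:                                   # lines lost while copying
            problems.append("certificate body is truncated or not DER")
    if not entity_id or entity_id != entity_id.strip():
        problems.append("entity ID is empty or has stray whitespace")
    url = urlsplit(sso_url)
    if url.scheme != "https" or not url.hostname:
        problems.append("SSO URL must be an https:// URL")
    return problems, fingerprint

# Constructed sample input: placeholder DER bytes, not a real certificate.
_der = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
_b64 = base64.b64encode(_der).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_ENTITY_ID = "https://idp.example/tenant-placeholder/"      # constructed
SAMPLE_SSO_URL = "https://login.idp.example/tenant-placeholder/saml2"  # constructed
```

The returned SHA-256 fingerprint can be recomputed from the saved .cer file to confirm that the text pasted into the “Public x509 certificate” field is the same certificate that was downloaded.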