Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root


1 badge earned


Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!


Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.


Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!


How can I configuration SAML in Keyclock to use atlassian cloud

How can I  configuration SAML  SSO in Keyclock to use atlassian cloud?

I got document to configure here

But Keycloak  unsupported and document not have details enough to setting.

please help guide and show configure example.

3 answers

2 accepted

4 votes
Answer accepted
Philip Colmer
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Jan 06, 2021

Start by creating a SAML client in Keycloak. Call it whatever you like because we'll be changing it later.

In the Keycloak client configuration, turn OFF "Client Signature Required" and click on "Save".

In Atlassian Access, you need to provide three values:

"Identity provider Entity ID" - this will be your server's URL followed by /auth/realms/<realm name>

"Identity provider SSO URL" - this will be your server's URL followed by /auth/realms/<realm name>/protocol/saml

"Public x509 certificate" - this can be obtained from Keycloak. On our server, I found in under Realm Settings - Keys, then clicking on the Certificate button.

With the values entered, Atlassian Access will give you two URIs - SP Entity ID and SP Assertion Consumer Service URL.

Edit the SAML client you created in Keycloak. Change the client ID to be the "SP Entity ID" value. Copy the "SP Assertion Consumer Service URL" and paste it into "Valid Redirect URIs" and "Base URL". Click "Save".

That should do it. Just remember that SSO only works for validated domains.

Hey @Philip Colmer ,

I can confirm that your user Guide works!

Thx a lot for sharing!

Cheers & best,


Excellent, it worked for me too! @Daniel , could you please correct the documentation? The older general instructions and screenshots are wrong.

Like Daniel likes this

@Preston Lee i believe this message was not meant for me.

Hey @Andreas Krupp , @Philip Colmer & @Preston Lee

Thank you for experiment keycloak using SAML sso. Yes the information was quite helpful to reach the endpoint but still I am experiencing an issue. In my case Keycloak is acting as a Identity broker from my LDAP server. LDAP authentication works and reach at my atlassian cloud site but it fails with user not found error. Is this due to anything related to policy? If you want more info, I am happy to provide the details from my client and realm. 

thank you, 


Philip Colmer
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Feb 03, 2022

@Vipin It is important to understand that these steps are for authentication.

It is not (currently) possible to use Keycloak as a means of provisioning users in Atlassian Access. In other words, you either have to manually create users in Atlassian Access so that users can then authenticate, or you have to find another way of getting users created in AA.

Within the Atlassian Admin pages, click on "Directory" and you'll see Managed accounts, User provisioning, G Suite and Domains. If you are synchronising from LDAP to G Suite, you can use that mechanism to provision users. Otherwise, you'll need to click on "User provisioning" to set up automatic provisioning.

For our setup, we're using Okta to synchronise from LDAP and then auto-provision to Atlassian. It generally works well although it doesn't like LDAP accounts that don't have a first name.

If it isn't user provisioning, perhaps you can provide some more details about how you are setting up the users.


Like Ondrej Havel likes this

Hi @Philip Colmer , 


Perfect, you got it right. Atlassian access didn't have access to the users and that denied the access to the Jira software. let me do a few more tests and update here! 


thanks a lot! 


0 votes
Answer accepted
Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Aug 31, 2018

Hi Thanapon,

We don't specifically support / test against Keycloak, so it's covered in the Unsupported identity providers section of our setup document. The details in that section apply in general to any SSO provider that supports SAML (which Keycloak does).

On the other side of the equation, you can follow Keycloak's own documentation for setting up a Client for Atlassian Access to use.


I just want to confirm that I managed to configure SSO from Atlassian Access to Keycloak version 21.1.2. Keyclock changes UI quite often..

I mostly followed instructions here, but also needed to configure some things not explicitly mentioned here:

  • Enable "Sign documents" and "Sign assertions"
    • Set "SAML signature key name" to "KEY_ID"
  • This is mentioned, but I did not realize it first time: on client configuration under "Keys" tab -> disable "Client signature required"

I believe rest is mostly the same. 


Suggest an answer

Log in or Sign up to answer
AUG Leaders

Atlassian Community Events