How can I configure SAML in Keycloak to use Atlassian Cloud

How can I configure SAML SSO in Keycloak to use Atlassian Cloud?

I found the document for configuring it here:

https://confluence.atlassian.com/cloud/saml-single-sign-on-943953302.html

But Keycloak is unsupported and the document does not have enough detail for the settings.

Please help guide me and show a configuration example.

Answer accepted

Start by creating a SAML client in Keycloak. Call it whatever you like because we'll be changing it later.

In the Keycloak client configuration, turn OFF "Client Signature Required" and click on "Save".

In Atlassian Access, you need to provide three values:

"Identity provider Entity ID" - this will be your server's URL followed by /auth/realms/<realm name>

"Identity provider SSO URL" - this will be your server's URL followed by /auth/realms/<realm name>/protocol/saml

"Public x509 certificate" - this can be obtained from Keycloak. On our server, I found it under Realm Settings - Keys, then clicking on the Certificate button.

With the values entered, Atlassian Access will give you two URIs - SP Entity ID and SP Assertion Consumer Service URL.

Edit the SAML client you created in Keycloak. Change the client ID to be the "SP Entity ID" value. Copy the "SP Assertion Consumer Service URL" and paste it into "Valid Redirect URIs" and "Base URL". Click "Save".

That should do it. Just remember that SSO only works for validated domains.
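The procedure above in script form, as an added example that is not part of the original answer or of Keycloak's or Atlassian's own tooling. It derives the three values Atlassian Access asks for from the Keycloak server URL and realm name, pulls the signing certificate out of the realm's SAML metadata (Keycloak publishes it at `.../protocol/saml/descriptor`, which saves copying it from the Keys page by hand), and produces a Keycloak client representation with the settings the answer describes: client ID set to the SP Entity ID, the ACS URL as the only redirect URI and as the base URL, and "Client Signature Required" off. Turning that setting off only stops Keycloak from demanding signed AuthnRequests from Atlassian; the response and assertion signatures Keycloak produces stay on, and the code keeps them on explicitly. The metadata XML, server URL, realm name and the Atlassian SP values are constructed placeholders, and the NameID-as-email setting is an assumption (Atlassian matches the asserted identity to a managed account by email address):

```python
import json
import xml.etree.ElementTree as ET

# SAML metadata namespaces used when parsing the IdP descriptor.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of what GET <server>/auth/realms/<realm>/protocol/saml/descriptor
# returns; the certificate body is a placeholder, not a real key.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sso.example.com/auth/realms/atlassian">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
MIICEXAMPLE
CERTBODY==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.example.com/auth/realms/atlassian/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def idp_values(server_url: str, realm: str) -> dict:
    """The values Atlassian Access asks for, derived exactly as the answer
    describes (server URL + /auth/realms/<realm>, plus /protocol/saml)."""
    base = f"{server_url.rstrip('/')}/auth/realms/{realm}"
    return {
        "idp_entity_id": base,
        "idp_sso_url": f"{base}/protocol/saml",
        # Where Keycloak publishes the realm's SAML IdP metadata (cert included).
        "idp_metadata_url": f"{base}/protocol/saml/descriptor",
    }


def extract_idp_certificate(metadata_xml: str) -> str:
    """Return the base64 body of the IdP signing certificate from the realm
    metadata, whitespace stripped so it can be pasted into Atlassian Access.
    Only 'signing' (or unqualified) KeyDescriptors are considered; an
    encryption-only key would not validate Keycloak's signatures."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text:
            return "".join(cert.text.split())
    raise ValueError("no signing certificate found in IdP metadata")


def keycloak_client(sp_entity_id: str, acs_url: str) -> dict:
    """Keycloak client representation matching the answer's settings.
    clientId = SP Entity ID; ACS URL is the only redirect URI and the base URL;
    'Client Signature Required' is off because Atlassian does not sign
    AuthnRequests, while Keycloak's own response/assertion signing stays on."""
    if not acs_url.startswith("https://"):
        # The assertion is delivered by a browser POST to this URL; never plain http.
        raise ValueError("ACS URL must be https")
    return {
        "clientId": sp_entity_id,
        "protocol": "saml",
        "enabled": True,
        "baseUrl": acs_url,
        "redirectUris": [acs_url],  # exact ACS URL, no wildcard
        "attributes": {
            "saml.client.signature": "false",    # "Client Signature Required" OFF
            "saml.server.signature": "true",     # keep SAML responses signed
            "saml.assertion.signature": "true",  # keep assertions signed
            "saml_name_id_format": "email",      # assumption: Atlassian matches on email
            "saml.force.post.binding": "true",
        },
    }


if __name__ == "__main__":
    values = idp_values("https://sso.example.com", "atlassian")
    values["idp_certificate"] = extract_idp_certificate(SAMPLE_IDP_METADATA)
    print(json.dumps(values, indent=2))
    # Placeholder SP values; use the ones Atlassian Access shows after step one.
    client = keycloak_client(
        "https://auth.atlassian.com/saml/EXAMPLE-SP-ID",
        "https://auth.atlassian.com/login/callback?connection=EXAMPLE-SP-ID",
    )
    print(json.dumps(client, indent=2))
```

Write the second JSON document to a file and import it with `kcadm.sh create clients -r <realm> -f client.json`, or paste the values into the client form by hand. Note that the `/auth` prefix in the URLs is what the answer and Keycloak releases of that era used; newer (Quarkus-based) Keycloak installations drop it unless configured otherwise, so check the realm's descriptor URL resolves before handing the values to Atlassian.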

Hey @Philip Colmer ,

I can confirm that your user Guide works!

Thx a lot for sharing!

Cheers & best,

Andreas

Excellent, it worked for me too! @Daniel , could you please correct the documentation? The older general instructions and screenshots are wrong.


@Preston Lee I believe this message was not meant for me.

Hey @Andreas Krupp , @Philip Colmer & @Preston Lee

Thank you for experimenting with Keycloak using SAML SSO. Yes, the information was quite helpful for reaching the endpoint, but I am still experiencing an issue. In my case Keycloak is acting as an identity broker for my LDAP server. LDAP authentication works and reaches my Atlassian Cloud site, but it fails with a "user not found" error. Is this due to anything related to policy? If you want more info, I am happy to provide the details from my client and realm.

Thank you,

Vipin

@Vipin It is important to understand that these steps are for authentication.

It is not (currently) possible to use Keycloak as a means of provisioning users in Atlassian Access. In other words, you either have to manually create users in Atlassian Access so that users can then authenticate, or you have to find another way of getting users created in AA.

Within the Atlassian Admin pages, click on "Directory" and you'll see Managed accounts, User provisioning, G Suite and Domains. If you are synchronising from LDAP to G Suite, you can use that mechanism to provision users. Otherwise, you'll need to click on "User provisioning" to set up automatic provisioning.

For our setup, we're using Okta to synchronise from LDAP and then auto-provision to Atlassian. It generally works well although it doesn't like LDAP accounts that don't have a first name.

If it isn't user provisioning, perhaps you can provide some more details about how you are setting up the users.

Philip


Hi @Philip Colmer,

Perfect, you got it right. Atlassian Access didn't have access to the users, and that denied access to the Jira software. Let me do a few more tests and update here!

Thanks a lot!

Vipin

Answer accepted
Daniel Eads Atlassian Team Aug 31, 2018

Hi Thanapon,

We don't specifically support / test against Keycloak, so it's covered in the Unsupported identity providers section of our setup document. The details in that section apply in general to any SSO provider that supports SAML (which Keycloak does).

On the other side of the equation, you can follow Keycloak's own documentation for setting up a Client for Atlassian Access to use.

Cheers,
Daniel
