Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Join now to unlock these features and more

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Get started Tell me more
Atlassian Community about banner
4,639,777
Community Members
 
Community Events
196
Community Groups

How can I configuration SAML in Keyclock to use atlassian cloud

Thanapon Srithundorn
Thanapon Srithundorn Aug 31, 2018

How can I  configuration SAML  SSO in Keyclock to use atlassian cloud?

I got document to configure here

https://confluence.atlassian.com/cloud/saml-single-sign-on-943953302.html

But Keycloak  unsupported and document not have details enough to setting.

please help guide and show configure example.

Answer
Watch
Like Danny H. likes this
6024 views

3 answers

2 accepted

2 votes
Answer accepted
Philip Colmer
Philip Colmer
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
Jan 06, 2021

Start by creating a SAML client in Keycloak. Call it whatever you like because we'll be changing it later.

In the Keycloak client configuration, turn OFF "Client Signature Required" and click on "Save".

In Atlassian Access, you need to provide three values:

"Identity provider Entity ID" - this will be your server's URL followed by /auth/realms/<realm name>

"Identity provider SSO URL" - this will be your server's URL followed by /auth/realms/<realm name>/protocol/saml

"Public x509 certificate" - this can be obtained from Keycloak. On our server, I found in under Realm Settings - Keys, then clicking on the Certificate button.

With the values entered, Atlassian Access will give you two URIs - SP Entity ID and SP Assertion Consumer Service URL.

Edit the SAML client you created in Keycloak. Change the client ID to be the "SP Entity ID" value. Copy the "SP Assertion Consumer Service URL" and paste it into "Valid Redirect URIs" and "Base URL". Click "Save".

That should do it. Just remember that SSO only works for validated domains.

View More Comments
Andreas Krupp
Andreas Krupp Jan 22, 2021

Hey @Philip Colmer ,

I can confirm that your user Guide works!

Thx a lot for sharing!

Cheers & best,

Andreas

Like
Preston Lee
Preston Lee Oct 18, 2021

Excellent, it worked for me too! @Daniel , could you please correct the documentation? The older general instructions and screenshots are wrong.

Like Daniel likes this
Daniel
Daniel Oct 19, 2021

@Preston Lee i believe this message was not meant for me.

Like
Vipin
Vipin Feb 03, 2022

Hey @Andreas Krupp , @Philip Colmer & @Preston Lee

Thank you for experiment keycloak using SAML sso. Yes the information was quite helpful to reach the endpoint but still I am experiencing an issue. In my case Keycloak is acting as a Identity broker from my LDAP server. LDAP authentication works and reach at my atlassian cloud site but it fails with user not found error. Is this due to anything related to policy? If you want more info, I am happy to provide the details from my client and realm. 

thank you, 

vipin 

Like
Philip Colmer
Philip Colmer
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
Feb 03, 2022

@Vipin It is important to understand that these steps are for authentication.

It is not (currently) possible to use Keycloak as a means of provisioning users in Atlassian Access. In other words, you either have to manually create users in Atlassian Access so that users can then authenticate, or you have to find another way of getting users created in AA.

Within the Atlassian Admin pages, click on "Directory" and you'll see Managed accounts, User provisioning, G Suite and Domains. If you are synchronising from LDAP to G Suite, you can use that mechanism to provision users. Otherwise, you'll need to click on "User provisioning" to set up automatic provisioning.

For our setup, we're using Okta to synchronise from LDAP and then auto-provision to Atlassian. It generally works well although it doesn't like LDAP accounts that don't have a first name.

If it isn't user provisioning, perhaps you can provide some more details about how you are setting up the users.

Philip

Like Ondrej Havel likes this
Vipin
Vipin Feb 03, 2022

Hi @Philip Colmer , 

 

Perfect, you got it right. Atlassian access didn't have access to the users and that denied the access to the Jira software. let me do a few more tests and update here! 

 

thanks a lot! 

Vipin 

Like
Reply
0 votes
Answer accepted
Daniel Eads
Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Aug 31, 2018

Hi Thanapon,

We don't specifically support / test against Keycloak, so it's covered in the Unsupported identity providers section of our setup document. The details in that section apply in general to any SSO provider that supports SAML (which Keycloak does).

On the other side of the equation, you can follow Keycloak's own documentation for setting up a Client for Atlassian Access to use.

Cheers,
Daniel

Reply
1 vote
mmrvelj
mmrvelj Jul 17, 2023 • edited

I just want to confirm that I managed to configure SSO from Atlassian Access to Keycloak version 21.1.2. Keyclock changes UI quite often..

I mostly followed instructions here, but also needed to configure some things not explicitly mentioned here:

  • Enable "Sign documents" and "Sign assertions"
    • Set "SAML signature key name" to "KEY_ID"
  • This is mentioned, but I did not realize it first time: on client configuration under "Keys" tab -> disable "Client signature required"

I believe rest is mostly the same. 

 

Reply

Suggest an answer

Log in or Sign up to answer
Identity Manager
Atlassian Access
TAGS
AUG Leaders

Atlassian Community Events

See all events