How can I configure SAML SSO in Keycloak to use it with Atlassian Cloud?
I found the configuration document here.
But Keycloak is unsupported and the document doesn't have enough details for the setup.
Please help guide me and show a configuration example.
Start by creating a SAML client in Keycloak. Call it whatever you like because we'll be changing it later.
In the Keycloak client configuration, turn OFF "Client Signature Required" and click on "Save".
In Atlassian Access, you need to provide three values:
"Identity provider Entity ID" - this will be your server's URL followed by /auth/realms/<realm name>
"Identity provider SSO URL" - this will be your server's URL followed by /auth/realms/<realm name>/protocol/saml
"Public x509 certificate" - this can be obtained from Keycloak. On our server, I found it under Realm Settings - Keys, then clicking on the Certificate button.
With the values entered, Atlassian Access will give you two URIs - SP Entity ID and SP Assertion Consumer Service URL.
Edit the SAML client you created in Keycloak. Change the client ID to be the "SP Entity ID" value. Copy the "SP Assertion Consumer Service URL" and paste it into "Valid Redirect URIs" and "Base URL". Click "Save".
That should do it. Just remember that SSO only works for validated domains.
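The steps in this answer amount to exchanging three IdP values (Entity ID, SSO URL, signing certificate) for two SP values (Entity ID, ACS URL). The following script, an added example that is not part of the original answer or of Keycloak's or Atlassian's own tooling, derives the IdP values the way the answer describes, cross-checks them against a constructed copy of the realm's SAML metadata, wraps the certificate as PEM, and builds the Keycloak client definition for the final step with the ACS URL as the only valid redirect URI. The server URL, realm name, metadata document and SP values are all constructed placeholders; the `saml.client.signature` attribute key is assumed to match Keycloak's JSON client export.

```python
"""Derive and cross-check the SAML values exchanged between Keycloak (IdP)
and Atlassian Access (SP). Added example; not Keycloak's or Atlassian's code."""
import base64
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def idp_values(server_url: str, realm: str, context_path: str = "/auth") -> dict:
    """The two URL values Atlassian Access asks for, built as the answer describes:
    <server>/auth/realms/<realm> and <server>/auth/realms/<realm>/protocol/saml."""
    base = server_url.rstrip("/") + context_path.rstrip("/") + f"/realms/{realm}"
    return {"entity_id": base, "sso_url": base + "/protocol/saml"}


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull entityID, redirect-binding SSO endpoint and signing certificate
    out of a SAML IdP metadata document. For metadata fetched over the
    network, parse with defusedxml rather than the stdlib parser."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == REDIRECT_BINDING:
            sso_url = sso.get("Location")
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' means signing+encryption
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
    return {"entity_id": root.get("entityID"), "sso_url": sso_url,
            "cert_b64": "".join(cert.split())}


def to_pem(cert_b64: str) -> str:
    """Wrap the raw base64 blob as PEM; decoding first catches a mangled paste."""
    base64.b64decode(cert_b64, validate=True)
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def keycloak_client(sp_entity_id: str, acs_url: str) -> dict:
    """Client definition for the answer's last step: client ID = SP Entity ID,
    ACS URL as Base URL and the single valid redirect URI, signature not
    required. Key names assumed to follow Keycloak's JSON client export."""
    parsed = urlparse(acs_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("ACS URL must be an absolute https URL")
    return {
        "clientId": sp_entity_id,
        "protocol": "saml",
        "baseUrl": acs_url,
        "redirectUris": [acs_url],  # exact match only, no wildcard
        "attributes": {"saml.client.signature": "false"},
    }


def check_consistency(expected: dict, parsed: dict) -> list:
    """Mismatches between the derived values and what the metadata advertises
    (for example a wrong realm name or a missing /auth prefix); [] means agreement."""
    return [f"{k}: expected {expected[k]!r}, metadata says {parsed[k]!r}"
            for k in ("entity_id", "sso_url") if expected[k] != parsed[k]]


# Constructed sample standing in for the realm's SAML descriptor; the
# certificate element holds a placeholder base64 string, not a real certificate.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sso.example.test/auth/realms/corp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          TUlJQ0VYQU1QTEVDRVJUQkxPQg==
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.example.test/auth/realms/corp/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.example.test/auth/realms/corp/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    expected = idp_values("https://sso.example.test", "corp")
    parsed = parse_idp_metadata(SAMPLE_METADATA)
    print("mismatches:", check_consistency(expected, parsed))
    print(to_pem(parsed["cert_b64"]))
    # SP values come from the Atlassian Access page; these are placeholders.
    print(keycloak_client("https://auth.atlassian.com/saml/PLACEHOLDER-ID",
                          "https://auth.atlassian.com/login/callback?connection=PLACEHOLDER"))
```

Run it against the descriptor your own realm serves and the SP values from the Atlassian Access page; a non-empty mismatch list usually means the realm name or the `/auth` context path differs from what was typed into Atlassian, which is the most common reason the redirect never reaches Keycloak.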
Thank you for experimenting with Keycloak using SAML SSO. Yes, the information was quite helpful to reach the endpoint, but I am still experiencing an issue. In my case Keycloak is acting as an identity broker for my LDAP server. LDAP authentication works and reaches my Atlassian cloud site, but it fails with a "user not found" error. Is this due to anything related to policy? If you want more info, I am happy to provide the details from my client and realm.
@Vipin It is important to understand that these steps are for authentication.
It is not (currently) possible to use Keycloak as a means of provisioning users in Atlassian Access. In other words, you either have to manually create users in Atlassian Access so that users can then authenticate, or you have to find another way of getting users created in AA.
Within the Atlassian Admin pages, click on "Directory" and you'll see Managed accounts, User provisioning, G Suite and Domains. If you are synchronising from LDAP to G Suite, you can use that mechanism to provision users. Otherwise, you'll need to click on "User provisioning" to set up automatic provisioning.
For our setup, we're using Okta to synchronise from LDAP and then auto-provision to Atlassian. It generally works well although it doesn't like LDAP accounts that don't have a first name.
If it isn't user provisioning, perhaps you can provide some more details about how you are setting up the users.
We don't specifically support / test against Keycloak, so it's covered in the Unsupported identity providers section of our setup document. The details in that section apply in general to any SSO provider that supports SAML (which Keycloak does).
On the other side of the equation, you can follow Keycloak's own documentation for setting up a Client for Atlassian Access to use.
I just want to confirm that I managed to configure SSO from Atlassian Access to Keycloak version 21.1.2. Keycloak changes its UI quite often.
I mostly followed instructions here, but also needed to configure some things not explicitly mentioned here:
I believe the rest is mostly the same.