Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Next challenges

Recent achievements

  • Global
  • Personal

Recognition

  • Give kudos
  • Received
  • Given

Leaderboard

  • Global

Trophy case

Kudos (beta program)

Kudos logo

You've been invited into the Kudos (beta program) private group. Chat with others in the program, or give feedback to Atlassian.

View group

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

SAML add-ons for Jira/confluence and BitBucket (and Bamboo)

We need to get SAML (with G-suite) onboard asap and I am looking for the right plugins, that:

 

Covers at least Jira/confluence and BitBucket

Great if multiple assertions/idp's get be implemented

Some form of project control - eg. enable/disable for projects and groups.

 

I dont know much about SAML, but we have the company itself where I work and a customer that required 2FA. We are on Server versions

3 answers

Hi @B_ Normann P_ Nielsen ,

for Server your only option is to go with a 3rd party plugin.

There is quite a variety in the marketplace right now. If you search for SAML you get a good overview: https://marketplace.atlassian.com/search?query=saml

The Top 3 Products (which includes ours) are available across most if not all Atlassian Server Applications.

Our plugin is the most sold & installed one and works very well with GSuite. Actually we have a fairly unique feature set in conjunction with Gsuite, that most other plugins will not have.
We can synchronise your Users & Groups from GSuite in a regular interval, in a similar way that the Atlassian Applications can natively synchronise via LDAP. This goes way beyond the Just-in-Time Provisioning that most other plugins can do only (we can do that too, though).

We cover the range of Atlassian Products you like to have (Jira, Confluence, Bitbucket) & more and also support mulitple Identity Providers.


To the last part of your Question getting some fine grained control (projects/groups) where you can enable/disable SSO. That is more tricky just by the nature how SAML works.

Essentially we need to decide if a User should be sent to GSuite for authentication *before* we know who that User is. So you can't really base that decision on things like group membership/project roles etc.

We have some Ways how to deal with this, one is different IdP Selection methods which you can see demo'd in this YouTube Video: https://youtu.be/DoNir7eN87o

Furthermore than that, you can also define different URL Sets for which SSO is initiated and for which not, but that can be quite tricky.

For this requirement it may be worth to open a support case with us: https://resolution.de/go/support or book a Screenshare meeting with us via https://resolution.de/go/calendly to discuss the specifics for your situation.

Last but not least some of those links may be interesting for you:

Cheers,
Christian

P.S. Full disclosure, I work for resolution, a marketplace vendor.

Hi @B_ Normann P_ Nielsen

There are multiple SAML SSO APPs available in the Atlassian Marketplace to enable SAML SSO into JIRA, Confluence, Bitbucket, and Bamboo from GSuite.

Please take a look into the SAML APPs from miniOrange along with the step by step guide to configure the plugin with GSuite for SAML Single Sign-on.

JIRA SAML SSO APP: https://marketplace.atlassian.com/apps/1215430/jira-saml-single-sign-on-sso-jira-sso?hosting=datacenter&tab=overview

Step by step guide: https://plugins.miniorange.com/saml-single-sign-sso-jira-using-google-apps-g-suite-idp

 

Confluence SAML SSO APP: https://marketplace.atlassian.com/apps/1215542/single-sign-on-sso-confluence-saml?hosting=datacenter&tab=overview

Step by step guide: https://plugins.miniorange.com/saml-single-sign-sso-confluence-using-google-apps-g-suite-idp

 

Bitbucket SAML SSO APP: https://marketplace.atlassian.com/apps/1216482/single-sign-on-sso-bitbucket-saml?hosting=datacenter&tab=overview

Step by step guide: https://plugins.miniorange.com/saml-single-sign-sso-bitbucket-using-google-apps

 

Bamboo SAML SSO APP: https://marketplace.atlassian.com/apps/1216824/single-sign-on-sso-bamboo-saml?hosting=server&tab=overview

Step by step guide: https://plugins.miniorange.com/saml-single-sign-on-into-bamboo-using-google-apps

 

All the suggested plugins support multiple SAML IDPs as well.

 

Some form of project control - eg. enable/disable for projects and groups.

==> Could you please explain this use case little bit. As I know, Google does not send any user's group information in the SAML but this can be achieved by getting the user's groups information by API call and update the user in application accordingly.

 

I don't know much about SAML, but we have the company itself where I work and a customer that required 2FA. We are on Server versions

==> You can enable the GSuite '2FA on the top of the SAML SSO as well. So, whenever a user tries to access the application(for eg. JIRA), he will be redirected to GSuite where he needs to verify his credentials along with the 2FA and once verified by GSuite, he will be redirected back to the application(for eg. JIRA) and logged in.

 

Feel free to reach out to miniOrange support in case of any questions or need further assistance with the SSO configuration.

 

Thanks,

Lokesh

I work for the miniOrange. One of the top SSO vendor in the Atlassian Marketplace.

Hi @B_ Normann P_ Nielsen 

I would like to show our Kantega SSO Enterprise app for you. We support two step login where users are redirected to idps based on their domain or user directory. We will also soon support group based redirection here.

With two-step login, we simply ask for the username only in the first step (no password field shown in the login form). Then based on properties of this user, we are able to redirect the user to a particular Idp or ask for the jira password based on properties of the particular user. The figure below shows an example of how such two-step login looks like in practice.

Screenshot 2019-08-19 at 16.05.48.png

 

Another feature you should look for when considering SSO apps is their ability to remove login backdoors to the Atlassian applications when 2FA should be enforced. With our app, you can disable both traditional username/password logins completely as well as basic auth API request.

I am happy to give you a demo showing how you can optimize login and SSO experiences with GSuite. You can book such a demo directly here: https://kantega-sso.com/support/

Cheers,
Jon Espen
Kantega SSO


Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Posted in Confluence

What do you think is the most *delightful* Confluence feature? Comment for a prize!

- Create your own custom emoji 🔥 - "Shake for Feedback" on mobile 📱 - An endless supply of GIFs via GIPHY 🤩 Is there anything quite as nice as a pleasant surprise? Comment below with what...

462 views 24 9
Join discussion

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you