
SAML add-ons for Jira/confluence and BitBucket (and Bamboo)

B_ Normann P_ Nielsen
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
September 3, 2019

We need to get SAML (with G-suite) onboard ASAP and I am looking for the right plugins that:

Cover at least Jira/confluence and BitBucket

Great if multiple assertions/IdPs can be implemented

Some form of project control - e.g. enable/disable for projects and groups.

I don't know much about SAML, but we have the company itself where I work and a customer that required 2FA. We are on Server versions

3 answers

0 votes
Jon Espen Ingvaldsen Kantega SSO
Rising Star
September 4, 2019

Hi @B_ Normann P_ Nielsen 

I would like to show our Kantega SSO Enterprise app to you. We support two-step login where users are redirected to IdPs based on their domain or user directory. We will also soon support group-based redirection here.

With two-step login, we simply ask for the username only in the first step (no password field shown in the login form). Then, based on properties of this user, we are able to redirect the user to a particular IdP or ask for the Jira password. The figure below shows an example of what such a two-step login looks like in practice.

[Figure: Screenshot 2019-08-19 at 16.05.48.png]

Another feature you should look for when considering SSO apps is their ability to remove login backdoors to the Atlassian applications when 2FA should be enforced. With our app, you can completely disable both traditional username/password logins and basic auth API requests.

I am happy to give you a demo showing how you can optimize login and SSO experiences with GSuite. You can book such a demo directly here: https://kantega-sso.com/support/

Cheers,
Jon Espen
Kantega SSO


0 votes
Lokesh Naktode_miniOrange
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
September 4, 2019

Hi @B_ Normann P_ Nielsen

There are multiple SAML SSO apps available in the Atlassian Marketplace to enable SAML SSO into JIRA, Confluence, Bitbucket, and Bamboo from GSuite.

Please take a look at the SAML apps from miniOrange along with the step-by-step guide to configure the plugin with GSuite for SAML Single Sign-on.

JIRA SAML SSO APP: https://marketplace.atlassian.com/apps/1215430/jira-saml-single-sign-on-sso-jira-sso?hosting=datacenter&tab=overview

Step by step guide: https://plugins.miniorange.com/saml-single-sign-sso-jira-using-google-apps-g-suite-idp

 

Confluence SAML SSO APP: https://marketplace.atlassian.com/apps/1215542/single-sign-on-sso-confluence-saml?hosting=datacenter&tab=overview

Step by step guide: https://plugins.miniorange.com/saml-single-sign-sso-confluence-using-google-apps-g-suite-idp

 

Bitbucket SAML SSO APP: https://marketplace.atlassian.com/apps/1216482/single-sign-on-sso-bitbucket-saml?hosting=datacenter&tab=overview

Step by step guide: https://plugins.miniorange.com/saml-single-sign-sso-bitbucket-using-google-apps

 

Bamboo SAML SSO APP: https://marketplace.atlassian.com/apps/1216824/single-sign-on-sso-bamboo-saml?hosting=server&tab=overview

Step by step guide: https://plugins.miniorange.com/saml-single-sign-on-into-bamboo-using-google-apps

 

All the suggested plugins support multiple SAML IDPs as well.

Some form of project control - eg. enable/disable for projects and groups.

==> Could you please explain this use case a little bit? As far as I know, Google does not send any user's group information in the SAML, but this can be achieved by getting the user's group information via an API call and updating the user in the application accordingly.

I don't know much about SAML, but we have the company itself where I work and a customer that required 2FA. We are on Server versions

==> You can enable GSuite 2FA on top of the SAML SSO as well. So, whenever a user tries to access the application (e.g. JIRA), he will be redirected to GSuite, where he needs to verify his credentials along with the 2FA, and once verified by GSuite, he will be redirected back to the application (e.g. JIRA) and logged in.

Feel free to reach out to miniOrange support in case of any questions or if you need further assistance with the SSO configuration.

Thanks,

Lokesh

I work for miniOrange, one of the top SSO vendors in the Atlassian Marketplace.

0 votes
Christian Reichert (resolution)
Rising Star
September 4, 2019

Hi @B_ Normann P_ Nielsen ,

For Server, your only option is to go with a 3rd party plugin.

There is quite a variety in the marketplace right now. If you search for SAML you get a good overview: https://marketplace.atlassian.com/search?query=saml

The Top 3 Products (which includes ours) are available across most if not all Atlassian Server Applications.

Our plugin is the most sold & installed one and works very well with GSuite. Actually, we have a fairly unique feature set in conjunction with GSuite that most other plugins will not have.
We can synchronise your Users & Groups from GSuite at a regular interval, in a similar way to how the Atlassian Applications can natively synchronise via LDAP. This goes way beyond the Just-in-Time Provisioning that is all most other plugins can do (we can do that too, though).

We cover the range of Atlassian Products you would like to have (Jira, Confluence, Bitbucket) & more and also support multiple Identity Providers.


To the last part of your question, getting some fine-grained control (projects/groups) where you can enable/disable SSO: that is more tricky just by the nature of how SAML works.

Essentially we need to decide if a User should be sent to GSuite for authentication *before* we know who that User is. So you can't really base that decision on things like group membership/project roles etc.

We have some ways to deal with this; one is different IdP selection methods, which you can see demoed in this YouTube video: https://youtu.be/DoNir7eN87o

Furthermore, you can also define different URL sets for which SSO is initiated and for which not, but that can be quite tricky.

For this requirement it may be worth opening a support case with us: https://resolution.de/go/support or booking a screenshare meeting with us via https://resolution.de/go/calendly to discuss the specifics for your situation.

Last but not least some of those links may be interesting for you:

Cheers,
Christian

P.S. Full disclosure, I work for resolution, a marketplace vendor.
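
The two-step login and backdoor removal described in the Kantega SSO answer, together with the constraint in this answer that the IdP must be chosen before the user is known, as an added Python example that is not code from any of the plugins mentioned. The domains, URLs, entity IDs, the break-glass account and all function names are constructed for illustration. It also shows a check the thread does not spell out: with multiple IdPs, each IdP may only vouch for users of its own domain.

```python
from typing import NamedTuple, Optional

class IdP(NamedTuple):
    entity_id: str   # issuer expected in assertions from this IdP
    sso_url: str     # where step 1 redirects the browser

# Constructed sample configuration: two IdPs keyed by e-mail domain.
IDPS = {
    "corp.example": IdP("https://idp.corp.example/metadata",
                        "https://idp.corp.example/sso"),
    "customer.example": IdP("https://idp.customer.example/metadata",
                            "https://idp.customer.example/sso"),
}
LOCAL_PASSWORD_USERS = {"breakglass-admin"}  # hypothetical break-glass account
ENFORCE_SSO = True  # True = no password prompt for anyone else

def _idp_for(username: str) -> Optional[IdP]:
    # Exact domain match only; suffix matching would let "evilcorp.example" through.
    local, sep, domain = username.strip().lower().rpartition("@")
    return IDPS.get(domain) if sep and local else None

def route_login(claimed_username: str) -> tuple:
    """Step 1: the username is unverified, so this only picks WHERE to authenticate."""
    if claimed_username.strip().lower() in LOCAL_PASSWORD_USERS:
        return ("local_password", None)
    idp = _idp_for(claimed_username)
    if idp:
        return ("redirect_idp", idp.sso_url)
    # With SSO enforced, unknown domains must not fall back to a password form.
    return ("deny", None) if ENFORCE_SSO else ("local_password", None)

def accept_assertion(issuer: str, name_id: str) -> bool:
    """Step 2, after signature validation: the issuer must own the user's domain."""
    idp = _idp_for(name_id)
    return idp is not None and idp.entity_id == issuer

def basic_auth_allowed(authorization_header: str) -> bool:
    """With SSO enforced, 'Authorization: Basic ...' API requests are refused."""
    scheme = authorization_header.split(" ", 1)[0].lower()
    return not (ENFORCE_SSO and scheme == "basic")
```
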
