SAML SSO Support?

Hello - We have an application that is the identity provider for a SAML solution. Can/will confluence be setup to be the service provider for a SAML setup?

I understand Crowds is the SSO solution for the different Atlassian products. Perhaps Crowds supports a general SAML request?

Thank you - Kyle

15 answers

1 accepted

7 votes

Answer accepted

Hello

This is also a hot topic for us and maybe for other customers too!?

Is there any out-of-box solution for SAML 2.0 support (in Confluence or Crowd) or do we have to implement a custom authenticator?

Thanks,
Roger

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hi Roger,

Quite a while since you asked that Question. Our sister company has just published a plugin on the Marketplace which implements SAML 2.0 for Jira & Conflence (tested with Microsoft ADFS).

They had to use an implementation of a custom authenticor to get this done. Before deciding to implement we obviously looked at the existing and found nothing sensible for us which worked well enough with both Confluence & Jira.

We've also been running it internally for the last couple of months flawless.

The plugin can be found https://marketplace.atlassian.com/plugins/com.resolution.atlasplugins.samlsso

If you tested it & consider purchasing, let me know as I can organize a 50% promo code.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

4 votes

I've previously integrated Confluence with SAML when I used Confluence as the identity provider for a SAML SSO plugin -- you can find out more details in the post "Concur Single Sign-On plugin for Confluence using SAML".

What you're after is really the converse of that. It could be achieved with a custom authenticator - perhaps in a manner similar to AppFusions' Google Apps Authenticator for Confluence. Here's my video demo showing the Google Apps authenticator in action.

Contact me direct if you wish to know any further details.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

2 votes

What is the app? AppFusions can help you.

We have a Google Apps Authenticator for Confluence, and I *think* it was with SAML that we did this.

I need to double check with engineering on this one.

ANyways, contact us if you would like to discuss.

Best,

Ellen

info@appfusions.com

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

2 votes

Hello,

Unfortunately the roadmap for Crowd, Jira and Confluence do not include support for SAML. It is an often requested feature that we are not going to include in our product line. https://jira.atlassian.com/browse/CWD-1822 is the feature request page where developers have commented on the issue. You can see that it has been resolved as "Won't Fix."

We have a number of experts that would be happy to help you with a custom solution. It appears as if there may already be a third party that is providing a SAML Identity Provider. Your best bet would be to contact them to see if their solution is right for your needs

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

I was surprised to read this. Why not?

Is SAML not an open standard and do you not believe this will prevent large enterprises from adopting your solution? I would think this is in your product lines best interests.

I'm not wild about the idea of working with another vendor to implement their custom SAML solution for your product. That would unnecessarily complicate upgrades and support. My expectation is for any vendor that expects to be taken seriously as an Enterprise solution to offer easy, well-tested ways to federate identity.

I am a current customer of Confluence but only with a 25-seat on premise license used within IT for technical documentation. I was considering Confluence for a much larger rollout firm wide but this basically ends that consideration. It is simply not practical for my IT Dept to manage thousands of accounts seperately.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Also, the Jira issue you are linking to goes a page that says the project was deleted.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Here is the link to the cwd project stating that we will not be implementing SAML.

https://jira.atlassian.com/browse/CWD-1822

If this is a necessary feature, please contact one of our experts who will be better able to assist with this.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

0 votes

Hi All,

Please check my article on this. It might help you as I have tried to provide a complete solution.

http://thetechrecipes.com/index.php/2016/08/11/saml-integration-with-jira-and-other-java-web-app/

Regards

Prakhar

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

0 votes

Hi All,

Please check my article on this. It might help you as I have tried to provide a complete solution.

http://thetechrecipes.com/index.php/2016/08/11/saml-integration-with-jira-and-other-java-web-app/

Regards

Prakhar

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

0 votes

Hi, any steps or link where i can find proper process to implement this.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

0 votes

Great to hear that it is working beautifully for you; As for Bamboo & Stash, one of you developers is looking into that at the moment - however their authentication system is different, so I'd be lying if I would give you any concrete timeline at the moment. But be assured that you are by far not the only one who has requested this, so it's high up on our list.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

0 votes

HI Christian Reichert, I have used SAML single sign on plugin for Trial versions JIRA as well as Confluence. It is working beautifully. The SAML idp that i used - SimpleSAMLPhp. I am eager to know when this plugin is going to support for Bamboo & Stash. It is kind of urgent to me. Apart from SAML SSO plugin, do we have any solution to achieve SAML 2.0 based SSO with atlassian products.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

0 votes

Hi Randall,

not sure if you wanna take my word for it - it is worth testing, if you are using an environment as above (Jira or Confluence and MSADFS). Setup

0 out of 0 just means no one has rated this yet - which is not too uncommon with Plugins published only about a month ago (most people are still using their eval licenses right now, a few even purchased outright).

Feedback from the people who are evaluating it at the moment, is generally it works. We actually got confirmation that it also works with a variety of other IdPs (other than ADFS). We are just pulling their configs together to document setup of other IdPs & a compatibility list).

Most of the conversation with the evaluators is actually around new feature request, most common is to support others of the Atlassian Applications (i.e. Bamboo, ...), which we are prioritizing based on their wishes.

I hope that gives you a bit more comfort, that it might be worth your time ...

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

0 votes

I'd like to get some feedback on anyone using this solution.
Maybe its too soon, but 0 out of 0 stars is not encouraging enough to give this a test.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

0 votes

Quite a while since you asked that Question. Our sister company has just published a plugin on the Marketplace which implements SAML 2.0 for Jira & Conflence (tested with Microsoft ADFS).

We've also been running it internally for the last couple of months flawless.

The plugin can be found https://marketplace.atlassian.com/plugins/com.resolution.atlasplugins.samlsso

If you tested it & consider purchasing, let me know as I can organize a 50% promo code.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

0 votes

Hi Yves,

thanks for your reply.

I will give it go.

Cheers.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

0 votes

Hello,

I have successfully configure OIOSAML with JIRA: https://svn.softwareborsen.dk/oiosaml.java/sp/trunk/docs/index.html

NameID is available from request.getRemoteUser() which is properly caught by the authenticator.

With a small patch in SPFilter, I have allowed REST and SOAP APIs and also the login screen even without SAML assertion available in session.

Hope this help

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hi Yves,

can you confirm which version of JIRA did you manage to configure with OIOSAML?

I am facing the same issue and is currently investigating your solution.

Cheers.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hello Jean,

I use OIOSAML.J 9918 http://digitaliser.dk/group/42063/resources because it has passed some kind of certification.

In a first release, I had to exclude a large set of paths in SPFilter code and add conditions if opensynphony authentication were used... and finally got troubles with many features like "Attach screenshot" for instance, Firefox got a corrupted jar file !

I have just deployed another implementation where SPFilter is invoked from Seraph Authenticator only (so no longer declared in web.xml), still with path exclusions for SOAP and REST API typically, and now I wait for users' feedback but I think it will be OK.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hello Martin, I want to configure SSO for JIRA using SAML2.0. Could you please provide more information?

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

I propose you deploy this new plugin (not at all related to my own work done with OIOSAML) https://marketplace.atlassian.com/plugins/com.bitium.jira.SAML2PluginJira

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

0 votes

Hi,

We are also interested in using SAML and more specifically using ADFS for JIRA authentication.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Product Q&A

Community resources

Support

Top groups

Community resources

Support

Learn

Community resources

Support

Events

Community resources

Support

Get product advice from experts

Join a community group

Advance your career with learning paths

Earn badges and rewards

Connect and share ideas at events

SAML SSO Support?

15 answers

1 accepted

Suggest an answer

Was this helpful?

Thanks!

TAGS

Atlassian Community Events