Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,367,520
Community Members
 
Community Events
168
Community Groups

Azure Active Directory SAML 2.0 Setup for Jira Align

Azure Active Directory is a popular SAML 2.0 service. The following is an example of how we have tested and configured Azure with Jira Align. Please review the following example and adjust as needed for your organization's security policies and practices. 

 

Azure

1. Sign into Azure and click on Azure Active Directory.

1.png

2. Select Enterprise Applications from Manage in the left column. 

2.png

3. Click on New application.

3.png

4. Select Non-gallery application.

4.png

5. Name the application something relevant to your organization and/or the application itself and click Add. In this case, we've named it JiraAlign.

Note: Any spaces in the name will cause issues with the Login URL later so it's best to just avoid them.

 

6. Under the Getting Started section, click on 1. Assign users and groups.

6.png

7. Click Add user and add Users and/or Groups as needed. You need at least one User to test SSO and you can go back and add more later if you want.

 

8. On the Add Assignment screen, you can select the users you want, click Select and Assign.

 

9. The user(s)/group(s) should show up on the Users and groups pane now.

9.png

10. Click on Single sign-on and SAML.

AzureAD_Step10.png

11. In Section 1: Basic SAML Configuration, edit the Identifier (Entity ID) and  Reply URL (Assertion Consumer Service URL) to both be the Jira Align instance:

https://instance.agilecraft.com or https://instance.jiraalign.com 

Click Save.

Alternatively, you can upload the metadata file by copying the Show Jira Align Saml 2.0 Service Provider metadata from Jira Align (Administrator > Platform > Security) and save as an XML file. 

12. In Section 3: SAML Signing Certificate, edit and change the Signing Option to Sign SAML response and assertion. Click Save.

12.png

13. Also, in Section 3: SAML Signing Certificate, click Download next to Federation Metadata XML to use in a later step.

14. Please note that Azure has made some recent changes surrounding Logout URL. Please use the provided URL below and also read through the "Sign Out URL" section at the end of this article. 

Logout URL: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

 

15. In the left hand menu under Manage, click Properties and copy the User Access URL for use in a later step. User Access URL will start with https://myapps.microsoft.com/signin. 

15.png

 

Jira Align

16. Sign into Jira Align and click Administration > Platform > Security.

16.png

17. Click Add SAML Provider. 

17.png

18. Paste in the SAML 2.0 Metadata from Azure (Step 13 from earlier).

19. Click Save & Close.

20. Set Enable SSO to Yes.

21. Click Save Settings.

 

Testing

22. Open up an incognito window in your browser and navigate to the User Access URL from Azure (Step 15 from earlier).

 


Additional Notes

  • The user account you are testing from Azure SAML 2.0 must be also configured on the Jira Align side.
  • User accounts on the Jira Align side can be created using the following methods:
    • API 1.0
    • Excel Import
    • Manually created
    • Users automatically integrated from Jira (the user must be assigned to an integrated issue)

 


Sign Out URL / Logout URL

 

 


Disable Manual Sign In

AzureAD_Step23.png

  • Once you are confident that there are no known issues with SSO, you can go back to Platform Settings from earlier and set Disable Manual Sign In to Yes. 

You'll need to open a ticket with Jira Align to regain access if you get locked out while Disable Manual Sign In is turned on. 

  • After you have set Disable Manual Sign In, you'll be able to fill out the following fields:
    • Sign In URL (use the URL from step 15)
    • Sign Out URL (use the URL from step 14)

If for some reason your Sign In or Sign Out URL contain encoded characters (Example: %20 for space), you'll need to replace that with the non-encoded equivalent.

 


Default Roles

To change the default roles assigned to new users, please navigate in Jira Align to Admin > Connectors > Jira Settings > Jira Setup. 

Scroll all the way to the bottom and review the Default System Role for New User(s) and Default Team Role for New User(s).

roles.png

Also please review this article for more specifics on System Roles vs Team Roles.

 

13 comments

Tim Keyes Atlassian Team Aug 06, 2020

Awesome article @James McCulley!

Great work!

Like James McCulley likes this

Hi, why have the image stores gone to imgur? Enterprise customers are going to have a problem going forward with community.atlassian.com if this is preferred image as enterprises (like mine) block imgur. Many thx

Tim Keyes Atlassian Team Aug 09, 2020

Hi Karalee,

Do you know of any image hosting sites that your network does not block?  

Thank you!
Tim

Hi Tim, I emailed you directly to chat further. 

Karalee,

I have made a change to where the images are hosted.  Can you confirm you can see them now?

Thanks!

James

I can @James McCulley, thanks! Are the other being pages updated as well or will they be updated on an ad-hoc basis? e.g. https://community.atlassian.com/t5/Jira-Align-articles/Domain-Migration-agilecraft-com-to-jiraalign-com-Impacts-on/ba-p/1451258 still has imgur. I can @ mention you/Tim if/when I find another?

Like # people like this
Tim Keyes Atlassian Team Aug 10, 2020

Hi Karalee,

I probably have about 12 articles with images hosted in Imigur.  I will move them over to hosting on the community's site over the next week or two.

Cheers!
Tim

Like # people like this

Hi @James McCulley a quick note to let you know that this article was so helpful for us today! Your note about the User Access URL was spot on - it didn't work so I piped up with your tip about no spaces when setting up... and it fixed it

Like # people like this
Heidi Hendry Atlassian Team Jan 04, 2022

Hi @James McCulley 
thank you for this article... very informative.
Is there a setting in here that needs to be set to support URL redirection?

So I share a JA URL with an end-user and then they click that link.
If URL redirection IS enabled, then that link will take them to the SSO login and then to the link.
If URL redirection IS NOT enabled, then that link will take them to the SSO login and then to their last logged-in screen.

thank you

Like James McCulley likes this

@Heidi Hendry Thank you and great question. From working with Azure Support over a number of hours, it was determined that Azure Active Directory doesn't support Jira Align's URL redirection functionality.

Like Heidi Hendry likes this

Hi @James McCulley 

Thank you very much for this article.

I just wanted to circle back one important addition that solved the sign-out problem that I was encountering so that others would have the solution readily available:

Implementing "14. In Section 4: Set up <name>, copy the Logout URL", I ran into the problem that both my Azure Login URL and Logout URL are identical. Therefore, the logout did not work properly. 

For step 14 to work, it required me within the Azure Basic SAML Configuration to add the logout url you have kindly provided:

https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

Screenshot 2022-07-18 at 19.23.38.png

Instead of the Logout URL from Azure, I obviously added your url as the sign-out URL in Jira Align under Platform Settings Security as well:

Screenshot 2022-07-18 at 19.27.41.png

Now, everything works.

Best wishes,

Helge

Like # people like this

Thanks for sharing this @Helge Heupel :) 

@Helge Heupel ,

Thanks for your detailed comment. In my testing, I have not had to add that configuration change on the Azure side. Can you tell me what behavior you were seeing before that change you made? 

Thanks,

James

Comment

Log in or Sign up to comment
TAGS

Atlassian Community Events