Configure SAML 2.0 for Jira Align using PingOne

Ping One is a popular SAML 2.0 service. The following is an example of how we have tested and configured Azure with Jira Align. Please review the following example and adjust as needed for your organization's security policies and practices. 

 

Ping One

1.) Sign into Ping One and click on Applications > My Applications > SAML > Add Application > New SAML Application.


2.) Enter the Application Name. (Example: Jira Align) Click Continue to Next Step.


 

3.) For the Signing Certificate: Use the PingOne Signing Certificate or use your own. Make sure SAML v2.0 is selected for Protocol Version. The ACS and Entity ID will be the Jira Align site (https://<instance>.jiraalign.com).


It should be noted that Jira Align requires BOTH Signed Assertion and Signed Response for SAML 2.0 Providers. If you are only able to sign one of the two, then you will need to select Signed Response and open a Jira Align Support Ticket to have the assertion response requirement set to False.

See Section C at the end of this article to see the Require Signed Saml Assertion field in Jira Align.

 

4.) Ensure Sign Response is selected and RSA_SHA256 is selected as the Signing Algorithm. Click Continue to Next Step (see image from Step 3).

5.) Create an SSO Attribute of Email / Email and make it required. Continue to Next Step.


6.) Copy the Single Sign-On URL and download the SAML Metadata for later. Click Finish.


Jira Align

7.) Sign into Jira Align and click Administration > Platform > Security.

8.) Click Add SAML Provider. 


9.) Paste in the SAML 2.0 Metadata from Ping (Step 6 from earlier).

10.) Click Save & Close.


11.) Set Enable SSO to Yes.

12.) Click Save Settings.

 

Testing

13.) Open up an incognito window in your browser and navigate to the Single Sign-On URL from Ping One (Step 6 from earlier).

 

A.) Additional Notes

  • The user account you are testing from Ping One SAML 2.0 must also be configured on the Jira Align side.
  • User accounts on the Jira Align side can be created using the following methods:
    • API 1.0
    • Excel Import
    • Manually created
    • Users automatically integrated from Jira (the user must be assigned to an integrated issue)

B.) Disable Manual Sign In

  • Once you are confident that there are no known issues with SSO, you can go back to Platform Settings from earlier and set Disable Manual Sign In to Yes. 

You'll need to open a ticket with Jira Align to regain access if you get locked out while Disable Manual Sign In is turned on. 

  • After you have set Disable Manual Sign In, you'll be able to fill out the following field:
    • Sign In URL (use the URL from step 6)

If for some reason your Sign In URL contains encoded characters (Example: %20 for space), you'll need to replace them with the non-encoded equivalent.


C.) Require Signed Saml Assertion 

  • It should be noted that Jira Align requires BOTH Signed Assertion and Signed Response for SAML 2.0 Providers. If you are only able to sign one of the two, then you will need to make sure you are using Signed Response with Ping and open a Jira Align Support Ticket to have the assertion response requirement set to False.
  • Ping also gives you an option to encrypt the assertion in addition to signing it. Jira Align does not support encrypted assertions, so please do not enable this option.
  • This Signed Assertion setting is unique to each SAML Provider so if you are using multiple SAML/SSO Providers that can only handle Signed Response, each one will need the Signed Assertion set to False in Jira Align. 
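
The requirements from Steps 3 to 5 and Section C (signed Response, signed Assertion, RSA_SHA256, no encrypted assertion, required Email attribute) can be checked against a captured SAML response before Disable Manual Sign In is turned on. The script below is an added example, not code from Atlassian or Ping; the function name and the sample response are constructed for illustration, and the attribute name Email is taken from Step 5.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def check_saml_response(xml_text):
    """Structural pre-flight check only; it does NOT verify signatures cryptographically."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD present: refusing to parse"]
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    findings = []
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("assertion is encrypted (Jira Align does not support this)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no plaintext Assertion as a direct child of Response"]
    # Only a Signature that is a direct child counts for the element it sits in.
    for label, element in (("Response", root), ("Assertion", assertion)):
        sig = element.find("ds:Signature", NS)
        if sig is None:
            findings.append(label + " is not signed")
            continue
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg != RSA_SHA256:
            findings.append("%s signature algorithm is %s, expected RSA_SHA256" % (label, alg))
    names = [a.get("Name") for a in
             assertion.findall("saml:AttributeStatement/saml:Attribute", NS)]
    if "Email" not in names:
        findings.append("required Email attribute is missing")
    return findings

# Constructed sample (not a real PingOne response); signature values are placeholders.
SIG = ('<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="%s"/></ds:SignedInfo>'
       '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>' % RSA_SHA256)
SAMPLE = ('<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" xmlns:ds="%(ds)s">'
          '<saml:Issuer>constructed-idp</saml:Issuer>' % NS + SIG +
          '<saml:Assertion><saml:Issuer>constructed-idp</saml:Issuer>' + SIG +
          '<saml:AttributeStatement><saml:Attribute Name="Email">'
          '<saml:AttributeValue>user@example.com</saml:AttributeValue>'
          '</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    print(check_saml_response(SAMPLE) or "structure matches the requirements above")
```

Run it on the base64-decoded SAMLResponse captured during the test login in Step 13. An "Assertion is not signed" finding corresponds to the case where the Require Signed Saml Assertion setting has to be changed through a Jira Align Support Ticket.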
