Hi all.
We want to implement SSO with Azure B2C as identity provider for Portal-only customers. We tried pretty much everything (including using the enterprise application in Azure, which is not intended for Azure B2C). In the end, we always get errors like "Invalid customer saml login callback request" or similar.
- We create a custom flow in Azure B2C. I can confirm that it works in general as we use it already in different scenarios.
- We added the "Service provider assertion consumer service URL" from Atlassian as redirect URL in the app registration.
- We added the correct values to the identity provider (entity ID, SSO URL and X.509 cert), taken directly from the Azure B2C metadata XML.
I think the main problem here is that Atlassian does not provide any metadata XML, which is needed for SAML 2.0 to work. In Azure B2C this must be set as PartnerEntity.
We also tried to add it manually like:
<Item Key="PartnerEntity"><![CDATA[<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://auth.atlassian.com/saml/<guid>">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://id.atlassian.com/v2/customer/login/saml/callback?connection=saml-<guid>" index="0" isDefault="true"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>]]></Item>
but that did not work either.
So, my question: did anyone ever get Portal-only customer SSO with Azure B2C to work? Or is this just not supported?
Any input is appreciated.
Hi all,
It took quite a bit of effort to get there but I managed to get this working recently. I've blogged about it here and you can do this for free using custom policies, no need for external add-ons.
Any questions/comments, feel free to post them on the blog.
@Jakob Wolf did you ever end up figuring this out? Needing clear instructions on how to set up and get going with Azure B2C SSO access, but there's just no documentation anywhere and support has been horrible!
Setting up SAML with Azure B2C SSO is not that simple, but it can be possible. You can have a look at the documentation here - https://www.miniorange.com/atlassian/sso-integration-with-helpdesk-using-azure-b2c
To discuss this in detail, you can reach out to us from here. I'll make sure that a miniOrange representative will help you with all the details.
PS: I work for miniOrange, one of the security vendors in the Atlassian Marketplace.
Thanks,
Aditya
@Cameron McDougall Actually, I think I did.
You need to set the metadata for Atlassian yourself in the custom policy like this:
<Metadata>
  <Item Key="PartnerEntity"><![CDATA[<?xml version="1.0"?>
<EntityDescriptor entityID="https://auth.atlassian.com/saml/{org-guid}" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://id.atlassian.com/saml/logout"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://id.atlassian.com/v2/customer/login/saml/callback?connection=saml-{org-guid}" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>]]></Item>
</Metadata>
You also need to change the claim for your email:
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
I have yet to implement it in a production environment though.
In the Atlassian configuration for portal-only SAML, set the IdP entity ID to the entityID you get from your Azure B2C metadata, and for the IdP SSO URL use the SingleSignOnService value (also from your metadata).
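The first attempt in the opening post describes Atlassian with an IDPSSODescriptor, while the version above uses SPSSODescriptor, which is the role a relying party needs. This added example (not from the thread or from any of the products mentioned) is a small Python check you can run over a hand-written PartnerEntity document before each slow policy upload; the two inputs are constructed from the thread's snippets with a placeholder GUID, and the expected ACS host is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
GUID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real org GUID

# Constructed inputs modelled on the two snippets posted in the thread.
# First attempt: Atlassian described with the IdP role descriptor.
FAILED_ATTEMPT = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://auth.atlassian.com/saml/{GUID}">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:AssertionConsumerService Binding="{HTTP_POST}" Location="https://id.atlassian.com/v2/customer/login/saml/callback?connection=saml-{GUID}" index="0" isDefault="true"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# Working PartnerEntity: the SP role descriptor, as the later answer shows.
WORKING = f"""<?xml version="1.0"?><EntityDescriptor entityID="https://auth.atlassian.com/saml/{GUID}" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://id.atlassian.com/saml/logout"/>
<AssertionConsumerService Binding="{HTTP_POST}" Location="https://id.atlassian.com/v2/customer/login/saml/callback?connection=saml-{GUID}" index="1"/>
</SPSSODescriptor>
</EntityDescriptor>"""


def check_sp_metadata(xml_text, expected_acs_host="id.atlassian.com"):
    """Return the problems found; an empty list means the document has the
    shape of SP metadata that B2C expects in the PartnerEntity item."""
    problems = []
    root = ET.fromstring(xml_text)  # our own hand-written XML, not untrusted input
    if root.tag != MD + "EntityDescriptor":
        return ["root element is %s, expected EntityDescriptor" % root.tag]
    if not root.get("entityID"):
        problems.append("EntityDescriptor has no entityID")
    if root.find(MD + "IDPSSODescriptor") is not None:
        problems.append("IDPSSODescriptor present: that is the IdP role; "
                        "the relying party needs SPSSODescriptor")
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        problems.append("no SPSSODescriptor")
        return problems
    acs_list = sp.findall(MD + "AssertionConsumerService")
    if not acs_list:
        problems.append("SPSSODescriptor has no AssertionConsumerService")
    for acs in acs_list:
        if acs.get("Binding") != HTTP_POST:
            problems.append("ACS binding %s is not HTTP-POST" % acs.get("Binding"))
        host = urlparse(acs.get("Location", "")).hostname
        if host != expected_acs_host:
            problems.append("ACS host %r is not %s" % (host, expected_acs_host))
    return problems
```

Running `check_sp_metadata(FAILED_ATTEMPT)` reports the IdP descriptor and the missing SPSSODescriptor, while the working document returns no problems.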
@Jakob Wolf
It seems you are the only one who got this done.
I tried it by hosting the Jira metadata XML on a web server and linked the URL in the manifest of the app registration. It worked, but only for one day, and now I can't get it working again. It is terrible to try out different settings because of the lag time after a policy upload.
Can you please sum up where you set the entity ID of Jira and where the entity ID of B2C (identifierUrls, CustomPolicy etc.)?
Thanks in advance
Hi @Jakob Wolf ,
Your use-case of implementing SSO with Azure B2C as an identity provider for portal-only customers can be solved by our add-on SAML/OAuth SSO for JSM Customers and the miniOrange Solution.
If you would like a demo of the app please raise a service request here and a miniOrange representative will help you with all the details.
PS: I work for miniOrange, one of the security vendors in the Atlassian Marketplace.
Thanks,
Aditya
Hi Aditya
Your add-on does not support Azure B2C for SAML - only for OAuth. As stated, we want SAML.
It also does not mention Custom Flows at all.
Regards
Jakob
Hi @Jakob Wolf
The Use Case for Azure B2C can be solved via our miniOrange Identity Brokering and the add-on mentioned above. To discuss this in detail, you can reach out to us from here. I'll make sure that a miniOrange representative will help you with all the details.
Thanks,
Aditya