Hello all,
Very new to Atlassian and Jira and I am trying to set up SSO with AzureAD Connect. I do not know where to find my organisation's Atlassian unique ID.
I am trying to update these two values:
https://auth.atlassian.com/saml/<unique ID>
https://auth.atlassian.com/login/callback?connection=saml-<unique ID>
I am following this tutorial: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-atlassian-cloud-tutorial
It has a note: The preceding values are not real. Update them with the actual identifier, reply URL, and sign-on URL values. You can get the real values from the Atlassian Cloud SAML Configuration screen. We explain the values later in the tutorial.
I have read the rest of the tutorial and it doesn't mention where I get the real values. The SAML Configuration screen does not contain any Unique ID information.
If I can find my way back here I will post an update if I discover the answer.
So if you just save the Azure application without the proper values, then set up SAML in Atlassian, you are then given the values you need to go back to the Azure application.
I still don't have it working but at least this step I understand.
Hi Luke,
I got it working after quite a bit of configuration effort. The short answer is that you are probably missing the trailing /saml2 part of the URL in the Identity provider SSO URL shown in Atlassian site admin > SAML single sign-on.
For the sake of completeness, I'm including steps that you've clearly completed successfully and also that show how I got to this missing piece of this configuration puzzle.
1. From Atlassian site admin, I verified the Azure domain by adding the TXT record as instructed.
2. In Azure, I added the Atlassian Cloud application to Azure AD and configured it to use SAML-based Sign-On.
3. In Atlassian site admin, I configured SAML as follows:
- Identity provider Entity Id: https://sts.windows.net/<my directory id>
- Identity Provider SSO URL: https://login.microsoftonline.com/<my directory Id>
-- The directory id is located on the Azure AD properties page.
4. I copied the text from my X509 certificate generated in Azure and added that to the SAML configuration in Atlassian site admin > SAML single sign-on. You'll find the certificate in Azure under Atlassian Cloud > Single Sign-on. I saw some documentation suggesting that you need to remove the Begin and End Certificate text. That's not true.
5. As you stated, after I saved the configuration, Atlassian site admin returned an SP Entity ID value and SP Assertion Consumer Service URL value.
6. I returned to Azure and copied the first value to:
- Identifier (Entity ID): https://auth.atlassian.com/saml/<id value provided by Atlassian>
and the second value to:
- Reply URL: https://auth.atlassian.com/login/callback?connection=saml-<id value provided by Atlassian>.
7. Here's the important last step that I missed, and it looks like you might have missed it too, because nowhere does it say you need to do this! In Azure I navigated to Atlassian Cloud - Single sign-on. At the bottom of that pane, I clicked the option that reads: Configure Atlassian Cloud.
8. I scrolled down to near the bottom of that page and found the Quick Reference Section. There I saw two values. The first value: Azure AD Single Sign-On Service URL is the one I needed to update in Atlassian. Notice that this value contains a trailing /saml2 value on it: https://login.microsoftonline.com/<your directory id>/saml2. After updating the Identity provider SSO URL in Atlassian with this new value, SSO began working.
Note, there are additional user configuration steps that you might have to take in Azure, but I don't believe it's mandatory to do this. By default, I believe user policy is disabled in Azure for this type of connection.
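As an added example (mine, not from this thread or from Atlassian or Microsoft), a small Python checker that encodes the pitfalls Ethan describes: the Identity provider SSO URL missing its trailing /saml2, Entity ID and SSO URL pointing at different directory ids, a certificate pasted without its BEGIN/END lines, and an Azure-side Identifier/Reply URL pair that doesn't carry the same connection id Atlassian returned. The directory id, connection id and certificate body are constructed placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs

# Expected shapes of the values described in the thread (directory id = Azure AD GUID).
ENTITY_RE = re.compile(r"^https://sts\.windows\.net/(?P<dir>[0-9a-f-]{36})/?$")
SSO_RE = re.compile(r"^https://login\.microsoftonline\.com/(?P<dir>[0-9a-f-]{36})/saml2$")
SP_ENTITY_RE = re.compile(r"^https://auth\.atlassian\.com/saml/(?P<conn>[A-Za-z0-9-]+)$")


def check_saml_pairing(atlassian: dict, azure: dict) -> list:
    """Return a list of findings; an empty list means both sides are consistent."""
    findings = []
    m_entity = ENTITY_RE.match(atlassian["idp_entity_id"])
    if not m_entity:
        findings.append("IdP Entity ID should be https://sts.windows.net/<directory id>")
    m_sso = SSO_RE.match(atlassian["idp_sso_url"])
    if not m_sso:
        findings.append("IdP SSO URL must end in /saml2 (Azure 'Single Sign-On Service URL')")
    if m_entity and m_sso and m_entity["dir"] != m_sso["dir"]:
        findings.append("Entity ID and SSO URL reference different directory ids")
    cert = atlassian["idp_certificate"].strip()
    if not (cert.startswith("-----BEGIN CERTIFICATE-----")
            and cert.endswith("-----END CERTIFICATE-----")):
        findings.append("Certificate should keep its BEGIN/END CERTIFICATE lines")
    # Azure side: Identifier and Reply URL must carry the connection id Atlassian returned.
    m_sp = SP_ENTITY_RE.match(azure["identifier"])
    if not m_sp:
        findings.append("Azure Identifier should be https://auth.atlassian.com/saml/<connection id>")
    reply = urlparse(azure["reply_url"])
    conn = parse_qs(reply.query).get("connection", [""])[0]
    if (reply.netloc != "auth.atlassian.com" or reply.path != "/login/callback"
            or not conn.startswith("saml-")):
        findings.append("Reply URL should be https://auth.atlassian.com/login/callback?connection=saml-<connection id>")
    elif m_sp and conn != "saml-" + m_sp["conn"]:
        findings.append("Reply URL connection id does not match the Identifier's connection id")
    return findings


# Constructed sample values (placeholders, not real tenant data).
DIRECTORY_ID = "11111111-2222-3333-4444-555555555555"
CONNECTION_ID = "example-connection-id"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----"
BROKEN_ATLASSIAN = {  # the state before step 8: SSO URL without /saml2
    "idp_entity_id": f"https://sts.windows.net/{DIRECTORY_ID}",
    "idp_sso_url": f"https://login.microsoftonline.com/{DIRECTORY_ID}",
    "idp_certificate": SAMPLE_CERT,
}
FIXED_ATLASSIAN = dict(BROKEN_ATLASSIAN,
                       idp_sso_url=f"https://login.microsoftonline.com/{DIRECTORY_ID}/saml2")
AZURE = {
    "identifier": f"https://auth.atlassian.com/saml/{CONNECTION_ID}",
    "reply_url": f"https://auth.atlassian.com/login/callback?connection=saml-{CONNECTION_ID}",
}
```

Running check_saml_pairing(BROKEN_ATLASSIAN, AZURE) reports only the missing /saml2, and the fixed configuration returns no findings.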
@Ethan Wilansky they should put your explanation instead of the official one. Great job, and THANKS!
Thanks for all the feedback! I had to battle this configuration for a while and didn’t want anyone else to struggle through this because the documentation was inadequate.
This article is gold! I just wish that I had found it sooner. One question. I'm testing this for my org and I would like to know how I can isolate this for myself temporarily without importing my whole org. During the setup process, it looks like all of my managed accounts got imported.
Hi @Gershon Chapman,
Are you referring to the last step in the AAD documentation (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/atlassian-cloud-tutorial) where you create Atlassian Cloud test users? I'm not quite following where you're seeing the all-org import.
@LocalAdmin I'm not sure if this has anything to do with it. But what I'm referring to is this. During my domain DNS verification process, I had imported a bunch of accounts here. Thinking it associated these cloud accounts with my AAD cloud accounts.
When I added the appropriate URLs in the Atlassian Cloud app to flip on SSO, I also added myself to the users and groups, thinking I'd be the only person to use and test it for now before I added the rest of my users. That wasn't the case this AM, when I had another user report to me that they weren't able to log in with their Atlassian Cloud creds. I had to add them as well, as they were being presented with an error that they didn't have the appropriate role.
Two questions.
I have an automation account that's not a part of my domain that's associated with Replicon for time integration and tracking. How will this be impacted, or will it be impacted at all?
Now that I have turned this on for Jira, does this extend to the other Atlassian products like Bitbucket? Or will I have to turn it on there?