Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,359,854
Community Members
 
Community Events
168
Community Groups

How to authenticate into Jira, Confluence, and Bitbucket with your AWS Application Load Balancer

Problem statement

Most Atlassian Data Center installations are hosted on AWS. That gives the option to enable the Amazon’s Application Load Balancers (ALBs) you're already using for distributing traffic among nodes to also handle authentication.

There are mainly 2 advantages to this approach.

  • First, it shields the Atlassian product from all unauthenticated traffic, offering an additional layer of security and making DDoS attacks and similar threats impossible.

  • Secondly, it offloads the authentication away from your instance, increasing performance even when thousands of users are logging in at the same time in peak hours.

Unfortunately, there are also several nuisances setting this up out of the box.

  • Users must authenticate twice. Once, via the IdP when the request is intercepted by the AWS ALB. A second time, when the user actually reaches the Atlassian application. This can be particularly upsetting, as users need to remember to use their IdP password up front, followed by their local password.

  • If you use SSO, you must setup and maintain the two configurations. SSO gets rid of the second authentication event for the user. However, it also increases complexity and makes debugging of failed authentication attempts significantly more difficult. You want to keep your application architecture as simple as possible.

Solution: Setting up seamless authentication with AWS ALB into Atlassian products

AWS_Infographic_AWS_Infographic_Blog_1.png

At resolution, we have published AWS ALB and Amazon Cognito Authentication, an app that creates a seamless authentication flow between the ALB, the IdP, and the Atlassian application.

AWS_Logo_80x80px-13-13.png

  • The app takes information from the OIDC tokens and token claims during the authentication exchange between the ALB and the IdP, then uses that information to log in the user into the Atlassian app.
  • Users are automatically logged into Jira, Confluence or Bitbucket once they authenticate through the IdP.

Prerequisites

  • Atlassian applications hosted in AWS

  • An active Application Load Balancer (ALB)

  • An OIDC-compliant identity provider, such as Okta, Azure AD, or GSuite. Alternatively, you can use SAML-compliant IdPs combined with Amazon Cognito user pools

Steps

  1. Install AWS ALB and Amazon Cognito Authentication for Jira, Confluence, or Bitbucket (coming soon)

  2. Configure your IdP and your AWS ALB. Here you have the complete setup with Azure AD, but do let us know if you need help setting up any other IdPs.

  3. From within the AWS ALB Authentication app configuration in your Atlassian application, select the preset for your IdP and follow the steps of the documentation.

image-20210329-092819(1).png

Save the configuration. If you run into any issues, get in touch with our support team and we’ll gladly help you set it up!

2 comments

M Amine Community Leader Jun 09, 2021

Great article to read

Capi _resolution_ Marketplace Partner Jun 10, 2021

Thanks, @M Amine!

Comment

Log in or Sign up to comment
TAGS
Community showcase
Published in Apps & Integrations

Apps for Confluence you won't want to miss: RSVP for September's Appy Hours

Calling all collaborators and Confluence users! Our Appy Hours event on September 29th features 4 presenters demoing functionality to superpower Confluence. Don't miss learning about these apps i...

112 views 0 9
Read article

Atlassian Community Events