Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How can I configuration SAML in Keyclock to use atlassian cloud

Thanapon Srithundorn
Thanapon Srithundorn
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
August 31, 2018

How can I  configuration SAML  SSO in Keyclock to use atlassian cloud?

I got document to configure here

https://confluence.atlassian.com/cloud/saml-single-sign-on-943953302.html

But Keycloak  unsupported and document not have details enough to setting.

please help guide and show configure example.

Answer
Watch
Like Danny H. likes this
8957 views

4 answers

2 accepted

4 votes
Answer accepted
Philip Colmer
Philip Colmer
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
January 6, 2021

Start by creating a SAML client in Keycloak. Call it whatever you like because we'll be changing it later.

In the Keycloak client configuration, turn OFF "Client Signature Required" and click on "Save".

In Atlassian Access, you need to provide three values:

"Identity provider Entity ID" - this will be your server's URL followed by /auth/realms/<realm name>

"Identity provider SSO URL" - this will be your server's URL followed by /auth/realms/<realm name>/protocol/saml

"Public x509 certificate" - this can be obtained from Keycloak. On our server, I found in under Realm Settings - Keys, then clicking on the Certificate button.

With the values entered, Atlassian Access will give you two URIs - SP Entity ID and SP Assertion Consumer Service URL.

Edit the SAML client you created in Keycloak. Change the client ID to be the "SP Entity ID" value. Copy the "SP Assertion Consumer Service URL" and paste it into "Valid Redirect URIs" and "Base URL". Click "Save".

That should do it. Just remember that SSO only works for validated domains.

View More Comments
Andreas Krupp
Andreas Krupp January 22, 2021

Hey @Philip Colmer ,

I can confirm that your user Guide works!

Thx a lot for sharing!

Cheers & best,

Andreas

Like
Preston Lee
Preston Lee
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
October 18, 2021

Excellent, it worked for me too! @Daniel , could you please correct the documentation? The older general instructions and screenshots are wrong.

Like Daniel likes this
Daniel
Daniel October 19, 2021

@Preston Lee i believe this message was not meant for me.

Like
Vipin
Vipin
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
February 3, 2022

Hey @Andreas Krupp , @Philip Colmer & @Preston Lee

Thank you for experiment keycloak using SAML sso. Yes the information was quite helpful to reach the endpoint but still I am experiencing an issue. In my case Keycloak is acting as a Identity broker from my LDAP server. LDAP authentication works and reach at my atlassian cloud site but it fails with user not found error. Is this due to anything related to policy? If you want more info, I am happy to provide the details from my client and realm. 

thank you, 

vipin 

Like
Philip Colmer
Philip Colmer
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
February 3, 2022

@Vipin It is important to understand that these steps are for authentication.

It is not (currently) possible to use Keycloak as a means of provisioning users in Atlassian Access. In other words, you either have to manually create users in Atlassian Access so that users can then authenticate, or you have to find another way of getting users created in AA.

Within the Atlassian Admin pages, click on "Directory" and you'll see Managed accounts, User provisioning, G Suite and Domains. If you are synchronising from LDAP to G Suite, you can use that mechanism to provision users. Otherwise, you'll need to click on "User provisioning" to set up automatic provisioning.

For our setup, we're using Okta to synchronise from LDAP and then auto-provision to Atlassian. It generally works well although it doesn't like LDAP accounts that don't have a first name.

If it isn't user provisioning, perhaps you can provide some more details about how you are setting up the users.

Philip

Like Ondrej Havel likes this
Vipin
Vipin
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
February 3, 2022

Hi @Philip Colmer , 

 

Perfect, you got it right. Atlassian access didn't have access to the users and that denied the access to the Jira software. let me do a few more tests and update here! 

 

thanks a lot! 

Vipin 

Like
Reply
0 votes
Answer accepted
Daniel Eads
Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 31, 2018

Hi Thanapon,

We don't specifically support / test against Keycloak, so it's covered in the Unsupported identity providers section of our setup document. The details in that section apply in general to any SSO provider that supports SAML (which Keycloak does).

On the other side of the equation, you can follow Keycloak's own documentation for setting up a Client for Atlassian Access to use.

Cheers,
Daniel

Reply
2 votes
mmrvelj
mmrvelj
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
July 17, 2023

I just want to confirm that I managed to configure SSO from Atlassian Access to Keycloak version 21.1.2. Keyclock changes UI quite often..

I mostly followed instructions here, but also needed to configure some things not explicitly mentioned here:

  • Enable "Sign documents" and "Sign assertions"
    • Set "SAML signature key name" to "KEY_ID"
  • This is mentioned, but I did not realize it first time: on client configuration under "Keys" tab -> disable "Client signature required"

I believe rest is mostly the same. 

 

Reply
0 votes
Harald Haas
Harald Haas
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
March 21, 2024

I have followed all the steps provided by @Philip Colmer and @mmrvelj but I am getting stuck with the following error upon redirect:

{"key":"badRequest","context":{"message":"Invalid customer saml login callback request","reason":"No In Response To in SAML Response"}}

Did anyone else face this issue and found a way around it?

It might be related to the keycloak issue #14055 but I am wondering, since everyone else got it running here, if there  has been a change in the JIRA SAML Authentication Flow or if I am missing a setting somewhere.

Thanks in advance!

   

Reply

Suggest an answer

Log in or Sign up to answer
Atlassian logo
Atlassian Guard
TAGS
AUG Leaders

Atlassian Community Events

    See all events