An In-depth Guide to Atlassian Cloud OAuth Single Sign-On (SSO) with AWS Cognito

Atlassian Cloud OAuth Single Sign-On (SSO) with AWS Cognito

With Jira OAuth Single Sign-On (SSO) for Atlassian Cloud, you can securely log in to Jira Cloud using your AWS Cognito credentials. This app allows you to perform seamless Single Sign-On (SSO) into your Atlassian Access or Jira/Confluence Cloud accounts using your existing OAuth Provider credentials.

Pre-requisites

    1. Atlassian Guard (Atlassian Access) Subscription:
    Atlassian Guard is an additional subscription applied across the Atlassian Cloud products like Jira Software, Jira Service Management, Jira Work Management, Confluence, and Bitbucket. It is needed for Single Sign-On (SSO) or any Cloud Service that comes under Atlassian Guard.

    2. Domain Verification:
    The first step of Atlassian Guard starts with the Domain Verification process to enforce SSO on the managed user accounts. This process verifies that you own a valid domain for managing the user accounts and use the same domain name for the email addresses.

    Download and Installation

    • Log into your Jira instance as an admin.
    • Navigate to Apps → Explore more apps from the header menu.
    • Next, search for the miniOrange OAuth/OpenID SSO app.
    • Click on Try it free to begin a new trial of the app.
    • On the menu bar click on Apps and locate the OAuth/OpenID SSO app and click .

    In this guide, we will demonstrate the setup in three parts:

    • 1: Configure OAuth SSO connection between miniOrange App (as OAuth Client) and AWS Cognito (as OAuth Provider).
    • 2: Configure SAML SSO connection between Atlassian Guard (as SP) and miniOrange App (as IDP).
    • 3: Add users to the SSO Authentication policy, and enforce the SSO.

    Step 1. Configure AWS Cognito as a OAuth Provider

    • Once the plugin is installed, select the Apps dropdown from the top menu and click on mO Jira OAuth/OIDC SSO option. Jira app main menu with the Apps section open and the mO Jira OAuth/OIDC SSO app highlighted
    • Next, you will be prompted with a welcome pop-up window. Click Start Configuration. Welcome window of mO Jira OAuth/OIDC SSO app.
    • Copy the Callback URL and keep it handy as it will be required while setting up the OAuth application in AWS Cognito. Callback URL from mO Jira OAuth/OIDC SSO app to be configured in the OAuth Provider
    • After copying the callback URL, sign in to AWS Amazon. AWS Cognito SSO - Login to your AWS Cognito Application
    • Search for Cognito in the AWS Services search bar as shown below. AWS Cognito SSO - Search Cognito in App Services
    • Click on Create a User Pool button to create a new User Pool. AWS Cognito SSO - Create User Pool
    • Select the Application type as Traditional web application. Provide a name for your application and choose the required attributes. AWS Cognito SSO - Provide User Pool Details
    • Add the callback URL in the Return URL field. Click Create. AWS Cognito SSO - Paste Callback URL
    • Scroll down and click on the Go to Overview button. AWS Cognito SSO - Click on Go to Overview button
    • Go to Authentication methods and click Edit under Email. AWS Cognito SSO - Navigate to Authentication Tab
    • Enter the email address to send messages and click Save Changes. AWS Cognito SSO - Provide Email to Send message
    • Go to App Clients and either select or create a new App Client. AWS Cognito SSO - Navigate to App Client Section
    • Copy the Client ID and Client Secret for later use. AWS Cognito SSO - Copy Client ID and Secret
    • Go to Attribute permissions, click Edit, choose desired attributes, and click Save. AWS Cognito SSO - Select Attributes you want in Shopify
    • In the Login pages tab, click Edit. AWS Cognito SSO - Click on Edit for SSO Configurations
    • Ensure the Callback URL is correctly added. Select Cognito user pool, Authorization code grant, and scopes: Email, OpenID, Profile. Then click Save Changes. AWS Cognito SSO - Select Authorization Code Grant AWS Cognito SSO - OAuth Grant Type and Scopes
    • Go to the Users tab, then click Create user. AWS Cognito SSO - Create New user
    • Enter user details like email, phone number, and password. Click Create user. AWS Cognito SSO - provide email, password
    • Return to the miniOrange App configuration and click Next from the Callback URL screen.
    • Select Application Type as OIDC. Enter Client ID, Client Secret, Scopes (openid, email, etc.), and required endpoints. Then click Next. OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Create group

    Step 2. Set up SSO between Atlassian Guard and miniOrange

    • In the next window, you’ll find the Plugin Metadata details.
    • Copy IDP Entity ID, IDP SSO URL, and IDP Public X.509 Certificate and keep it handy. You’ll need these to configure the Identity Provider in the Atlassian Guard.
    • Open the Atlassian Admin Console and go to the Security tab.

    Note: In case you manage multiple organizations, you’ll have to select the intended one after accessing the admin console.

    • Click on Identity providers and select Other provider.
    • On the Atlassian admin dashboard, under the Security tab in the Identity providers section with the Other provider option highlighted.
    • Provide an appropriate name, select Set up SAML Single Sign-On, and click Next.
    • Now, paste the IDP Entity ID, IDP SSO URL, and Public X.509 Certificate that you copied from the plugin configuration.
    • Copy SAML details from mO Jira OAuth/OIDC SSO app and configure it on Atlassian Guard under the add SAML details section
    • Click Next and copy the Service Provider Entity ID and Service Provider Assertion Consumer Service URL. Keep these handy as they’re required to complete the plugin configuration.
    • Complete the rest of the Atlassian Guard configuration.
    • Once you’re done, return to the plugin configuration page, go to the SAML IDP Metadata tab, and click Next.
    • Enter the SP Entity ID and Assertion Consumer Service (ACS) URL that you copied, and click Next.
    • SAML SP configuration section in mO Jira OAuth/OIDC SSO app, where SP details are copied from Atlassian Guard

    Step 3: Configure SSO Authentication Policy

    Once all the SSO Configurations are done, you need to add users to the Authentication Policy and enforce Single Sign-On.

    Follow these steps:

    • Log in to Atlassian Cloud Admin Console, and go to the Security tab.
    • Under the Authentication Policies section, find the respective SSO policy and click Edit.
    • Select the checkbox for Enforce single sign-on option, then go to the Members section and add the new users to the policy.
    If you encounter any difficulties configuring miniOrange add-ons, please contact us at atlassiansupport@xecurify.com or raise a support ticket here.
    OAuth Saml App

    Did this page help you?

    miniOrange Atlassian Contact Us

    Book a Free Consultation with
    Our Experts Today!

    Schedule a call now!


    Contact Us