Atlassian Cloud OAuth Single Sign-On (SSO) with Google Apps
With Jira OAuth Single Sign-On (SSO) for Atlassian Cloud, you can securely log in to Jira Cloud using your Google Apps credentials. This app allows you to perform seamless Single Sign-On (SSO) into your Atlassian Access or Jira/Confluence Cloud accounts using your existing OAuth Provider credentials.
Pre-requisites
1. Atlassian Guard (Atlassian Access) Subscription:
Atlassian Guard is an additional subscription applied across the Atlassian Cloud products like Jira Software, Jira Service Management, Jira Work Management, Confluence, and Bitbucket. It is needed for Single Sign-On (SSO) or any Cloud Service that comes under Atlassian Guard.
2. Domain Verification:
The first step of Atlassian Guard starts with the Domain Verification process to enforce SSO on the managed user accounts. This process verifies that you own a valid domain for managing the user accounts and use the same domain name for the email addresses.
Download and Installation
- Log into your Jira instance as an admin.
- Navigate to Apps → Explore more apps from the header menu.
- Next, search for the miniOrange OAuth/OpenID SSO app.
- Click on Try it free to begin a new trial of the app.
- On the menu bar click on Apps and locate the OAuth/OpenID SSO app and click .
In this guide, we will demonstrate the setup in three parts:
- 1: Configure OAuth SSO connection between miniOrange App (as OAuth Client) and Google Apps (as OAuth Provider).
- 2: Configure SAML SSO connection between Atlassian Guard (as SP) and miniOrange App (as IDP).
- 3: Add users to the SSO Authentication policy, and enforce the SSO.
Step 1. Configure SSO connection between miniOrange App with Google Apps
- Once the plugin is installed select the Apps dropdown from the top menu and click on mO Jira OAuth/OIDC SSO option.
- Next, you will be prompted with a welcome pop-up window. Click Start Configuration.
- Copy the Callback URL and keep it handy as it will be required while setting up the OAuth application in Google Apps.
- After copying the callback URL, visit Google's Developer Console and log in to your account.
- Click Select a project, then NEW PROJECT, and enter a name for the project, and optionally, edit the provided project ID. Then click on the Create button.
- Select your project, click on APIs & Services, and select the OAuth consent screen option.
- On the Consent screen page, select the User Type and click on Create. In the next screen, provide the Application name and save the changes.
- Now go to Credentials, click on Create Credentials, and select OAuth Client ID.
- Select Web Application as the application type.
- Click on the Add URI button in the Authorized Redirect URIs section. Enter the callback URL copied from the miniOrange app. Click on Create.
- Copy the Client ID and Client Secret to your clipboard, as you will need them when you configure the miniOrange plugin.
- To send the user's group to the client application, you need to enable Admin SDK and API access. For Admin SDK, navigate to the Dashboard and click on ENABLE APIS AND SERVICES.
- Now search for Admin SDK, select it from the list, and then click on the ENABLE button.
- To enable API Access you need to login into the Google Admin console. In Google Admin Console, go to Security ->Settings.
- Look for API Permissions -> Enable API access.
- Now, return to the miniOrange App configuration page and click Next from the Callback URL screen.
- Select Application Type as OIDC. Enter Client ID, Client Secret, Scopes (such as openid, email, etc.), and other required endpoints. Then click Next.















Step 2. Set up SSO between Atlassian Guard and miniOrange
- In the next window, you’ll find the Plugin Metadata details.
- Copy IDP Entity ID, IDP SSO URL, and IDP Public X.509 Certificate and keep it handy. You’ll need these to configure the Identity Provider in the Atlassian Guard.
- Open the Atlassian Admin Console and go to the Security tab.
Note: In case you manage multiple organizations, you’ll have to select the intended one after accessing the admin console.
- Click on Identity providers and select Other provider.
- Provide an appropriate name, select Set up SAML Single Sign-On, and click Next.
- Now, paste the IDP Entity ID, IDP SSO URL, and Public X.509 Certificate that you copied from the plugin configuration.
- Click Next and copy the Service Provider Entity ID and Service Provider Assertion Consumer Service URL. Keep these handy as they’re required to complete the plugin configuration.
- Complete the rest of the Atlassian Guard configuration.
- Once you’re done, return to the plugin configuration page, go to the SAML IDP Metadata tab, and click Next.
- Enter the SP Entity ID and Assertion Consumer Service (ACS) URL that you copied, and click Next.



Step 3: Configure SSO Authentication Policy
Once all the SSO Configurations are done, you need to add users to the Authentication Policy and enforce Single Sign-On.
Follow these steps:
- Log in to Atlassian Cloud Admin Console, and go to the Security tab.
- Under the Authentication Policies section, find the respective SSO policy and click Edit.
- Select the checkbox for Enforce single sign-on option, then go to the Members section and add the new users to the policy.

Additional Resources
Did this page help you?