Atlassian Cloud SSO (Single Sign-On) using Keycloak as SAML Provider

The Jira SAML Single Sign-On (SSO) app for Atlassian Cloud lets you securely log in to your Atlassian Cloud accounts using your existing Keycloak credentials.

Pre-requisites

  1. Atlassian Guard (Atlassian Access) Subscription:
    Atlassian Guard is an additional subscription that applies across the Atlassian Cloud products, such as Jira Software, Jira Service Management, Jira Work Management, Confluence, and Bitbucket. It is required for Single Sign-On (SSO) or any Cloud Service across Atlassian Cloud products.
  2. Domain Verification:
    An essential step to enforce SSO on managed user accounts through Atlassian Guard is Domain Verification. This process verifies that your organization has a valid domain for managing the user accounts and uses the same domain name for the email addresses.

Download and Installation

  • Log in to your Atlassian Admin Console and select your site.
  • Now, in the left sidebar, scroll down to the Apps section. Under Apps, select Site, which will open the site settings page.
  • In the site settings, navigate to Connected Apps → Explore apps. (Alternatively, you can go to the Atlassian Marketplace and search for the app.)
  • Search for miniOrange SAML SSO.
  • Click “Try it free” to begin a new trial of the app.
  • Now, in the top menu bar, go to Apps.
  • Locate the “mO Jira SAML SSO” app and click to open it.

In this guide, we will demonstrate the setup in three parts:

  1. Configure SAML SSO connection between the miniOrange App (as SAML Client) and Keycloak (as SAML Provider).
  2. Configure SAML SSO connection between Atlassian Guard (as SP) and miniOrange App (as IDP).
  3. Add users to the SSO Authentication policy, and enforce the SSO.

Step 1. Configure SSO connection between the miniOrange App and Keycloak

  • Once the plugin is installed, select the Apps section from the sidebar menu and click on the mO Jira SAML SSO.
  • Next, you will be prompted with a welcome pop-up window. Click Start Configuration.
  • Now, in the Configured Providers section, click the "Add Provider" button.
  • Select Keycloak as the SAML provider.
  • Go to the SP Information tab and copy the SP Entity ID, ACS URL, and SP certificate. Keep them handy, as you'll need them to configure Keycloak as the SAML provider.
  • After copying the SP Entity ID, ACS URL, and SP certificate, navigate to the Keycloak admin dashboard and click on Clients → Create client.
  • Select SAML as the Client type, paste the SP Entity ID into the Client ID field, and paste the ACS URL into Valid redirect URIs.
  • Now, go to the realm settings and click on SAML 2.0 Identity Provider metadata.
  • Copy the entity ID, SSO URL, and IDP signing certificate.
  • Now, return to the miniOrange App configuration page. (SAML Provider Configurations)
  • Enter the IDP Entity ID (entity ID), Single Sign On URL (SSO URL), IDP Signing Certificate (X509 Certificate), and Email Attribute (email), and click Save Configuration.

Step 2. Set up SSO between Atlassian Guard and miniOrange App

After saving the SAML Configuration, you’ll be required to configure Atlassian Guard and the miniOrange SAML SSO App.

  • A pop-up notification will appear, asking you to complete the Atlassian Guard configuration.
  • Click on Configure Guard, and you will be navigated to the Guard Configurations section.
  • In this section, you will find the Plugin Metadata details.
  • Copy and keep the following values handy. You’ll need them while setting up your Identity Provider in Atlassian Guard:
    • IDP Entity ID
    • IDP SSO URL
    • IDP Public X.509 Certificate
  • Open the Atlassian Admin Console and navigate to the Security tab.
    Note: In case you manage multiple organizations, you’ll have to select the intended one after accessing the admin console.
  • Under User Security, click Identity Providers.
  • Select Other to begin configuring a custom Identity Provider.
  • Provide an appropriate name, select Set up SAML Single Sign-On, and click Next.
  • Now, paste the IDP Entity ID, IDP SSO URL, and Public X.509 Certificate that you copied from the plugin configuration.
  • Click Next and copy the Service Provider Entity ID and Service Provider Assertion Consumer Service URL. Keep these handy as they’re required to complete the plugin configuration.
  • Complete the rest of the Atlassian Guard configuration.
  • Once you’re done, return to the plugin, go to the SP Metadata tab in the Guard Configurations section, and click Next.
  • Enter the SP Entity ID and Assertion Consumer Service (ACS) URL that you copied, and click Save Settings.

Step 3: Configure SSO Authentication Policy

Once all the SSO configurations are done, you need to add users to the Authentication Policy and enforce Single Sign-On.

After saving the SP Metadata, click Next to find the steps for adding the users to the Authentication policy.

You can now use Single Sign-On into Atlassian with your preferred SAML provider through the miniOrange app.
