The Jira SAML app lets you enable SAML Single Sign-On for Jira Software and Jira Service Desk. Jira Software and Jira Service Desk are compatible with all SAML Identity Providers. This guide walks through configuring SAML SSO between Jira and your Identity Provider. By the end of this guide, users from your Identity Provider should be able to log in and register to Jira Software and Service Desk.
To integrate your IDP with Jira, you have to ensure the following prerequisites are met:
Now, let’s look at how you can download and install the miniOrange Jira SAML Single Sign On (SSO) plugin for your Jira Data Center.
<MetadataProvider xsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" id="MyInlineMetadata">
  <EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <!-- Replace both placeholders with the Entity ID and ACS URL shown in the plugin's SP metadata -->
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="<ENTITY_ID_FROM_PLUGIN>">
      <!-- The SP does not sign AuthnRequests but requires signed assertions from the IdP -->
      <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="<ACS_URL_FROM_PLUGIN>" index="1"/>
      </md:SPSSODescriptor>
    </md:EntityDescriptor>
  </EntitiesDescriptor>
</MetadataProvider>
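A pre-flight check for the SP metadata above, as an added example (not miniOrange or Shibboleth code): it parses the EntityDescriptor and flags a mistyped binding or NameID format URI, a missing WantAssertionsSigned, and a non-HTTPS ACS URL before the metadata is loaded into the IdP. The entity ID and ACS URL in the sample are constructed placeholders, not values from the plugin.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def lint_sp_metadata(xml_text):
    """Return findings for the first SP EntityDescriptor; an empty list means clean."""
    root = ET.fromstring(xml_text)
    # iter() also yields the root, so a bare EntityDescriptor or a wrapped one both work
    entity = next(root.iter(f"{{{MD}}}EntityDescriptor"), None)
    if entity is None:
        return ["no md:EntityDescriptor found"]
    sp = entity.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return ["no md:SPSSODescriptor found"]
    findings = []
    if not entity.get("entityID"):
        findings.append("entityID is empty")
    if sp.get("WantAssertionsSigned") != "true":
        findings.append("WantAssertionsSigned is not 'true'")
    formats = [(e.text or "").strip() for e in sp.findall(f"{{{MD}}}NameIDFormat")]
    if EMAIL_FMT not in formats:
        findings.append("emailAddress NameIDFormat missing or misspelled")
    acs_list = sp.findall(f"{{{MD}}}AssertionConsumerService")
    if not acs_list:
        findings.append("no AssertionConsumerService")
    for acs in acs_list:
        if acs.get("Binding") != HTTP_POST:
            findings.append(f"unexpected ACS binding: {acs.get('Binding')}")
        if not (acs.get("Location") or "").startswith("https://"):
            findings.append(f"ACS Location is not https: {acs.get('Location')}")
    return findings

def sample(binding=HTTP_POST, fmt=EMAIL_FMT, acs="https://jira.example.com/acs"):
    """Constructed SP metadata; entityID and ACS URL are placeholders, not plugin values."""
    return (
        f'<md:EntityDescriptor xmlns:md="{MD}" entityID="https://jira.example.com/sp">'
        '<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" '
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"<md:NameIDFormat>{fmt}</md:NameIDFormat>"
        f'<md:AssertionConsumerService Binding="{binding}" Location="{acs}" index="1"/>'
        "</md:SPSSODescriptor></md:EntityDescriptor>"
    )

if __name__ == "__main__":
    print(lint_sp_metadata(sample()))
    print(lint_sp_metadata(sample(binding="urn:oasis:names:tc:SAML:2.0:bindings:https-POST",
                                  fmt="urn:oasis:names:tc:SAML:1.1:nameidformat:emailAddress")))
```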
<resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
  <resolver:Dependency ref="ldapConnector" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</resolver:AttributeDefinition>
<afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
  <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
IDP Entity ID | https://<your_domain>/idp/shibboleth |
Single Login URL | https://<your_domain>/idp/profile/SAML2/Redirect/SSO |
X.509 Certificate | The public key certificate of your Shibboleth server |
Quick Setup streamlines the initial configuration process by automatically handling all essential details required for a basic SSO setup. This allows you to quickly enable SSO functionality and then configure more advanced features at your own pace.
You can follow the steps provided below to initiate a Quick Setup:
2.1: Service Provider Metadata
After selecting your preferred IDP, you’ll be taken to the Service Provider (SP) Metadata section. Here, you will find the metadata that you need to provide to your IDP.
The setup gives you two ways to add this metadata to your IDP. Let’s explore these two methods in depth:
2.1.1: Importing the metadata
2.1.2: Manually adding the metadata
2.2: Configuring your Identity Provider
Let’s explore how you can configure your IDP using the metadata.
2.2.1: Custom IDP name
2.2.2: Adding the IDP metadata
Next, you can scroll down on the same page to add IDP metadata. Our plugin provides three ways for you to add your IDP metadata. You can select any one of the three methods using the corresponding dropdown list.
Let’s look at the three options individually:
2.2.2.A: I have the metadata URL for my IDP
2.2.2.B: I have a file which contains the metadata
2.2.2.C: I want to manually configure the IDP
2.2.3: Testing the configuration
2.3: User Profile
With the Identity Provider (IDP) configured, we will now set up the basic user profile attributes for your Service Provider (SP).
2.3.1: Matching a user
2.3.2: Setting profile attributes
2.4: User Groups - Default groups
2.5: Troubleshooting and Support
Here, you can review the results of a successful test configuration, including the attributes received from your IDP, the SAML request sent, and the SAML response received.
The Quick Setup method establishes basic SSO functionality for your end-users. However, you can further customize your setup by utilizing the full set of features provided by the plugin.
To access advanced configuration options:
2.1: Service Provider Metadata
If you intend to customize your IDP setup from the start, you can find the required Service Provider (SP) metadata under the SP Metadata section. It contains essential information about your SP configuration that you will need to provide to your IDP for seamless integration.
There are multiple ways to add this metadata to your IDP:
2.1.1: Importing the metadata
2.1.2: Manually add the metadata
If you wish to add the metadata manually, you will find the following information in this section. You will need to provide these details to your IDP.
2.2: Configuring Your Identity Provider
The manual setup flow allows you to dive into the complete set of configurations provided by the plugin to add a SAML IDP.
The steps to configure an IDP using the Manual Setup option are:
2.2.1: Adding IDP Metadata
There are three ways you can configure IDP settings with the information you have been given by your IDP team:
2.2.1.1: By Metadata URL
2.2.1.2: By Uploading Metadata XML File
2.2.1.3: Manual Configuration
Go to the Manual Configuration tab and enter the following details:
2.3: User Profile
2.3.1: Finding correct attributes
2.3.2: Setting profile attributes
2.3.3: Matching a user
When a user logs into Jira, one of their attributes from the IDP is used to search for their account. This enables Jira to detect the user and log them into the corresponding account.
You can configure it using the steps given below:
2.4: User Groups
Now, let's move on to configure user group attributes for Jira. This feature allows you to replicate the user groups present in your IDP within your Service Provider (SP) environment.
You can accomplish this in the following ways:
2.4.1: Setting default group
2.4.2: Finding Group Attribute
Similarly to how you identified the Attribute Names for User Profiles, you will need to locate the attribute name corresponding to group information.
Here’s how you can do this:
2.4.3: Group Mapping
Group Mapping can be done in two ways:
2.4.3.1: Manual Group Mapping
2.4.3.2: On-The-Fly Group Mapping
2.5: Troubleshooting and Support
If you don't find what you are looking for, please contact us at support-atlassian@miniorange.atlassian.net or raise a support ticket here.