Atlassian SAML Handbook

Manual Configurations

If you have the following information from your IDP, you can configure the plugin by manually adding this information in the respective field. Here are the required fields:

IDP Name (required)


You can enter a name for your IDP in this field.. This field will be useful if you have configured multiple SAML IDPs.
For example, if you configure 2 IDPs namely IDP1 and IDP2, you can edit, test or delete them easily from the list as shown in the image below:

IDP Entity ID/Issuer (required)


A unique URI/name used to identify the Identity Provider. This ID is provided by all SAML 2.0 compliant IDPs. Also, this is required for SAML SSO to work properly. The app uses IDP Entity ID to validate SAML Response.

Send Signed Request (required)


The plugin will send signed SAML Authentication Request to the SAML IDP during SSO. Most of the IDPs verify the signature of the SAML request before performing SSO. You’ll need to add the public certificate of the app as signing certificate in the IDP to use this feature.

This public certificate is available for download in Service Provider Info tab of the app. You can also change it and add your own certificate in Certificates tab. Click here for more information about this.

Single Sign-on URL (required)


An endpoint from IDP responsible for parsing the SAML Authentication request. The plugin sends SAML Request to this endpoint after initiating SSO. The SAML SSO URL might change according to the binding type selected in the app. Refer to the binding type section to know how to determine binding type and SSO URL.

Single Logout URL (optional)


An endpoint from IDP responsible for parsing the SAML logout request. The plugin sends SAML Logout Request to this endpoint after user logs out from the application. The SAML SLO URL might change according to the binding type selected in the app. Refer to the binding type section know how to determine binding type and SLO URL.

This is an optional field. Configure it, only when you want to logout users from IDP after they log out from the application.

SSO and SLO Binding Type (required)


The app sends XML Messages to IDP to perform Single Sing On and Single Logout. These SAML Messages are called SAML Request and Logout Request respectively. The Binding Type defines how the app will send these messages.

HTTP Redirect:

The SAML Request message is sent as a GET request to IDP when HTTP redirect is selected. This means that the app will send SAML Request in URL parameters. This increases the length of the URL significantly. The URL length is even larger if signed request is sent.

Some IDPs have a limit on the length of the URL, hence we recommend not using this method if your IDP supports HTTP-POST.

HTTP Post:

The SAML Request message is sent as a POST request to IDP when HTTP Post is selected. This allows you to send SAML Request to IDP without increasing the length of the URL and hence it is recommended to use this binding type.

How to know which Binding Type your IDP supports?

You can find this information in IDP’s metadata file.

  1. Open IDP’s metadata
  2. Search for SingleSignOnService.
  3. Check the value of Binding attribute. You can see in the image below that this sample IDP supports both Binding Types

  4. The value of Location attribute is the Single Sign-On URL for that binding type.

 

 

NameID Format


NameID is considered as a unique identifier of the user performing SSO. Some IDPs require SP to request a specific NameID format for SSO to work properly. Keep the value of this field Unspecified if your IDP doesn’t require any specific NameID format.

IDP Signing Certificate:


This is the public signing certificate provided by the IDP. IDP signs the SAML Response before sending it to the app. The app uses this public certificate to verify the signature in the SAML Response.

 

Manual Configuration Fields image


Other Features/ Troubleshooting Options


Test Configuration 

You can use this button to verify your configurations. Once you click on this button,

  • a pop up window will open.
  • This will initiate an SSO flow and you’ll need to log in to the IDP. If you’re already logged into the IDP, this step will be skipped
  • Once you log in, you’ll see a test status window.

If,

  • Configurations are correct: You’ll see a Test Successful message with a list of attributes from the IDP as shown below.
    Test Success
  • Configurations are incorrect:  you’ll see a Test Failed message with the cause of the error and resolution as shown below.
    Test Failed
  • Test Failed: You can send a screenshot of this window to miniOrange support for troubleshooting.

View SAML Request

This button allows you to view and download the SAML Request sent to the IDP. Here’s how it looks:

If you face any issues during Test Configurations, you can send this file to miniOrange Support for troubleshooting. 

View SAML Response

This button allows you to view and download the SAML Assertion received from the IDP. Here’s how it looks:

If you face any issues during Test Configurations, you can send this file to miniOrange Support for troubleshooting.

Add New IDP Button

This button will open a new configuration form where you can add another IDP.