Atlassian SAML Handbook

Service Provider Info

You need to configure both the Identity Provider and the Service Provider to perform any Single Sign-On operation. To configure the Service Provider as an application on the Identity Provider some details about the Service Provider are needed. You can find these details in the Service Provider Info tab. 

IDP Setup Guides

 The app supports Single Sign-On with a number of Identity Providers including ADFS, Auth0, AuthAnvil, Azure AD, Bitium, CA Identity, Centrify, Keycloak, Okta, G Suite, OneLogin, OpenAM, Oracle, Ping One, PingFederate, RSA, SalesForce, Shibboleth 2, Shibboleth 3, SimpleSAML PHP, WSO2 and miniOrange. You can access the setup guide for each Identity Provider by selecting it in the drop-down menu. Feel free to get in touch with us if you need assistance configuring the app with any Identity Provider.

Service Provider Metadata Information

Provide this metadata to your Identity Provider to establish the Application being used as a Service Provider/Relying Party. The app allows you to customize the metadata so that you can provide your details to the Identity Provider.

Click on the Customize Metadata button. In the pop-up form you will find fields to add your organization details along with technical and support contact details. Below the fields to provide these details are options to choose which certificates will be sent in the metadata. Depending on the features supported by the IDP, the plugin can sign the request and decrypt authentication responses for better security and stronger validation. The options provided are :

  • Include Signing Certificate in Metadata:– If enabled, public certificate of the plugin will be added in the Service Provider Metadata and it will be used by the IDP to verify the Signature in the SAML Request from the application.
  • Include Encryption Certificate in Metadata:– If enabled, public encryption certificate of the plugin will be added in the Service Provider Metadata that will be used by the IDP to encrypt the SAML Response.

Metadata URL: The provided metadata url will be in this format : <Application Base URL>/plugins/servlet/saml/metadata. Metadata URL provides the application’s SAML Metadata information that will be used to configure the application in the IDP as a service provider in one go. 

 

Configure IDP manually

In-case you choose to configure the Service Provider details on the Identity Provider manually, then you can use the provided URLs. Copy the required fields like SP Entity IDACS URL, Audience URI, Recipient URL, Destination URL and paste them in your IDP SAML Configuration to add the application as a SAML Service Provider.

Configure Service Providers URLs (Optional)

The application allows you to change the SP BASE URL and SP ENTITY ID to values other than the set defaults.   

  • SP Base URL: If your Atlassian application is running behind a proxy, your IdP will need the proxy SAML Endpoint. You can update the SP (Service Provider) Base URL accordingly. Updating this will also update URLs in the metadata so SP information has to be re-configured in IDP again. By default, it is configured as the current Base URL of your Atlassian application.
  • SP Entity ID:  It also referred to as Issuer. It is used by the Identity Provider to uniquely identify your Atlassian application.

Import IdP Metadata

Once you have configured your Atlassian application as a SAML Service Provider then the Identity Provider will give you it’s Metadata in the the form of either an XML file or a URL. In-case you wish to configure the application manually, then please note down or copy the information listed below. This information will be used to configure the SAML Identity Provider in the Configure IDP tab of the plugin.

  1. IdP Entity ID or Issuer
  2. Single Sign-On Service URL
  3. Single Logout URL(optional)
  4. NameID Format(by default selected as unspecified.)
  5. X.509 Signing Certificate(IDP Signing Certificate)