Atlassian SAML Handbook

1. Sign In Settings

Login Button Text

By default, the plugin adds an SSO button to your login page. After clicking on this button, the plugin will redirect users to IDP and they can perform SSO. The text entered in this field will be the title of the button.

Relay State URL

You can define a URL where all users will be redirected to after SSO regardless of which page they started with. If you want to redirect users to the page they wanted to access in first place, leave this field blank.

Auto Redirect to IDP

Enable this option if you want to disable default password based login of Jira for all your users. If this option is enabled, the plugin will force SSO and redirect all the unauthenticated traffic to IDP.

Enabling this option will show you some sub options as given in the image below.

  • Disable Anonymous access (Only available in Jira):
    Some Jira pages such as about, credits, create issue can be accessed by unauthenticated users. If you want only logged in users to be able to access these pages, use Disable Anonymous Access option.
  • Backdoor/Emergency URL:
    If Auto-redirect is enabled, all users are forced to use SSO, even administrators. Now if in any case, SSO doesn’t work or IDP is not accessible, the administrators will need a way to log into the application to troubleshoot the issue. So to access the application, they need to log in with their local credentials.

    The Backdoor URL allows them to access the login page of the application without being redirected to IDP, i.e., entering this URL in browser will show you the login page and you can enter your username and password to log in. You can also edit the Backdoor URL to create your own.

    • Restrict Backdoor URL:
      Backdoor URL allows you to login with your application credentials and bypass SSO and in some organizations, only administrators or a particular group of users should be allowed to bypass SSO. Enabling this option secures your backdoor URL by allowing only particular groups to access it.

      • Backdoor Groups: Group(s) of the user allows to access Backdoor URL for eg. jira-administrator, in this case only JIRA Administrators will be able to access the JIRA login page and any user who is not JIRA Administrator will be redirected to IDP.

  • Enable Auto-Redirect Delay: Introduce a delay on the login page before the user gets redirected to the IDP for authentication. So a user will see a progress bar on the login page which gives him a 5 seconds window to cancel redirection to IDP.
    Recommended if you have a different sets of users some of whom are using SSO and others are using local login. It can also be used for testing Auto-redirect functionality.

Secure Admin Login Options (Only available in Jira and Confluence)

  • Login as admin only once during SSO: User’s admin session will be created on the first login. When the admin session expires, the administrator won’t be redirected to IDP. Instead, the admin login page will be shown.
  • Login administrator with user permission: User’s admin session will not be created on the first login. Additionally, the administrator will not be redirected to IDP on access to the administration console. Note: Use this only when the user already exists in the system or knows their account’s password.
  •  Redirect to IDP to access Admin functions:  User’s admin session will be created on the first login. Also, the user will always be redirected to IDP on the access of the admin console. Note: Please enable backdoor URL option and copy backdoor URLs mentioned above to login just in case a lock out situation occurs.