SAML SSO for Jira Data Center applications
Security Assertion Markup Language (SAML) is an XML-based data format that allows a service to exchange authorization data with an identity provider (IdP). The most common use case is allowing a user to sign in to multiple software applications using the same authentication details, usually a username and password. This is referred to as single sign-on (SSO).
We provide the functionality for Jira Software Data Center and Jira Service Management Data Center applications to connect to your IdP so that you can provide your users with an SSO experience. This only handles authentication. Application access and any required authorizations, such as ensuring that users belong to the appropriate groups/roles and have the necessary permissions, should be configured in the user directory and/or the application itself.
Looking for a cross-domain SSO solution?
Crowd Data Center 3.4 with its Crowd SSO 2.0 feature offers one solution for authenticating to Server and Data Center applications, and setting it up takes only minutes. Are you are ready for the change? See Crowd SSO 2.0.
Setting up single sign-on
You'll need to configure your application and your IdP to provide single sign-on for your users.
Supported Identity Providers
SAML single sign-on should work with any identity provider implementing the SAML 2.0 Web Browser SSO Profile, using the HTTP POST binding.
We currently perform tests with the following identity providers:
Setting up SSL/TLS
Once set up, you need to make sure that the application's configured base URL is using the HTTPS protocol.
Setting up SSL/TLS using a reverse proxy
If you want to use a reverse proxy, please refer to these product specific documents, describing the exact configuration steps:
- Proxying Atlassian server applications with Apache HTTP Server (mod_proxy_http)
- Integrating Jira with Apache using SSL
- Securing your Atlassian applications with Apache using SSL
When using a reverse proxy that terminates SSL/TLS, you need to make sure that the request URL the application server sees matches the fully-qualified domain name for the reverse proxy. This is usually achieved by configuring the <Connector> directive with the appropriate proxyName, proxyPort, secure and scheme settings. Please check the documentation above for specific examples.
Setting up your Identity Provider
If you want your application to provide SSO, you'll need to add it to your IdP. The exact process varies depending on the IdP, but you'll usually need to:
- Define an 'application' in your IdP
- Provide some data about the application, including data you can access on your application's Authentication screen
- Make sure the NameID attribute of the users in your IdP is set to the username in your Atlassian application
- Give the appropriate users permission to use the application
At the end of the setup process your IdP will provide you with a set of data that you'll need to configure your Atlassian application.
Configuring SAML Authentication in your Atlassian application
- Navigate to the SAML Authentication screen by selecting Administration () > System > SAML Authentication.
- Select SAML single sign-on.
Configure the following settings:
Setting Notes Single sign-on issuer
This value is provided by your IdP, as part of setting up SAML. It's sometimes also called 'Entity ID'
The issuer is the IdP your application will be accepting authentication requests from
Identity provider single sign-on URL
This value is provided by your IdP, as part of setting up SAML.
It defines the URL your users will be redirected when logging in.
X.509 Certificate
This value is provided by your IdP, as part of setting up SAML. This is sometimes referred to as a 'Signing certificate'. The key usually starts with '-----BEGIN CERTIFICATE-----'.
This contains the public key we'll use to verify that all received SAML authentication requests have been issued by your IdP.
Login mode
This defines how your users can use single-sign on. The options are:
- Use SAML as secondary authentication – the default way to log in will be the standard application login form. You can log in using SAML if you go to your IdP and select your application, or by using the this URL to log in: BASE-URL/plugins/servlet/external-login. We recommended this method so you can test that everything is configured correctly, and that users can log in using SSO.
- Use SAML as primary authentication – in this mode, all browser-based users will be redirected from the application's login screen to the IdP to log in. It's still possible to authenticate by:
- Basic Auth
- Form-based auth via dedicated REST endpoint
- Existing Remember Me tokens
You should only enable this mode once you've verified that SAML authentication is working as expected.
Remember user logins When checked, successful user logins will be remembered in the user's browser. When browsing to their application, users will be logged in automatically without having to authenticate again using SAML. (Jira Service Desk only) When checked, all login requests from your Jira Service Management customers using the customer portal will be redirected to the configured IdP. If not selected, customers must log in through the customer portal.
The following information is provided on the Authentication screen, and will be required to configure your IdP:
Setting name Notes Assertion Consumer Service URL This is the URL the IdP will return SAML authentication requests to.
Audience URL (Entity ID) This is the URL the IdP will prepare SAML authentication requests for.
- Click Save configuration.
Once you've configured both your application and your IdP, you're ready to start using SSO.
Best practices
- SAML authentication requests are only valid for a limited time. You should make sure the clocks on the server running your application/s and the IdP are synchronised.
- If users and groups in your application are configured using User Directories, you'll usually want to use the same LDAP directory to be the source of users for both your IdP and Atlassian application. Users need to exist in the user directory before they can log in using SSO.
Troubleshooting
If you make a mistake configuring the SAML authentication, or are unable to log in using your IdP, you can restore login form authentication by using issuing a DELETE request (using a username and password for an administrator configured in your user directory):
curl -u admin_user:admin_password -X DELETE http://base-url/product/rest/authconfig/1.0/saml
- If an authentication error occurs, the user will only see basic details about what went wrong. For security reasons, the details about the underlying problem are not shown. You'll need to check the application logs to see the cause of the problem.
- In some cases you might also experience errors shown by your IdP. For those you will need to use the support and tools provided by your IdP, rather than Atlassian support.
- When using SAML as primary authentication and you have CAPTCHA enabled in the application, users that use HTTP basic authentication (for example in REST resource calls) may get locked out if they enter an incorrect password too many times. In these cases, an administrator will need to reset the user's CAPTCHA in the user list screen.