How to integrate Keycloak with Atlassian SAML SSO 2.0


Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.

This article explains how to integrate Keycloak, acting as a SAML identity provider, with Atlassian SAML SSO 2.0.


After installing Keycloak and setting up the Admin Console on http://127.0.0.1:9990, open the Keycloak server console at http://127.0.0.1:8080/auth. Create the initial user there (for example, user1) and log in to Keycloak. You now have a working Keycloak instance.

Atlassian Support can't provide assistance with configuring third-party tools like Keycloak. If you have questions, check the Keycloak documentation, ask the Atlassian Community, or get help from a Solution Partner.

Next, retrieve the identity provider metadata from the Keycloak instance, which the Atlassian SAML app needs, by clicking "SAML 2.0 identity provider metadata" (under Realm Settings > General > Endpoints).

The resulting page, http://127.0.0.1:8080/auth/realms/master/protocol/saml/descriptor, contains the entityID, the X509Certificate and the SingleSignOnService Location. The X509Certificate is what the Atlassian app will use to verify assertion signatures, so copy it over a trusted channel (here loopback) and compare it with the certificate shown under Realm Settings > Keys; only a KeyDescriptor marked use="signing" is suitable.

Use these values to update the SAML configuration in the Atlassian product: entityID becomes the Identity provider entity ID, Location becomes the Identity provider single sign-on URL, and X509Certificate becomes the X.509 certificate.

Then record the Entity ID and the Assertion Consumer Service URL shown on the Confluence side of the SAML page; these are entered on the client side in Keycloak.

At this point, also create the user (user1) in the Atlassian product. The user can come from any directory and can even be provisioned on first login. The username Keycloak sends in the assertion (the NameID, by default) must match the Atlassian username exactly, otherwise the login is rejected.

On the Keycloak side, create a new client, entering the Atlassian Entity ID as the Client ID and selecting SAML as the Client Protocol.

After saving, review every setting on the client page and verify that Valid Redirect URIs and Master SAML Processing URL both match the Assertion Consumer Service URL from the Atlassian SAML page. Use the exact URL rather than a wildcard: Valid Redirect URIs is the list of endpoints Keycloak is willing to post a signed assertion to, so a wildcard entry lets a crafted request deliver user1's assertion to any URL that matches it.
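The two copy-and-paste steps above (metadata from Keycloak into the Atlassian app, Entity ID and ACS URL from the Atlassian app into a Keycloak client) can be scripted. The following is an added example written for this article; it is not code from Atlassian or from the Keycloak project. It parses a constructed metadata document in the shape Keycloak serves at /auth/realms/<realm>/protocol/saml/descriptor (the certificate body is a placeholder, not a real key), returns the three values the Atlassian SAML page needs plus a SHA-256 fingerprint of the certificate for comparison with Realm Settings > Keys, and builds a Keycloak client JSON with the redirect URI pinned to the exact ACS URL. The Keycloak attribute names (redirectUris, adminUrl, saml_assertion_consumer_url_post, saml.assertion.signature, saml_name_id_format) are assumed to match the Keycloak ClientRepresentation; the Atlassian Entity ID and ACS URL used in the usage call are assumed values, not taken from the article.

```python
# Added example: mirror the manual Keycloak <-> Atlassian SAML copy steps.
import base64
import hashlib
import json
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree where available

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of Keycloak's descriptor; the certificate is fake.
SAMPLE_IDP_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="http://127.0.0.1:8080/auth/realms/master">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIIBfakeCERTIFICATEbodyFORtheEXAMPLE0123456789abcdef</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://127.0.0.1:8080/auth/realms/master/protocol/saml"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://127.0.0.1:8080/auth/realms/master/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def extract_idp_settings(metadata_xml: str, binding: str = HTTP_POST) -> dict:
    """Pull entityID, SSO URL and the signing certificate out of IdP metadata."""
    root = ET.fromstring(metadata_xml)
    entity = root if root.tag == f"{{{NS['md']}}}EntityDescriptor" else root.find(".//md:EntityDescriptor", NS)
    if entity is None:
        raise ValueError("no EntityDescriptor in metadata")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    sso = next((s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                if s.get("Binding") == binding), None)
    if sso is None:
        raise ValueError(f"no SingleSignOnService for binding {binding}")
    # Only a signing key (use="signing", or no use attribute meaning both) may be
    # configured as the certificate the SP verifies assertions with.
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert_b64 = "".join(node.text.split())
                break
    if cert_b64 is None:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode(cert_b64, validate=True)  # rejects non-base64 junk
    fp = hashlib.sha256(der).hexdigest().upper()
    return {
        "idp_entity_id": entity.get("entityID"),          # Identity provider entity ID
        "idp_sso_url": sso,                               # Identity provider single sign-on URL
        "idp_certificate": cert_b64,                      # X.509 certificate
        "idp_certificate_sha256": ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)),
    }


def keycloak_saml_client(sp_entity_id: str, acs_url: str) -> dict:
    """Keycloak client representation for the Atlassian SP (attribute names assumed)."""
    if not acs_url.startswith(("https://", "http://localhost", "http://127.0.0.1")):
        raise ValueError("ACS URL must use https outside of local testing")
    return {
        "clientId": sp_entity_id,        # must equal the Atlassian Entity ID
        "protocol": "saml",
        "enabled": True,
        "redirectUris": [acs_url],       # exact ACS URL: Valid Redirect URIs, no wildcard
        "adminUrl": acs_url,             # Master SAML Processing URL
        "attributes": {
            "saml_assertion_consumer_url_post": acs_url,
            "saml.assertion.signature": "true",  # sign assertions so the SP can verify them
            "saml_name_id_format": "username",   # NameID = username, which Atlassian matches on
        },
    }


if __name__ == "__main__":
    # Assumed Atlassian values for a local Confluence at http://localhost:6747/c747.
    print(json.dumps(extract_idp_settings(SAMPLE_IDP_METADATA), indent=2))
    print(json.dumps(keycloak_saml_client("http://localhost:6747/c747",
                                          "http://localhost:6747/c747/plugins/servlet/samlconsumer"), indent=2))
```

Against a live instance, feed extract_idp_settings the body of the descriptor URL and check that the printed fingerprint matches the certificate under Realm Settings > Keys before pasting it into the Atlassian app; the resulting client JSON can be imported through Clients > Create > Import in the Keycloak console. The https check deliberately admits only localhost and 127.0.0.1 over plain http, matching the loopback setup this article uses.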

After saving the configuration, test the login at http://localhost:6747/c747/plugins/servlet/external-login.

If you receive an error message after logging in, check that the user exists in the Atlassian application, that its username matches the one in the assertion, and that it has permission to view the content.

If that does not help, inspect the logs of the affected Atlassian product for the exact error.




Last modified on Mar 23, 2021
