Using multiple identity providers
You can configure multiple identity providers (IdPs) in SAML and OpenID Connect configuration for Atlassian Data Center products such as Jira and Bitbucket.
By default, your Atlassian product offers a standard username/password login form. In Jira and Bitbucket, you can also provide your users with a single sign-on (SSO) authentication. You can decide which authentication methods will be available to your users. You can mix the default login form with multiple SSO methods.
If one SSO authentication method is configured, your users will be redirected to that method for authentication. Once you enable more than one authentication method, users will see a login page with different login options.
Before you begin
Using multiple identity providers is a native feature in:
Jira 8.16 or later
Bitbucket 7.12 or later
- Bamboo 8.1 or later
- Confluence 7.16 or later
If you use earlier versions of these products, you can still get this feature by installing the SSO for Atlassian Data Center app from Atlassian Marketplace or upgrading the bundled version. Make sure your product and version are listed as supported.
You must be an admin to add new IdPs and modify existing ones.
Be aware that when working with multiple IdPs you can run into username conflicts - a situation where the same username (not necessarily the same person) exists in more than one IdP. To avoid this, make sure that your usernames are unique across the IdPs you work with.
For security reasons, it’s recommended to keep no more than 5 IdP login options, especially on public instances.
To add a new login method
Go to administration options for your product:
In Jira, select Administration
> System > Authentication methods (in earlier versions named SSO 2.0).- In Bitbucket, select Administration > Accounts > Authentication methods (in earlier versions named SSO 2.0).
Select Add configuration.
Give your configuration a meaningful name and select the authentication method from the menu.
Complete the configuration form.
For a detailed description of different fields, see:For OpenID Connect, Setting up OpenID Connect single sign-on.
For SAML single sign-on, SAML single sign-on for Atlassian Data Center applications
Select Save configuration.
The new authentication method is now available to users in your environment.(Optional) Test your configuration.
Next to the login option you just added, right-click Actions > Test sign-in and open in a private browser window. Note that the login method must be enabled.
Log in with your account, using the authentication method you are testing.
You are successfully logged in to the product.
Once you've added a single sign-on configuration method to your environment, we advise you to disable the basic authentication option, which is less secure. See Disabling basic authentication.
To disable a login method
Go to administration options for your product:
- In Jira, select Administration > System > Authentication methods (in earlier versions named SSO 2.0).
- In Bitbucket, select Administration > Accounts > Authentication methods (in earlier versions named SSO 2.0).
- In Jira, select Administration
Next to the login option, you want to disable and toggle off the Enabled option.
The selected login method is disabled. Users won’t see it on the login page and won’t be able to authenticate with it even if they use the direct URL to the IdP login page.
To remove a login method
Go to administration options for your product:
- In Jira, select Administration > System > Authentication methods (in earlier versions named SSO 2.0).
- In Bitbucket, select Administration > Accounts > Authentication methods (in earlier versions named SSO 2.0).
- In Jira, select Administration
Next to the login option you want to remove, select Actions > Delete.
The selected login method is disabled and removed from the list of available authentication methods.