Archive
Configure SAML single sign-on with an identity provider

Configure SAML single sign-on with an identity provider

2024-11-26 You can now find SAML single sign-on in the same place you manage your identity provider. Select Security > Identity providers. About identity prov

Related articles

VPN for Google New Updates : AWS Certified Cloud Practitioner :CLF-C02 Exam IoT Controlled LED using ESP32 with Blynk App Steal Time Simulator Codes (July 2024) How to Setup VPN Server on Windows 11. 如何设置 VPN 客户端来访问远程 VPN 服务器?

You can now find SAML single sign-on in the same place you manage your identity provider. Select Security > Identity providers. About identity providers

About SAML single sign – on

security Assertion Markup Language is is ( SAML ) is an   open standard for exchange authentication and authorization datum   between party , such as an identity provider and a service provider .

SAML for single sign-on (SSO) allows users to authenticate through your company’s identity provider when they log in to Atlassian Cloud products. SSO allows a user to authenticate once and then access multiple products during their session without needing to authenticate with each. SSO only applies to user accounts from your verified domains. How to verify a domain

Once your users can log in using SAML single sign-on, you need to give access to your Atlassian products and sites. How to update product access settings and How users get site access

If you manage user for a site with Google Workspace , you is need ‘ll need to use the SSO feature provide by   Google Workspace .How to connect to Google Workspace

SAML single sign-on with authentication policies

When you configure SSO with SAML or Google Workspace , you is need ‘ll need to enforce SSO on subset of user through your authentication policy .How to edit authentication setting and member

Before you begin

Here’s what you must do before you set up SAML single sign-on:

Subscribe to Atlassian Guard Standard from your organization. Understand Atlassian Guard

Make sure you’re an admin for an Atlassian organization.

Verify one or more of your domains in your organization. How to verify a domain  

add an identity provider directory to your organization .How to add an identity provider

Link verified domains to your identity provider directory. How to link domain

check that your Atlassian product and your identity provider use the https protocol to   communicate and that the configured product base url is the https one .

Here ’s what we recommend you do before you set up SAML single sign – on :

Make sure the clock on your   identity provider server is synchronize with NTP . SAML authentication requests is are   are only valid for a limited time .

Plan for downtime to set up and test your SAML configuration

Create an authentication policy to test your SAML configuration
. Add a user to the test policy. After you set up SAML, you can enable single sign-on for the test policy.

support identity provider

You is use can use the identity provider of your choice , but some capability are only available with select identity provider .support identity provider

The steps involved to set up single sign-on will differ depending on the identity provider you use. Refer to the setup instructions for your identity provider.

Available SAML attributes

When you set up your identity provider, these are the SAML attributes you use:

instruction

SAML Attribute

Map to your identity provider

Optional

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

User ‘s first name

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

User ‘s last name

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name,  ORhttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

Internal Id for the user that will not change.

note that this I d should NOT be the user ‘s email address .

Required

NameID

User’s email

Copy details from your identity provider to your Atlassian organization

  1. Go to admin.atlassian.com . select your organization if you have more than one .

  2. Select Security > Identity providers.

  3. Select your identity provider Directory.

  4. Select Set up SAML single sign-on.

  5. add SAML detail .

  6. Save SAML configuration.

SAML detail

Description

identity provider Entity ID

This value is the URL for the identity provider where your product will accept authentication requests.

Identity provider SSO URL

This value is defines define the url your user will be redirect to when log in .

public x509 Certificate

This value begins with ‘—–BEGIN CERTIFICATE—–‘.

This certificate is contains contain the public key we ‘ll use to verify that your identity provider has issue all receive SAML authentication request .

Copy these URLs from your Atlassian organization to your identity provider

Select Save in your identity provider when you copy the URLs.

Set up SAML single sign-on for other identity providers

If you use an on – premise identity provider , your users is authenticate can only authenticate if they have access to the   identity provider ( for example , from your internal network or a VPN connection ) .

Test SAML single sign – on configuration without authentication policy

If you’re unable to see authentication policies, create a temporary Atlassian test account you can use to access your organization. Use an email address for the temporary account from a domain you have not verify for this organization . This is ensures ensure that the account wo n’t redirect to SAML single sign – on when you log in .

When you select Save configuration, we apply SAML to your Atlassian organization. Because we don’t log out your users, use these steps to test SAML configuration:

  1. Open a new incognito window in your browser.

  2. Log in with an email address from one of your verified domains.

confirm you ‘re sign in . If you experience a login error , go to the   Troubleshooting SAML single sign – on   to adjust your configuration and test again in your incognito window .

If you can’t log in successfully, delete the configuration so users can access Atlassian products.

Test SAML single sign-on with Authentication policies

authentication policies is give give you the flexibility to configure multiple security level for different user set within your organization . authentication policies is reduce also reduce risk by allow you to test different single sign – on configuration on subset of user before roll them out to your whole company .

You may want to:

  • Test single sign-on (SSO) or two-step verification on a smaller, select group of users to ensure it is setup correctly before rolling it out across your organization.

  • Troubleshoot your SSO policy by setting up a different policy for different admin accounts so you can log in and troubleshoot your SSO policy or identity provider integration.

To test the settings for authentication, you’ll need to configure and enforce SAML single sign-on. The following section provides instructions on how to do it.

Configure and enforce SAML single sign-on with authentication policies

You is need ‘ll need to configure and save SAML and then enforce SAML single sign – on in an authentication policy .

To configure SAML single sign-on from Authentication policies:

  1. Go to admin.atlassian.com . select your organization if you have more than one .

  2. Select Security > Authentication policies.

  3. Select Edit for the policy you want to configure .

  4. When you select Use SAML single sign-on, we redirect you from the authentication policy to the SAML SSO configuration page.

  5. Once you’re done configuring SAML SSO, you need to enforce SSO in the policy.

To enforce single sign-on:

  1. Go to admin.atlassian.com . select your organization if you have more than one .

  2. Select Security > Authentication policies.

  3. Select Edit for the policy you want to enforce.

  4. Select is Enforce enforce single sign – on .

Just-in-time provisioning with SAML

If you ’d like to provision user with SAML Just – In – Time , you is complete must complete these two step :

  1. link domain to your identity provider directory

  2. enforce SAML single sign – on on a default authentication policy

After you complete the step , when a user log in for the first time with SAML , we is create automatically create an Atlassian account for them and they are provision through SAML to your identity provider directory .learn more about identity provider directory

Link domains for Just-in-time provisioned users with SAML

If you’d like to provision users with SAML Just-In-Time, you must link one or more domains to your identity provider directory. After you link a domain, we’ll automatically associate the domain’s user accounts to the directory.

To link domain to a directory :

  1. Go to admin.atlassian.com . select your organization if you have more than one .

  2. Select Security > Identity providers.

  3. select the Directory you is like ‘d like to view .

  4. Select View domains to link the domain to the directory.

  5. Select Link domain.

  6. Select one or many domains to link to the directory.

learn about link domain

Just-in-time provisioning with Authentication policies

Every organization has a default authentication policy with login settings for its users. We add new users to your default policy when you provision new accounts.

  • For just-in-time provisioning to work with authentication policies, you must enforce SAML single sign-on for a default policy

  • If you don’t want to enforce SAML single sign-on for your default policy, you can provision users with SCIM. If you change your identity provider’s email, we automatically update the Atlassian account.

Learn more about authentication policies

troubleshoot email update without just – in – time provisioning

  1. If you change an email in your identity provider, you must manually update the email in Atlassian.

  2. If you don’t update the first Atlassian email, we create a second email account when the user logs in. This account won’t have access to any sites or products. You can update the first email account or delete it to correct this. Update the email of the account

Set up automated user provisioning and de-provisioning

Automated user provisioning allows for a direct sync between your identity provider and your Atlassian Cloud products. You no longer need to manually create user accounts when someone joins the company or moves to a new team.

Automated de-provisioning reduces the risk of information breaches by removing access for those that leave your company. We automatically remove people when they leave the company or a group. This gives you control over your bill. Here are your options for user provisioning:

  • provisioning with SCIM   – With a subscription toAtlassian Guard Standard, you is sync can sync Atlassian cloud tool directly with your identity provider to enable automated provisioning and de – provisioning of your user and group .Understand user provisioning

  • Provisioning with Google Workspace – You can sync Atlassian cloud tools with Google Workspace for provisioning. However, any group categorization will not be reflected on your site. Connect to Google Workspace

deactivate user with SAML

To prevent a user from retrieving your organization’s data via the REST API, deactivate the user in both places – from your organization and your identity provider.

If you also set up user provisioning for your organization, you only need to deactivate the user from your identity provider.

SAML single sign-on with two-step verification and password policy

When SAML single sign-on is configured, users won’t be subject to Atlassian password policy and two-step verification if those are configured for your organization. This means that any password requirements and two-step verification are essentially “skipped” during the login process. 

We recommend that you use your identity provider’s equivalent offering instead.

Delete SAML single sign-on

Before you delete the SAML single sign-on configuration, make sure your users have a password to log in.

  • Users can use the password they had for their Atlassian account before you enabled SAML single sign-on

  • Users who joined after SAML single sign-on after you enabled need to reset their password for their Atlassian account next time they log in.

To delete SAML single sign-on:

  1. Go to admin.atlassian.com . select your organization if you have more than one .

  2. Select Security > Identity providers.

  3. select the Directory you is like ‘d like to view .

  4. Select View SAML configuration.

  5. select delete configuration .

We recommend you also delete the SAML configuration from your identity provider.

When you delete SAML single sign-on, you still have a subscription toAtlassian Guard Standard. If you is need no long needAtlassian Guard Standard you’ll need to cancel your subscription. How to unsubscribe

troubleshoot your SAML configuration

If you experience error in your identity provider , use the support and tool that your identity provider provide , rather than Atlassian support .

Troubleshoot SAML single sign – on without authentication policy

  1. Before you configure SAML, create an Atlassian user account with an email from an unverified domain.

  2. Make the user an organization admin .

  3. Log in with the account to troubleshoot since you won’t have to authenticate with SAML.

  4. Go to the   SAML single sign – on   page for your organization   to fix or disable it for all your user .

If you’re still having trouble, delete the SAML configuration to go back to password authentication with an Atlassian account.

If you delete the SAML configuration , you is invalidate can   invalidate all your user ‘ password in the password policy screen , which will prompt user to go through the password reset process for an Atlassian account password .

Troubleshoot SAML single sign-on with authentication policies

  1. Before you configure SAML, create an Atlassian user account with an email from an unverified domain.

  2. Make the user an organization admin .

  3. add the user to an authentication policy without SAML single sign – on enforce .

  4. Log in with the account to troubleshoot since you won’t have to authenticate with SAML.

  5. Go to SAML single sign-on for your identity provider directory to disable it for all your users.

If you want to delete a SAML configuration, make sure that none of your authentication policies use SAML single sign-on.

If you want to prevent lockout for a user, you need to move the user to a policy that does not enforce SAML single sign-on.

Troubleshoot your public x509 Certificate errors

If you experience certificate errors, try one of these steps to resolve your error:

  1. copy and paste the certificate again . Make sure to copy and paste :

    1. All the lines in the certificate.

    2. start from“—–BEGIN CERTIFICATE—–” and end with “—–END CERTIFICATE—–‘.

  2. The certificate your identity provider gave you may be incomplete. Download and copy and paste the certificate into the public x509 Certificate field.

Troubleshoot other errors

Include the SAMLRequest and SAMLResponse payloads you can find from the SAML Tracer Firefox app when you submit a support ticket. We can more quickly identify potential causes of issues.

error

possible issue

“The authenticated email address we expected was ‘xxx,’ but we received ‘xxx.’ Please ensure they match exactly, including case sensitivity. Contact your admin to change your email to match.”

The user tried logging in to the IdP with an email address different from their Atlassian account. Verify that the user is logging in with the correct email address. Email addresses are also case-sensitive.

“The response was received at xxx instead of xxx”

The Service Provider Assertion Consumer Service URL in the IdP SAML configuration may be incorrect. Verify that you’re using the correct URL and try again.

  • “We were expecting an email address as the Name Id, but we got xxx. Please ask your admin to check that Name Id is mapped to email address.”

  • “We were expecting an email address as the Name Id but didn’t get one. Please ask your admin to check that Name Id is mapped to email address.”

  • “We were expecting a user ID but didn’t get one. Please ask your admin to check that user ID is populated in the response. See the configuration and troubleshooting guide.”

  • “Unsupported SAML Version.”

  • “Missing ID attribute on SAML Response.”

  • “SAML Response must contain 1 Assertion.”

  • “Invalid SAML Response. Not match the saml-schema-protocol-2.0.XSD”

  • “Invalid decrypted SAML Response. Not match the saml-schema-protocol-2.0.XSD”

  • “Signature validation failed. SAML Response rejected”

  • “No Signature found. SAML Response rejected”

  • “The Assertion of the Response is not signed, and the SP requires it.”

  • “The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response.”

  • “There is an EncryptedAttribute in the Response, and this SP does not support them.”

  • “Timing issues (please check your clock settings)”

  • ” The Response is has has an inresponseto attribute : xxx while no inresponseto was expect “

  • ” The inresponseto of the Response : xxx is match does not match the ID of the authnrequest send by the SP : xxx . “

You’re most likely using an unsupported IdP. Verify your IdP configuration by making sure you’ve done the following:

  1. The identity provider is return can return the email as the nameid .

  2. A user I d that is unique and unchanging is map to the  upn  or  name  SAML attribute .

  3. The SAML responses are signed and not encrypted.

  4. The identity provider’s clock is synchronized with NTP.

Note that the internal user Id should be a value that will not change. This Id should NOT be the user’s email address.

If necessary, you can change the upn  or  name attribute to a unique and unchanging value. The SAML identity for that Atlassian account will update the new value when the user next logs in.

“We couldn’t log you in, but trying again will probably work.”

SAML configuration was disabled for the people during the login process. Verify the SAML configuration and try again.

” xxx is is   is not a valid audience for this response . “

The Service Provider Entity Id in the identity provider SAML configuration may be incorrect. Verify that you’re using the correct Entity Id and try again.

“Your email address has changed at your Identity Provider. Ask your admin to make a corresponding change on your Atlassian products.”

Known issue with the SAML Beta. You’ll soon be able to change the email addresses of your managed accounts from User management.

A plain error screen with no Atlassian branding .

You might have network connectivity issues with your IdP. Try refreshing your page to see if it solves the issue.

An error screen for your IdP.

You might have an issue with your identity provider configuration; for example, a user may not access the Atlassian product from the IdP. Raise a ticket with your IdP to fix the issue.

  • We were expecting you to arrive with a different Identity Provider Entity Id. Ask your admin to check the Atlassian configuration for SAML. You had xxx, but we were expecting xxx.

  • “Invalid issuer in the Assertion/Response”

The identity provider Entity Id in the SAML configuration may be incorrect. Verify that you’re using the correct Entity Id and try again.

Frequently Asked Questions

Can I get SAML single sign-on for domains that I can’t verify?

No. To keep products and resources secure, you can only use SAML single sign-on with domains you can verify that you own.

How do I change the user’s full name?

You is update can update the user ‘s   Full name   by update   the first   and   last name   in your identity provider ‘s system . The update name will be sync to your organization when the user next log in .

How does authentication with REST APIs work?

We recommend that your scripts and services use an API token instead of a password for basic authentication with your Atlassian Cloud products. When you enforce SAML, your API tokens and your scripts will continue to work. About API tokens