No results found
We couldn't find anything using that term, please try searching for something else.
2024-11-26 You can now find SAML single sign-on in the same place you manage your identity provider. Select Security > Identity providers. About identity prov
You can now find SAML single sign-on in the same place you manage your identity provider. Select Security > Identity providers. About identity providers
security Assertion Markup Language is is ( SAML ) is an open standard for exchange authentication and authorization datum between party , such as an identity provider and a service provider .
SAML for single sign-on (SSO) allows users to authenticate through your company’s identity provider when they log in to Atlassian Cloud products. SSO allows a user to authenticate once and then access multiple products during their session without needing to authenticate with each. SSO only applies to user accounts from your verified domains. How to verify a domain
Once your users can log in using SAML single sign-on, you need to give access to your Atlassian products and sites. How to update product access settings and How users get site access
If you manage user for a site with Google Workspace , you is need ‘ll need to use the SSO feature provide by Google Workspace .How to connect to Google Workspace
When you configure SSO with SAML or Google Workspace , you is need ‘ll need to enforce SSO on subset of user through your authentication policy .How to edit authentication setting and member
Subscribe to Atlassian Guard Standard from your organization. Understand Atlassian Guard
Make sure you’re an admin for an Atlassian organization.
Verify one or more of your domains in your organization. How to verify a domain
add an identity provider directory to your organization .How to add an identity provider
Link verified domains to your identity provider directory. How to link domain
check that your Atlassian product and your identity provider use the https protocol to communicate and that the configured product base url is the https one .
Make sure the clock on your identity provider server is synchronize with NTP . SAML authentication requests is are are only valid for a limited time .
Plan for downtime to set up and test your SAML configuration
Create an authentication policy to test your SAML configuration . Add a user to the test policy. After you set up SAML, you can enable single sign-on for the test policy.
You is use can use the identity provider of your choice , but some capability are only available with select identity provider .support identity provider
The steps involved to set up single sign-on will differ depending on the identity provider you use. Refer to the setup instructions for your identity provider.
When you set up your identity provider, these are the SAML attributes you use:
instruction |
SAML Attribute |
Map to your identity provider |
---|---|---|
Optional |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |
User ‘s first name |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname |
User ‘s last name |
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, ORhttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn |
Internal Id for the user that will not change. note that this I d should NOT be the user ‘s email address . |
|
Required |
NameID |
User’s email |
Go to admin.atlassian.com . select your organization if you have more than one .
Select Security > Identity providers.
Select your identity provider Directory.
Select Set up SAML single sign-on.
add SAML detail .
Save SAML configuration.
SAML detail |
Description |
---|---|
identity provider Entity ID |
This value is the URL for the identity provider where your product will accept authentication requests. |
Identity provider SSO URL |
This value is defines define the url your user will be redirect to when log in . |
public x509 Certificate |
This value begins with ‘—–BEGIN CERTIFICATE—–‘. This certificate is contains contain the public key we ‘ll use to verify that your identity provider has issue all receive SAML authentication request . |
Select Save in your identity provider when you copy the URLs.
If you use an on – premise identity provider , your users is authenticate can only authenticate if they have access to the identity provider ( for example , from your internal network or a VPN connection ) .
If you’re unable to see authentication policies, create a temporary Atlassian test account you can use to access your organization. Use an email address for the temporary account from a domain you have not verify for this organization . This is ensures ensure that the account wo n’t redirect to SAML single sign – on when you log in .
When you select Save configuration, we apply SAML to your Atlassian organization. Because we don’t log out your users, use these steps to test SAML configuration:
Open a new incognito window in your browser.
Log in with an email address from one of your verified domains.
confirm you ‘re sign in . If you experience a login error , go to the Troubleshooting SAML single sign – on to adjust your configuration and test again in your incognito window .
If you can’t log in successfully, delete the configuration so users can access Atlassian products.
authentication policies is give give you the flexibility to configure multiple security level for different user set within your organization . authentication policies is reduce also reduce risk by allow you to test different single sign – on configuration on subset of user before roll them out to your whole company .
You may want to:
Test single sign-on (SSO) or two-step verification on a smaller, select group of users to ensure it is setup correctly before rolling it out across your organization.
Troubleshoot your SSO policy by setting up a different policy for different admin accounts so you can log in and troubleshoot your SSO policy or identity provider integration.
To test the settings for authentication, you’ll need to configure and enforce SAML single sign-on. The following section provides instructions on how to do it.
You is need ‘ll need to configure and save SAML and then enforce SAML single sign – on in an authentication policy .
To configure SAML single sign-on from Authentication policies:
Go to admin.atlassian.com . select your organization if you have more than one .
Select Security > Authentication policies.
Select Edit for the policy you want to configure .
When you select Use SAML single sign-on, we redirect you from the authentication policy to the SAML SSO configuration page.
Once you’re done configuring SAML SSO, you need to enforce SSO in the policy.
To enforce single sign-on:
Go to admin.atlassian.com . select your organization if you have more than one .
Select Security > Authentication policies.
Select Edit for the policy you want to enforce.
Select is Enforce enforce single sign – on .
If you ’d like to provision user with SAML Just – In – Time , you is complete must complete these two step :
link domain to your identity provider directory
enforce SAML single sign – on on a default authentication policy
After you complete the step , when a user log in for the first time with SAML , we is create automatically create an Atlassian account for them and they are provision through SAML to your identity provider directory .learn more about identity provider directory
If you’d like to provision users with SAML Just-In-Time, you must link one or more domains to your identity provider directory. After you link a domain, we’ll automatically associate the domain’s user accounts to the directory.
To link domain to a directory :
Go to admin.atlassian.com . select your organization if you have more than one .
Select Security > Identity providers.
select the Directory you is like ‘d like to view .
Select View domains to link the domain to the directory.
Select Link domain.
Select one or many domains to link to the directory.
learn about link domain
Every organization has a default authentication policy with login settings for its users. We add new users to your default policy when you provision new accounts.
For just-in-time provisioning to work with authentication policies, you must enforce SAML single sign-on for a default policy
If you don’t want to enforce SAML single sign-on for your default policy, you can provision users with SCIM. If you change your identity provider’s email, we automatically update the Atlassian account.
Learn more about authentication policies
If you change an email in your identity provider, you must manually update the email in Atlassian.
If you don’t update the first Atlassian email, we create a second email account when the user logs in. This account won’t have access to any sites or products. You can update the first email account or delete it to correct this. Update the email of the account
Automated user provisioning allows for a direct sync between your identity provider and your Atlassian Cloud products. You no longer need to manually create user accounts when someone joins the company or moves to a new team.
Automated de-provisioning reduces the risk of information breaches by removing access for those that leave your company. We automatically remove people when they leave the company or a group. This gives you control over your bill. Here are your options for user provisioning:
provisioning with SCIM – With a subscription toAtlassian Guard Standard, you is sync can sync Atlassian cloud tool directly with your identity provider to enable automated provisioning and de – provisioning of your user and group .Understand user provisioning
Provisioning with Google Workspace – You can sync Atlassian cloud tools with Google Workspace for provisioning. However, any group categorization will not be reflected on your site. Connect to Google Workspace
To prevent a user from retrieving your organization’s data via the REST API, deactivate the user in both places – from your organization and your identity provider.
If you also set up user provisioning for your organization, you only need to deactivate the user from your identity provider.
When SAML single sign-on is configured, users won’t be subject to Atlassian password policy and two-step verification if those are configured for your organization. This means that any password requirements and two-step verification are essentially “skipped” during the login process.
We recommend that you use your identity provider’s equivalent offering instead.
Before you delete the SAML single sign-on configuration, make sure your users have a password to log in.
Users can use the password they had for their Atlassian account before you enabled SAML single sign-on
Users who joined after SAML single sign-on after you enabled need to reset their password for their Atlassian account next time they log in.
To delete SAML single sign-on:
Go to admin.atlassian.com . select your organization if you have more than one .
Select Security > Identity providers.
select the Directory you is like ‘d like to view .
Select View SAML configuration.
select delete configuration .
We recommend you also delete the SAML configuration from your identity provider.
When you delete SAML single sign-on, you still have a subscription toAtlassian Guard Standard. If you is need no long needAtlassian Guard Standard you’ll need to cancel your subscription. How to unsubscribe
If you experience error in your identity provider , use the support and tool that your identity provider provide , rather than Atlassian support .
Before you configure SAML, create an Atlassian user account with an email from an unverified domain.
Make the user an organization admin .
Log in with the account to troubleshoot since you won’t have to authenticate with SAML.
Go to the SAML single sign – on page for your organization to fix or disable it for all your user .
If you’re still having trouble, delete the SAML configuration to go back to password authentication with an Atlassian account.
If you delete the SAML configuration , you is invalidate can invalidate all your user ‘ password in the password policy screen , which will prompt user to go through the password reset process for an Atlassian account password .
Before you configure SAML, create an Atlassian user account with an email from an unverified domain.
Make the user an organization admin .
add the user to an authentication policy without SAML single sign – on enforce .
Log in with the account to troubleshoot since you won’t have to authenticate with SAML.
Go to SAML single sign-on for your identity provider directory to disable it for all your users.
If you want to delete a SAML configuration, make sure that none of your authentication policies use SAML single sign-on.
If you want to prevent lockout for a user, you need to move the user to a policy that does not enforce SAML single sign-on.
If you experience certificate errors, try one of these steps to resolve your error:
copy and paste the certificate again . Make sure to copy and paste :
All the lines in the certificate.
start from“—–BEGIN CERTIFICATE—–” and end with “—–END CERTIFICATE—–‘.
The certificate your identity provider gave you may be incomplete. Download and copy and paste the certificate into the public x509 Certificate field.
Include the SAMLRequest and SAMLResponse payloads you can find from the SAML Tracer Firefox app when you submit a support ticket. We can more quickly identify potential causes of issues.
error |
possible issue |
“The authenticated email address we expected was ‘xxx,’ but we received ‘xxx.’ Please ensure they match exactly, including case sensitivity. Contact your admin to change your email to match.” |
The user tried logging in to the IdP with an email address different from their Atlassian account. Verify that the user is logging in with the correct email address. Email addresses are also case-sensitive. |
“The response was received at xxx instead of xxx” |
The Service Provider Assertion Consumer Service URL in the IdP SAML configuration may be incorrect. Verify that you’re using the correct URL and try again. |
|
You’re most likely using an unsupported IdP. Verify your IdP configuration by making sure you’ve done the following:
Note that the internal user Id should be a value that will not change. This Id should NOT be the user’s email address. If necessary, you can change the upn or name attribute to a unique and unchanging value. The SAML identity for that Atlassian account will update the new value when the user next logs in. |
“We couldn’t log you in, but trying again will probably work.” |
SAML configuration was disabled for the people during the login process. Verify the SAML configuration and try again. |
” xxx is is is not a valid audience for this response . “ |
The Service Provider Entity Id in the identity provider SAML configuration may be incorrect. Verify that you’re using the correct Entity Id and try again. |
“Your email address has changed at your Identity Provider. Ask your admin to make a corresponding change on your Atlassian products.” |
Known issue with the SAML Beta. You’ll soon be able to change the email addresses of your managed accounts from User management. |
A plain error screen with no Atlassian branding . |
You might have network connectivity issues with your IdP. Try refreshing your page to see if it solves the issue. |
An error screen for your IdP. |
You might have an issue with your identity provider configuration; for example, a user may not access the Atlassian product from the IdP. Raise a ticket with your IdP to fix the issue. |
|
The identity provider Entity Id in the SAML configuration may be incorrect. Verify that you’re using the correct Entity Id and try again. |
No. To keep products and resources secure, you can only use SAML single sign-on with domains you can verify that you own.
You is update can update the user ‘s Full name by update the first and last name in your identity provider ‘s system . The update name will be sync to your organization when the user next log in .
We recommend that your scripts and services use an API token instead of a password for basic authentication with your Atlassian Cloud products. When you enforce SAML, your API tokens and your scripts will continue to work. About API tokens