• Type: Suggestion
    • Resolution: Fixed

      Atlassian Cloud SAML single sign-on

      SAML single sign-on is available as part of Identity Manager. More information about Identity Manager.
       
      Read up on how to configure SAML single sign-on for our Cloud products.
       
      Thanks for all of your feedback and discussion on this ticket. We'll continue to monitor and respond to it, as well as take on board your requests for future enhancements.
       
      We receive a lot of requests for new features and improvements, so if you'd like to better understand how we make roadmap decisions, please read: https://confluence.atlassian.com/display/DEV/Implementation+of+New+Features+Policy


            [ID-80] Support SAML integration with Cloud apps

            Gabriel Muller (Inactive) added a comment -

            Hi all,

            Atlassian added the documentation Configure SAML single sign-on with Active Directory Federation Services (AD FS) with instructions to integrate with ADFS and the page SAML single sign-on has been updated.

            Gabriel
            Atlassian Support

            Michael Adam added a comment - - edited

            I have SSO working with AD FS 2.0

            Hopefully these updated screenshots will help - it looks like things have changed since the post in Dec 2016.

            Enter on Atlassian side

            Identity provider Entity ID:

            http://adfs-server.domain.com/adfs/services/trust

            Identity provider SSO URL:

            https://adfs-server.domain.com/adfs/ls/

            Public x509 certificate:

            Export your Token-signing certificate as base 64 (how to get from AD FS 2.0 console: AD FS 2.0 -> Service -> Certificates)

             

            Enter on AD FS 2.0 side

            There are only 2 tabs that you need to populate with information - Identifiers and Endpoints but I've included screenshots for everything.

             

            Edit: looks like I can't upload new screenshots.

            In short, I used these values:

            Identifiers tab:

            Relying party identifier: SP Entity ID from sso config page on admin.atlassian.com

            (eg: https://auth.atlassian.com/saml/hex-string)

             

            Endpoints Tab: SAML Assertion Consumer Endpoint: SP Assertion Consumer Service URL from sso config page on admin.atlassian.com (eg: https://auth.atlassian.com/login/callback?connection=saml-hex-string)

             

            Advanced Tab: [default - SHA-256]

             

            Don't forget about the claims rules (see screenshot from Dec 2016 post)

            Claim rules are the same as the earlier post:

            Saiful Islam added a comment -

            Ra maader cood kankemaager pola R a

            mchyzer2 added a comment -

            Once you register a domain for SSO, any user who self identifies (or has self identified) their email address as having that domain (exact domain, not subdomain), is now in your access management / SSO cohort...

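Added example, not part of the original thread and not Atlassian code: a pre-claim audit of which accounts an exact-domain match (as described in the comment above) would pull into the SSO cohort, split by whether they belong to a site you actually run. The account export format, field names, `example.edu` addresses and site names are constructed assumptions.

```python
from collections import namedtuple

# Constructed sample export: (email, sites the account belongs to). Not real data.
Account = namedtuple("Account", "email sites")
SAMPLE_ACCOUNTS = [
    Account("alice@example.edu", {"central-it"}),
    Account("Bob@Example.EDU ", {"central-it", "dev"}),   # case and stray whitespace
    Account("carol@example.edu", {"business-school"}),    # another department's site
    Account("dave@example.edu", set()),                   # e.g. alumni, no site of ours
    Account("erin@cs.example.edu", {"cs-course"}),        # subdomain: not claimed
    Account("frank@notexample.edu", {"other"}),           # lookalike suffix: not claimed
    Account("malformed-address", {"central-it"}),         # no domain part at all
]


def email_domain(email):
    """Return the lower-cased domain of an address, or None if it has none."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def sso_cohort(accounts, claimed_domain, our_sites):
    """Split accounts captured by an exact-domain claim into in-site and outside."""
    claimed = claimed_domain.lower().rstrip(".")
    in_site, outside = [], []
    for acct in accounts:
        # Exact comparison only: a suffix test would wrongly match
        # "notexample.edu" and would also sweep in subdomains.
        if email_domain(acct.email) != claimed:
            continue
        bucket = in_site if acct.sites & our_sites else outside
        bucket.append(acct.email.strip().lower())
    return {"in_site": sorted(in_site), "outside": sorted(outside)}


if __name__ == "__main__":
    report = sso_cohort(SAMPLE_ACCOUNTS, "example.edu", {"central-it", "dev"})
    print("managed and in our sites:", report["in_site"])
    print("managed but outside our sites:", report["outside"])
```

The `outside` list is the group the commenters are concerned about: accounts that become managed by the domain claim without being members of any site the claiming team operates.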

            Eleanor Hart added a comment -

            We are also a higher ed org and have the same problem with Atlassian Access. We are hopeful that in the future there will be a way to identify just those sites that we'd like included in our Atlassian Access subscription. It seems like a number of students in our computer science courses use Atlassian cloud products, which is great! I'm all for sending students off into the workplace knowing how to navigate a Jira project. But the University IT department doesn't want to pay for SSO for them, only for our centrally supported site and our dev site.

            Someone from Atlassian called us to discuss this issue, which helped us understand it, but she hasn't responded to my emails since. I would be more than happy to discuss this higher ed use case further as it is a major blocker for our implementation of Jira Service Desk.

            Niall Hannon added a comment -

            Is there an option to only bring in certain domain users, like from a certain OU, or any way to filter for only a certain set of domain users?

            Like you, we have over 600 staff but only a small set use Jira.

            mchyzer2 added a comment -

            This issue is closed as "won't fix", so you can't vote for it

            https://jira.atlassian.com/browse/ACCESS-37

            mchyzer2 added a comment -

            Yes! Ridiculous, right?? I registered @upenn.edu. Single sign on worked. I don't like that I have to pay for 600 users to SSO, but whatever. Then I got a notification from our business school. "Why are half of our users now mysteriously using SSO??" Uh... anyone with @upenn.edu is now SSO. That's ok too, perhaps a feature, except that now we own those accounts and have some control over them. But then they are on our IAM bill paying per month per user even though they aren't in our Jira/Confluence cloud site. And other alumni who are in random sites are now SSO and we pay for it. That's another 600 users right now, and will grow (uncontrolled by us). Can we charge the other departments back? No, they didn't ask for it. Should we have to pay? No. So now we can either turn off SSO, which we don't want to do. Or go back to on prem and save 30k per year and have more user licenses (cloud doesn't have edu discount). Twist my arm...

            Niall Hannon added a comment -

            Hi Chris\Eleanor,

            Can you just explain what you mean by "Now users who use our domain in their email are on our bill"?

            So if you set up SSO and add your domain it charges you for all your domain users and not just the ones that actually have a login for JIRA\Jira Service Desk etc?

            Thanks

            Niall

            Eleanor Hart added a comment -

            The issue that Chris identified is one of our primary concerns with Atlassian Access. Until this issue is resolved we won't be able to use it because we won't be able to control our bill at all. Pretty please resolve this billing issue! It's embarrassing to have a Help Center that's not behind SSO for the department that brings our larger organization SSO.

              Unassigned
              Dobroslawa Wierzbicka (Inactive)
              Votes: 473
              Watchers: 380

                Created:
                Updated:
                Resolved: