Atlassian Cloud products help businesses to innovate faster through better collaboration, automation, and intelligent workflows. Teams across your organization can organize, collaborate, and deliver faster.
You can use idemeum to get company-wide visibility, security, and control over your Atlassian Cloud products and give users one-click access to mission-critical apps.
Note: you will need an Atlassian Access subscription in order to set up SAML SSO.
Atlassian and idemeum integration
This configuration guide covers the following sections.
- Single Sign-On (SAML)
- Automated provisioning with SCIM
- Groups and permissions
- SAML login flows
Before you enable SSO for Atlassian, you need to take care of a few prerequisites:
- Verify domain
- Add Atlassian Access subscription
- Collect idemeum SAML metadata values
- Make sure your admin account is from a different domain than the one you will use for SSO. For instance, if you enable SSO for coke.com, make sure your admin account belongs to a different domain; otherwise, if SAML is misconfigured, you will lock yourself out.
To verify the domain, navigate to Directory -> Domains. Instructions on how to verify the domain are below.
To add an Atlassian Access subscription, navigate to your admin portal and access Subscription & Billing -> Manage subscriptions.
You will also need to obtain your idemeum tenant SAML metadata parameters. Here is what you will need:
- Identity Provider Entity ID
- Identity Provider SSO URL
- Identity Provider Public X509 certificate
Instructions for how to obtain your idemeum SAML metadata parameters are below.
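A pre-flight check for the values collected above, as an added example that is not part of idemeum's or Atlassian's own tooling. It assumes the idemeum values are available as a standard SAML 2.0 metadata XML document; the tenant name, the /sso path, and the certificate body in the sample are constructed placeholders, and the function names are hypothetical.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata; tenant, SSO path and certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://example-tenant.idemeum.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBCONSTRUCTEDSAMPLEAAA</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.idemeum.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def read_idp_metadata(xml_text):
    """Return the three values the Atlassian SAML form asks for."""
    # Parse only metadata downloaded from your own tenant over HTTPS.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find("md:SingleSignOnService", NS)
    cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get("Location"),
            "x509": "".join(cert.text.split())}  # strip line breaks and indentation


def preflight(values, admin_email, sso_domain):
    """Return a list of problems to fix before enforcing SSO."""
    problems = []
    if not values["sso_url"].lower().startswith("https://"):
        problems.append("SSO URL is not HTTPS")
    try:
        der = base64.b64decode(values["x509"], validate=True)
        if not der.startswith(b"\x30"):  # a DER certificate starts with a SEQUENCE tag
            problems.append("certificate is not DER")
    except binascii.Error:
        problems.append("certificate is not valid base64")
    # Lockout guard: the admin must not belong to the domain SSO is enforced for.
    if admin_email.rsplit("@", 1)[-1].lower() == sso_domain.lower():
        problems.append("admin account is in the SSO domain (lockout risk)")
    return problems
```

The certificate check is structural only; it catches a truncated paste or leftover PEM header lines, not an expired or wrong certificate.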
Single Sign-On (SAML)
1. Configure SSO in Atlassian Cloud
- Navigate to Atlassian Cloud and open the Administration menu
- Choose the Security section in the top menu and then click SAML Single Sign-On on the left side
- Click Add SAML configuration
- Paste the parameters you obtained in the prerequisites section and click Save configuration.
- The next screen shows configuration values that you will need to paste into idemeum. Copy SP entityID and SP Assertion Consumer Service URL from the SAML configuration screen.
- The last thing you need to do is enforce Single Sign-On on your default policy for Atlassian Access. In the left menu click Authentication policies.
- Click Edit for the default policy (or any policy that you have configured) and enforce SSO.
- Update the configuration and make sure the policy is updated.
2. Configure SSO in idemeum
- Navigate to your idemeum admin portal at https://[your domain].idemeum.com/adminportal
- Click Applications in the left menu
- Search for the Atlassian Cloud application and click Add App
- Click SAML in the top navigation menu
- Choose Manual configuration
- Paste the SP entityID that you obtained from the Atlassian Cloud setup into Audience URI in idemeum
- Paste the SP Assertion Consumer Service URL that you obtained from Atlassian Cloud into Assertion consumer service URL in idemeum
- Enter the following into the relay state: https://[your org name].atlassian.net
- Click Save
Automated provisioning with SCIM
- Access Directory -> User provisioning
- Click Create a directory and, as a first step, give it a name
- Copy the Directory base URL and API key. You will need these parameters to configure provisioning in idemeum.
- Return to the idemeum configuration and add these parameters to the Provisioning section of the Atlassian Cloud app. You will paste the Directory base URL and API key into the form.
- You are all set with SSO and provisioning configuration.
Groups and permissions
You have now configured SAML SSO and SCIM provisioning. Your new employees will be able to access the Atlassian portal, but they will not have access to specific products. You need to give your users access to products, such as Confluence.
For example, to give every newly provisioned user automatic access to Confluence:
- Navigate to Confluence and open the Administration menu
- Go to Site settings -> Product access
- Click Add group
- Choose the group that represents your SCIM directory and make sure that group has access to the Confluence product.
To give every newly provisioned user automatic access to spaces:
- Navigate to the space that you want to give all new users access to
- Click Space settings -> Permission
- Make sure that the group that represents your SCIM users has permission to access the space. Note: granular permissions require a paid plan.
SAML login flows
Atlassian Cloud supports both IDP Initiated Flow and SP Initiated Flow for SSO.
IDP Initiated flow
With this flow users first navigate to the idemeum user catalog and then click the Atlassian icon to launch the application.
SP Initiated flow
With this flow users can go directly to https://id.atlassian.com/login, type in their email address, and log in with passwordless SSO.