Atlassian Partner, Wellington - Configure SAML

With the release of EasySSO 4.0+, configuration of EasySSO with SAML has been simplified.

Configure your Identity Provider (IdP)

Start by configuring SSO on your identity provider's side, as this process often generates information needed for the EasySSO configuration. To help you with this, we have guides for the following common IdPs.


metadata URL
The full form is https://<YOUR ATLASSIAN PRODUCT HOST>:<YOUR ATLASSIAN PRODUCT PORT>/<YOUR ATLASSIAN PRODUCT CONTEXT>/plugins/servlet/easysso/saml/metadata
e.g. if you are running Jira on custom port 2990 and context /jira: https://testjira.mydomain.com:2990/jira/plugins/servlet/easysso/saml/metadata
or if you are running on the default HTTPS port 443 and no context: https://testjira.mydomain.com/plugins/servlet/easysso/saml/metadata

AssertionConsumerService URL or ACS URL or Reply URL
The full form is https://<YOUR ATLASSIAN PRODUCT HOST>:<YOUR ATLASSIAN PRODUCT PORT>/<YOUR ATLASSIAN PRODUCT CONTEXT>/plugins/servlet/easysso/saml
e.g. if you are running Jira on custom port 2990 and context /jira: https://testjira.mydomain.com:2990/jira/plugins/servlet/easysso/saml
or if you are running on the default HTTPS port 443 and no context: https://testjira.mydomain.com/plugins/servlet/easysso/saml

Entity ID or Identifier
The full form is https://<YOUR ATLASSIAN PRODUCT HOST>:<YOUR ATLASSIAN PRODUCT PORT>/<YOUR ATLASSIAN PRODUCT CONTEXT>/plugins/servlet/easysso/saml
e.g. if you are running Jira on custom port 2990 and context /jira: https://testjira.mydomain.com:2990/jira/plugins/servlet/easysso/saml
or if you are running on the default HTTPS port 443 and no context: https://testjira.mydomain.com/plugins/servlet/easysso/saml
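The three Service Provider values above follow one pattern: the metadata URL adds /metadata to the ACS URL, and the ACS URL and Entity ID are identical. The helper below is an added example (not EasySSO's own code) that derives all three from the host, port and context, omitting the port when it is the HTTPS default and tolerating a context given with or without slashes.

```python
from urllib.parse import urlunsplit

# Servlet path used by EasySSO for SAML, as given on the page.
EASYSSO_SAML_PATH = "/plugins/servlet/easysso/saml"


def easysso_sp_urls(host, port=443, context=""):
    """Return the metadata URL, ACS URL and Entity ID for an EasySSO install.

    host    -- the Atlassian product's public hostname (no scheme, port or path)
    port    -- the HTTPS port; 443 is left out of the URL, as in the page examples
    context -- the servlet context path such as "/jira", or "" when there is none
    """
    if not host or "/" in host or ":" in host:
        raise ValueError("host must be a bare hostname without scheme, port or path")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    # Normalise the context so "", "/", "jira" and "/jira/" all behave the same.
    stripped = context.strip("/")
    context = "/" + stripped if stripped else ""
    netloc = host if port == 443 else f"{host}:{port}"
    base = urlunsplit(("https", netloc, context + EASYSSO_SAML_PATH, "", ""))
    return {
        "metadata_url": base + "/metadata",
        "acs_url": base,
        "entity_id": base,
    }


if __name__ == "__main__":
    # The two cases given on the page.
    print(easysso_sp_urls("testjira.mydomain.com", 2990, "/jira"))
    print(easysso_sp_urls("testjira.mydomain.com"))
```

Paste the returned values into the IdP's Service Provider / Relying Party configuration exactly as printed; a mismatch between the Entity ID registered at the IdP and the one EasySSO presents is the most common reason an otherwise valid SAML response is rejected.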


Please note: EasySSO completely ignores the Name ID sent as part of the Subject in the SAML response and instead looks for the username in the attributes, using the UID Attribute name configured in the EasySSO GUI. Also, to provision a new user EasySSO requires the Email Address ("urn:oid:0.9.2342.19200300.100.1.3"), Display Name ("urn:oid:2.16.840.1.113730.3.1.241") or both givenName and surname ("urn:oid:2.5.4.42" and "urn:oid:2.5.4.4"). Your IdP may need to be configured to send these.
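To check what an IdP is actually sending before pointing EasySSO at it, the following added example (not part of EasySSO or this page) reads the AttributeStatement of a SAML 2.0 assertion, resolves the username from the configured UID attribute while deliberately ignoring the Subject NameID, and reports which of the provisioning attributes named above are missing. The assertion is a constructed sample; the code assumes the response's signature has already been verified upstream and reads the three alternatives in the note literally (any one of them satisfies provisioning).

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names from the page. OID_UID is the page's suggested UID attribute;
# in practice it is whatever is configured in the EasySSO GUI.
OID_UID = "urn:oid:0.9.2342.19200300.100.1.1"
OID_MAIL = "urn:oid:0.9.2342.19200300.100.1.3"
OID_DISPLAY_NAME = "urn:oid:2.16.840.1.113730.3.1.241"
OID_GIVEN_NAME = "urn:oid:2.5.4.42"
OID_SURNAME = "urn:oid:2.5.4.4"

# Constructed sample assertion: NameID is present but must not be used.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID>ignored-by-easysso@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1">
      <saml:AttributeValue>jsmith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>jsmith@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42">
      <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4">
      <saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attributes_from_assertion(assertion_xml):
    """Map attribute Name -> list of string values. Subject/NameID is not read."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def resolve_user(attrs, uid_attribute=OID_UID):
    """Return (username, can_provision, missing).

    username is None unless the UID attribute carries exactly one non-empty value.
    missing lists which of the three provisioning sources are absent; under the
    page's wording, provisioning works as long as at least one is present.
    """
    uid_values = [v.strip() for v in attrs.get(uid_attribute, []) if v.strip()]
    if len(uid_values) != 1:
        return None, False, ["uid"]
    missing = []
    if not attrs.get(OID_MAIL):
        missing.append("mail")
    if not attrs.get(OID_DISPLAY_NAME):
        missing.append("displayName")
    if not (attrs.get(OID_GIVEN_NAME) and attrs.get(OID_SURNAME)):
        missing.append("givenName+sn")
    return uid_values[0], len(missing) < 3, missing


if __name__ == "__main__":
    found = attributes_from_assertion(SAMPLE_ASSERTION)
    print(resolve_user(found))                        # UID attribute = uid
    print(resolve_user(found, uid_attribute=OID_MAIL))  # UID attribute = mail
```

A captured assertion from the IdP's SAML tracer, run through this, tells you immediately whether the UID attribute you chose in the GUI is being sent at all and whether first-login provisioning has enough to work with.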

Installing EasySSO

  1. Obtain EasySSO from the Atlassian Marketplace.

  2. If you have no Internet connectivity: obtain an EasySSO license from the Atlassian Marketplace and install the license via the Universal Plugin Manager (UPM).
    If you have Internet connectivity: in the UPM you will be asked for your email and password for the Atlassian Marketplace. Enter these and the EasySSO license will be added automatically.

  3. Once installed, click Configure in UPM to proceed to the configuration wizard. You can also arrive at this screen by clicking the EasySSO link under the "TechTime Add-Ons" section, usually located in the left panel of the Admin screen.
  4. Click SAML and check the 'Enable SAML' checkbox.

Configure EasySSO

SAML configuration in EasySSO is typical for SAML add-ons. At a minimum, EasySSO requires you to configure the following:

In the SAML tab

  1. IdP POST Binding URL (if you have the IdP metadata URL, you can load this together with the certificates by submitting the URL on the Certificates tab, e.g. for ADFS: https://yourADFShostname/federationmetadata/2007-06/federationmetadata.xml or for Keycloak: https://yourKeycloakhostname/auth/realms/master/protocol/saml/descriptor).

  2. UID Attribute. Good candidates for user ID are "urn:oid:0.9.2342.19200300.100.1.1" for uid or "urn:oid:0.9.2342.19200300.100.1.3" for the email address.

  3. Entity ID (if you have the IdP metadata URL, you can load this together with the certificates by submitting the URL on the Certificates tab, e.g. for ADFS: https://yourADFShostname/federationmetadata/2007-06/federationmetadata.xml or for Keycloak: https://yourKeycloakhostname/auth/realms/master/protocol/saml/descriptor).

  4. Default Groups for Auto-created users, e.g. jira-software-users or confluence-users. These are the product access group(s) granted to the user on their first login if the user needs to be created. Pre-existing users are not added to any groups on login.

In Certificates tab

  1. IdP Token Signing Certificates. There are several methods to load these:

    1. URL - enter your IdP Metadata URL, then click "Load Certificate" to retrieve the metadata and parse the certificate(s) automatically.
    2. Upload - select the Upload radio button and upload the metadata file; the certificate(s) will be parsed automatically.
    3. Input - copy/paste your metadata directly into the field as text, then click "Parse Certificate".
    4. Alternatively, if you have obtained the certificate as a text file, open it in any text editor and copy/paste it directly into the certificate field.
  2. Press Save.

Additional EasySSO configuration

The following additional configuration is available for EasySSO.

If you are using FishEye / Crucible

Configure the web server SameSite Session cookie settings

In the SAML tab

  • Acceptable time skew tolerance in seconds - SAML messages include timestamps that instruct the Service Provider (EasySSO) to limit acceptance of the messages, to prevent replay attacks. When the IdP and SP server clocks differ, a tolerance value can be configured here.
  • Message signing and verification checkboxes.
  • Create user on successful login checkbox.
  • IP Filter. If present, only users whose IP address matches this filter will be offered SAML. An empty allowlist will allow any IP address. You can enter a single IP address (for the reverse proxy), a comma-separated list of IP addresses, an IP address range e.g. 192.168.0.1-192.168.0.10, or a network in CIDR notation.
  • IP Blocklist. If present, users whose IP address matches this filter will be ignored by SAML. Please note that if an IP address is both allowlisted and blocklisted, it will be considered allowlisted.
  • Excluded Paths. Any URI path you wish to exclude from filtering. Please enter the URIs separated by commas.
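The time skew tolerance is the one setting above that trades security for convenience, so it helps to see exactly what it does. The added example below (not EasySSO's code) validates a SAML Conditions element's NotBefore and NotOnOrAfter against the SP's clock with a configurable tolerance, the same way a Service Provider applies such a setting; the timestamps are constructed values.

```python
from datetime import datetime, timedelta, timezone


def parse_saml_instant(value):
    """SAML dateTime values are UTC ISO 8601 with a trailing 'Z'."""
    if not value.endswith("Z"):
        raise ValueError("SAML dateTime values must be UTC with a 'Z' suffix")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def conditions_valid(not_before, not_on_or_after, now, skew_seconds=0):
    """Apply the assertion validity window, widened by the skew tolerance.

    not_before / not_on_or_after -- strings from <saml:Conditions>, or None
    now                          -- the SP's current time (timezone-aware UTC)
    skew_seconds                 -- the 'Acceptable time skew tolerance' value
    Returns (accepted, reason).
    """
    skew = timedelta(seconds=skew_seconds)
    if not_before is not None and now + skew < parse_saml_instant(not_before):
        return False, "assertion not yet valid (NotBefore in the future)"
    if not_on_or_after is not None and now - skew >= parse_saml_instant(not_on_or_after):
        return False, "assertion expired (NotOnOrAfter reached)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed: the IdP clock runs 30 s ahead of the SP, so NotBefore is
    # 30 s in the SP's future and the 5-minute window ends at 12:05:30.
    sp_now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    print(conditions_valid("2024-01-01T12:00:30Z", "2024-01-01T12:05:30Z", sp_now))
    print(conditions_valid("2024-01-01T12:00:30Z", "2024-01-01T12:05:30Z", sp_now, 60))
```

The tolerance widens the window at both ends: every second of skew you allow is also a second longer that a captured response stays replayable, so fix the clock drift with NTP and keep this value as small as the remaining drift permits rather than raising it until logins work.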

Using IP filters

EasySSO takes a declarative approach to SSO, relying on the sysadmin's ability to "segment" the network by IP address, IP ranges or IP networks in CIDR notation. This allows one to configure different SSO methods for different segments of the network. Often this is done based on the reverse proxy IP as opposed to the client IP itself.

In the context of SAML, the usual approach is to configure Kerberos/NTLM SSO to only be available to the internal segment of the network (this is done via the Advanced/IP Filtering screen) and configure SAML for the external segment, i.e. a user would get either Kerberos/NTLM or SAML.

In Look and Feel tab

The Look and Feel tab of the SAML configuration screen allows you to select the SAML login button placement, colouring, button text, and redirect message text. If the button is enabled, no automatic redirect will be done; instead the user will be expected to click on the button explicitly, i.e. they are given a choice to log in via SAML or using the built-in form authentication.

Here is an example of a SAML login button next to the Login button with the default look and the custom name "SAML Super Login".

As an alternative, here is an example with the same custom button text - this time with the SAML login button above to the Login fields with the highlighted look.

If you are not using the SAML Button and need to temporarily suppress the automatic redirect to the IdP in order to log in using the standard username and password form (such as when you need to reconfigure or disable EasySSO), add the ?stopsso=true parameter to your URL.
