Configure your Identity Provider (IdP)
Start by configuring SSO on your identity provider's side, as this process often generates information needed for the EasySSO configuration.
You will need the X.509 header name and User identity DN attribute name to configure EasySSO with X.509 authentication.
Obtain EasySSO from the Atlassian Marketplace.
If you have no Internet connectivity: Obtain an EasySSO license from the Atlassian Marketplace and install the license via the Universal Plugin Manager (UPM).
If you have Internet connectivity: In the UPM you will be asked for your email and password to the Atlassian Marketplace. Enter these and the EasySSO license will be added automatically.
- Once installed, click Configure in UPM to proceed to the configuration wizard. You can also reach this screen by clicking the EasySSO link under the "TechTime Add-Ons" section, usually located in the left panel of the Admin screen.
- Click X.509 and check the 'Enable X-509 authentication' checkbox.
EasySSO requires you to configure the:
- X.509 header name
- User identity DN attribute name. The name of the attribute in the X.509 certificate's Subject DN which the Atlassian application will use to identify the user, e.g. CN or EMAILADDRESS.
- User identity regex. Optional regular expression pattern to parse the value (as the first regex capturing group) from the identity attribute to match one of the options configured in step 4. For example, this way the "local-part" of the email address can be parsed out and mapped to the username in the application.
- Which attribute to use to look for the user in the application. Select which aspect of the application user's identity the value parsed by the configuration above represents. This defaults to "Username".
- Decision when multiple users are found matching the same identity string. Select what decision JIRA Software should take when multiple users match the same string. This defaults to use the first matching record found.
- Require the following conditions or reject the request with 403 (without going to the regular login form). Check what conditions are required for the X.509 request to be honoured. If these conditions aren't met the request will be denied. You can use any combination of:
- Header is present
- Certificate decodes successfully
- Certificate is trusted
- Certificate has not expired
- Click Save.
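
The following sketch shows how the "User identity DN attribute name" and "User identity regex" settings combine to turn a certificate Subject DN into the string used for the user lookup. It is an added example, not EasySSO's own code: the function names and sample DNs are constructed, the Subject DN is assumed to be already decoded from the certificate, and requiring the pattern to match the whole attribute value is this sketch's choice (the page does not say how EasySSO applies the pattern).

```python
import re

def parse_subject_dn(dn):
    """Split a Subject DN string into {ATTRIBUTE: value}.

    Commas escaped with a backslash (e.g. CN=Doe\\, Jane) stay inside the value.
    If an attribute appears more than once, the first occurrence wins.
    """
    attrs = {}
    for rdn in re.split(r'(?<!\\),', dn):
        name, sep, value = rdn.strip().partition('=')
        if sep:
            attrs.setdefault(name.strip().upper(),
                             value.strip().replace('\\,', ','))
    return attrs

def extract_identity(dn, attribute, pattern=None):
    """Return the identity string for the user lookup, or None.

    attribute -- the configured DN attribute name, e.g. CN or EMAILADDRESS
    pattern   -- optional regex; its first capturing group is the identity
    """
    value = parse_subject_dn(dn).get(attribute.upper())
    if value is None:
        return None              # attribute absent from the Subject DN
    if pattern is None:
        return value             # no regex configured: use the value as-is
    # Assumption of this sketch: the pattern must match the entire value,
    # so a value with unexpected trailing text is rejected, not truncated.
    match = re.fullmatch(pattern, value)
    return match.group(1) if match else None

# Constructed sample Subject DNs (not taken from a real certificate).
DN_EMAIL = "CN=Jane Doe,OU=Engineering,O=Example Corp,EMAILADDRESS=jdoe@example.com"
DN_ESCAPED = "CN=Doe\\, Jane,O=Example Corp"
DN_OTHER_DOMAIN = "CN=J Doe,EMAILADDRESS=jdoe@example.com.other.test"

# Pattern that captures the email local-part and pins the mail domain.
LOCAL_PART = r"([^@]+)@example\.com"

if __name__ == "__main__":
    for dn in (DN_EMAIL, DN_ESCAPED, DN_OTHER_DOMAIN):
        print(dn, "->", extract_identity(dn, "EMAILADDRESS", LOCAL_PART))
```

Pinning the domain in the pattern means a certificate whose email address belongs to a different domain yields no identity instead of mapping to the same username.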