EasySSO with X.509 - Configuration

Configure your Identity Provider (IdP) or Proxy

Start by configuring SSO in your identity provider's side as this process often generates information needed for the EasySSO configuration. 

You will need the X.509 header name and User identity DN attribute name to configure EasySSO with X.509 authentication.

Installing EasySSO

1. Obtain EasySSO from the Atlassian Marketplace.
   
   
2. Install a license for EasySSO. If you already have a production one in your My Atlassian portal - find it, and copy/paste into EasySSO's record in Universal Plugin Manager (UMP) under Manage apps.
   
   If you need a Free Trial one:
   
   If you have Internet connectivity from the Atlassian application: Usually during the installation of a new app in the UPM you will be asked for credentials to your My Atlassian portal in a popup. Enter these, and after filling the name of the organisation for the license, you will have access to the license and the option to have it installed automatically.
   
   Alternatively:  Obtain an EasySSO license from the Atlassian Marketplace by clicking "Try it free" and copy/paste into EasySSO's record in the Universal Plugin Manager (UMP) under Manage apps.
   
   
3. Once installed click Configure in UPM to proceed to the configuration wizard. You can also arrive to this screen by clicking EasySSO link under "TechTime Add-Ons" section usually located in the left panel of the Admin screen.
   
   
4. Click X.509 and check the 'Enable X-509 authentication' checkbox. 

Configure EasySSO

EasySSO requires you to configure the:

1. X.509 header name

2. User identity DN attribute name. The name of the attribute in the X.509 certificate's Subject DN which the Atlassian application will use to obtain identity of the user e.g. CN or EMAILADDRESS.

3. User identity regex. An optional regular expression pattern to parse the DN attribute value and compose the identity value via replacement expression. If the regex is empty the value of the attribute is taken as is. If the replacement expression is left empty the value of the first regex capturing group is taken. Example: "^(.+)@" and empty replacement value can be used to parse out the "local-part" of the email address, and "^(.).+\.(.+)@.*$" with replacement value "$1$2" can be used to transform "john.doe@example.com" to "jdoe" as candidates for username match in the application.
4. Which attribute to use to look for the user in the application. Select what field of the application user's record the value parsed in step 3 should represent. This defaults to "Username".
5. The decision to take when multiple user records are found matching the same identity string (this may happen if you are matching by email address). The default is to use the first matching record found.

6. Require the following conditions or reject the request with HTTP error code 403 (without going to the regular login form). Check what conditions are required for the X.509 request to be honoured. If these conditions aren't met the request will be denied.
   

   By its very nature X.509 integration is very "tight". Once enabled, if the X.509 certificate is set to be "required" – it will be expected on every un-authenticated request. Don't lock yourself out while testing! Test in Incognito/In-Private mode, or have another browser with active session.

   
   You can use any combination of:

   1. Header is present
   2. Certificate decodes successfully
   3. Certificate is trusted
   4. Certificate has not expired
7. Click Save.