This guide assumes you have admin access to your Keycloak installation and some experience with the platform.
KeyCloak Configuration
Create Client
- In KeyCloak portal, navigate to clients, click the "Create" button
- For the "Client ID", enter the URL shown as the "Entity ID" on EasySSO's SAML configuration screen. Keycloak uses this value as the SAML issuer it expects from EasySSO, so it must match character for character
This will be in the form https://<YOUR ATLASSIAN PRODUCT HOST>:<YOUR ATLASSIAN PRODUCT PORT>/<YOUR ATLASSIAN PRODUCT CONTEXT>/plugins/servlet/easysso/saml
e.g. if you are running Jira on the testjira.mydomain.com host, with custom port 2990 and context /jira: https://testjira.mydomain.com:2990/jira/plugins/servlet/easysso/saml
or if you are running Jira on the testjira.mydomain.com host, on the default HTTPS port 443 and default ("root") context: https://testjira.mydomain.com/plugins/servlet/easysso/saml
- Change "Client Protocol" to SAML, and click "Save"
Configure Client
- In the "Settings" page of your newly created client record, scroll down and configure to match the following
- Sign Documents: Off
- Sign Assertions: On
- Encrypt Assertions: Off
- Client Signature Required: Off (Keycloak will then accept unsigned AuthnRequests from EasySSO)
- Valid Redirect URIs: "*" (excluding the quote marks). Note that "*" lets Keycloak post the signed assertion to any URL EasySSO names in its request; once login works, replace it with the exact URL you entered as the Client ID so that only the EasySSO endpoint is accepted
- Click Save
- Navigate to the "Mappers" tab of the client configuration
- Create new Protocol Mappers to match the following:
- Username:
- Name: username
- Mapper Type: User Property
- Property: username
- Friendly Name: username
- SAML Attribute Name: urn:oid:0.9.2342.19200300.100.1.1
- Click Save
- Email:
- Name: email
- Mapper Type: User Property
- Property: email
- Friendly Name: email
- SAML Attribute Name: urn:oid:0.9.2342.19200300.100.1.3
- Click Save
- First Name:
- Name: firstName
- Mapper Type: User Property
- Property: firstName
- Friendly Name: firstName
- SAML Attribute Name: urn:oid:2.5.4.42
- Click Save
- Last Name:
- Name: lastName
- Mapper Type: User Property
- Property: lastName
- Friendly Name: lastName
- SAML Attribute Name: urn:oid:2.5.4.4
- Click Save
- Copy the URL for the KeyCloak IDP metadata (the link is provided in the "Realm Settings" configuration screen in KeyCloak, under Endpoints: "SAML 2.0 Identity Provider Metadata"; it points at the realm's /protocol/saml/descriptor endpoint). EasySSO reads the IdP signing certificate and single sign-on URL from this document
(Optional) Groups Configuration
Create an additional protocol mapper which adds the user's group names to the attribute EasySSO is configured to read groups from (the attribute name below must match the one set in EasySSO, as described in: Configure EasySSO SAML Groups with Azure AD):
- Name: groups
- Mapper Type: Group list
- Group Attribute Name: urn:oid:2.5.4.31
- Friendly Name: groups
- Single Group Attribute: ON
- Full Group Path: OFF
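The Keycloak client and mappers set up by the steps above, expressed as an importable client representation (the JSON shape Keycloak's admin REST API and realm import use). This is an added example, not EasySSO's or Keycloak's own code: the host names, the realm name and the `check_client` sanity checks are assumptions made here, and the metadata URL helper assumes a Quarkus-based Keycloak with no `/auth` prefix. It also shows the hardened alternative to the "*" redirect URI, restricting Keycloak to the EasySSO endpoint itself.

```python
"""Added example (not EasySSO's or Keycloak's own code): build the Keycloak SAML
client described in the steps above as a client representation that can be
imported with Keycloak's admin CLI or REST API, and sanity-check it first.
Host names and the realm name are placeholders."""
import json

EASYSSO_SAML_PATH = "plugins/servlet/easysso/saml"

# (mapper name, Keycloak user property, SAML attribute name) as listed in the guide
USER_PROPERTY_MAPPERS = [
    ("username",  "username",  "urn:oid:0.9.2342.19200300.100.1.1"),
    ("email",     "email",     "urn:oid:0.9.2342.19200300.100.1.3"),
    ("firstName", "firstName", "urn:oid:2.5.4.42"),
    ("lastName",  "lastName",  "urn:oid:2.5.4.4"),
]


def easysso_entity_id(host, port=443, context=""):
    """EasySSO 'Entity ID' (also its assertion consumer URL) for an Atlassian
    host, port and context path; port 443 is dropped as the HTTPS default."""
    netloc = host if port == 443 else f"{host}:{port}"
    ctx = context.strip("/")
    return f"https://{netloc}/{ctx + '/' if ctx else ''}{EASYSSO_SAML_PATH}"


def idp_metadata_url(keycloak_base, realm):
    """Target of the 'SAML 2.0 Identity Provider Metadata' link under Realm
    Settings > Endpoints. Assumes a Quarkus-based Keycloak; WildFly-based
    releases put /auth in front of /realms."""
    return f"{keycloak_base.rstrip('/')}/realms/{realm}/protocol/saml/descriptor"


def user_property_mapper(name, prop, attr_name):
    return {
        "name": name,
        "protocol": "saml",
        "protocolMapper": "saml-user-property-mapper",
        "config": {
            "user.attribute": prop,
            "friendly.name": name,
            "attribute.name": attr_name,
            "attribute.nameformat": "URI Reference",  # urn:oid names are URIs
        },
    }


def group_list_mapper(attr_name="urn:oid:2.5.4.31"):
    return {
        "name": "groups",
        "protocol": "saml",
        "protocolMapper": "saml-group-membership-mapper",
        "config": {
            "attribute.name": attr_name,
            "friendly.name": "groups",
            "attribute.nameformat": "URI Reference",
            "single": "true",      # Single Group Attribute: ON
            "full.path": "false",  # Full Group Path: OFF
        },
    }


def build_saml_client(entity_id, with_groups=False, restrict_redirects=True):
    """Client representation matching the Settings/Mappers steps above.
    Keycloak stores the SAML switches as string-valued client attributes."""
    attributes = {
        "saml.server.signature": "false",    # Sign Documents: Off
        "saml.assertion.signature": "true",  # Sign Assertions: On
        "saml.encrypt": "false",             # Encrypt Assertions: Off
        "saml.client.signature": "false",    # Client Signature Required: Off
    }
    # The guide uses "*"; restricting to the EasySSO URL is the safer setting
    # once login works, since Keycloak then refuses any other ACS URL.
    redirect_uris = [entity_id] if restrict_redirects else ["*"]
    mappers = [user_property_mapper(*m) for m in USER_PROPERTY_MAPPERS]
    if with_groups:
        mappers.append(group_list_mapper())
    return {
        "clientId": entity_id,
        "protocol": "saml",
        "enabled": True,
        "attributes": attributes,
        "redirectUris": redirect_uris,
        "protocolMappers": mappers,
    }


def check_client(client):
    """Return a list of problems a reviewer would flag before importing."""
    a, problems = client["attributes"], []
    if a["saml.assertion.signature"] != "true" and a["saml.server.signature"] != "true":
        problems.append("neither assertions nor documents are signed; EasySSO cannot verify the response")
    if "*" in client["redirectUris"]:
        problems.append("Valid Redirect URIs is '*': any ACS URL is accepted")
    names = {m["config"]["attribute.name"] for m in client["protocolMappers"]}
    if "urn:oid:0.9.2342.19200300.100.1.1" not in names:
        problems.append("no username attribute mapper")
    return problems


if __name__ == "__main__":
    client = build_saml_client(
        easysso_entity_id("testjira.mydomain.com", 2990, "/jira"), with_groups=True)
    print(json.dumps(client, indent=2))
    print("metadata:", idp_metadata_url("https://sso.mydomain.com", "atlassian"))
    print("problems:", check_client(client))
```

Save the printed JSON to a file and import it with Keycloak's admin CLI (`kcadm.sh create clients -r <your realm> -f client.json` after `kcadm.sh config credentials`), then compare the resulting client in the admin console against the checklist above. The `check_client` function refuses the two settings that most often break or weaken this integration: a client where neither assertions nor documents are signed (EasySSO has nothing to verify) and a wildcard redirect URI.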
EasySSO Configuration
Configuring EasySSO
Follow the details given on EasySSO with SAML - Configuration
More Configuration
Configuring Users
For users to successfully log in, they must also have permission to access the application. See EasySSO SAML JIT User Provisioning for more details.
Configure Message Signing and Verification
Visit EasySSO SAML Message Signing and Verification for signing and verification configuration options.