This guide assumes you have admin access to your Keycloak installation and some experience with the platform.

Keycloak Configuration

Create Client

  1. In the Keycloak portal, navigate to Clients and click the "Create" button
  2. For the "Client ID", enter the URL shown as the "Entity ID" on the SAML configuration screen in EasySSO
    This will be in the form https://<YOUR ATLASSIAN PRODUCT HOST>:<YOUR ATLASSIAN PRODUCT PORT>/<YOUR ATLASSIAN PRODUCT CONTEXT>/plugins/servlet/easysso/saml
    e.g. if you are running Jira on the testjira.mydomain.com host, with custom port 2990 and context /jira: https://testjira.mydomain.com:2990/jira/plugins/servlet/easysso/saml
    or, if you are running Jira on the testjira.mydomain.com host, on the default HTTPS port 443 and the default ("root") context: https://testjira.mydomain.com/plugins/servlet/easysso/saml
  3. Change "Client Protocol" to SAML, and click "Save"

Configure Client

  1. In the "Settings" page of your newly created client record, scroll down and configure the settings to match the following:
    1. Sign Documents: Off
    2. Sign Assertions: On
    3. Encrypt Assertions: Off
    4. Client Signature Required: Off
    5. Valid Redirect URIs: "*" (excluding the quote marks)
    6. Click Save
  2. Navigate to the "Mappers" tab of the client configuration
  3. Create new Protocol Mappers to match the following:
    1. Username:
      1. Name: username
      2. Mapper Type: User Property
      3. Property: username
      4. Friendly Name: username
      5. SAML Attribute Name: urn:oid:0.9.2342.19200300.100.1.1
      6. Click Save
    2. Email:
      1. Name: email
      2. Mapper Type: User Property
      3. Property: email
      4. Friendly Name: email
      5. SAML Attribute Name: urn:oid:0.9.2342.19200300.100.1.3
      6. Click Save
    3. First Name:
      1. Name: firstName
      2. Mapper Type: User Property
      3. Property: firstName
      4. Friendly Name: firstName
      5. SAML Attribute Name: urn:oid:2.5.4.42
      6. Click Save
    4. Last Name:
      1. Name: lastName
      2. Mapper Type: User Property
      3. Property: lastName
      4. Friendly Name: lastName
      5. SAML Attribute Name: urn:oid:2.5.4.4
      6. Click Save
  4. Copy the URL for the Keycloak IdP metadata (the link is provided in the "Realm Settings" configuration screen in Keycloak, under Endpoints: "SAML 2.0 Identity Provider Metadata")


(Optional) Groups Configuration

Create an additional protocol mapper that adds the group name to the attribute configured in EasySSO (as per the instructions in: Configure EasySSO SAML Groups with Azure AD)

  • Name: groups
  • Mapper Type: Group list
  • Group Attribute Name: urn:oid:2.5.4.31 
  • Friendly Name: groups
  • Single Group Attribute: ON
  • Full Group Path: OFF
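
To confirm that the mappers from "Configure Client" and "(Optional) Groups Configuration" emit what EasySSO expects, the following added example (not part of the original guide, EasySSO or Keycloak) inspects a SAML response captured from a test login and lists deviations from the settings above. The names check_response and sample_attr and the sample response are constructed for illustration; the check is structural and does not validate the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED = {"username": "urn:oid:0.9.2342.19200300.100.1.1",
            "email": "urn:oid:0.9.2342.19200300.100.1.3",
            "firstName": "urn:oid:2.5.4.42",
            "lastName": "urn:oid:2.5.4.4"}
GROUPS = "urn:oid:2.5.4.31"  # optional groups mapper; all names are this page's values


def check_response(xml_text):
    """Structural check only: it does NOT validate the signature value."""
    root = ET.fromstring(xml_text)  # feed it responses from your own test login
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plain Assertion (Encrypt Assertions: Off expected)"], []
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        vals = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
        attrs.setdefault(a.get("Name"), []).extend(vals)
    issues = [f"missing or empty {name} ({oid})"
              for name, oid in REQUIRED.items() if not any(attrs.get(oid, []))]
    if assertion.find("ds:Signature", NS) is None:
        issues.append("Assertion unsigned (Sign Assertions: On expected)")
    if root.find("ds:Signature", NS) is not None:
        issues.append("Response signed (Sign Documents: Off expected)")
    groups = attrs.get(GROUPS, [])
    if any(g.startswith("/") for g in groups):
        issues.append("group value is a path (Full Group Path: OFF expected)")
    return issues, groups


def sample_attr(name, *values):  # builds one Attribute for the constructed sample
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return f'<saml:Attribute Name="{name}">{vals}</saml:Attribute>'


# Constructed sample (not real Keycloak output): email mapper missing, one path-style group.
SAMPLE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><saml:Assertion><ds:Signature/>'
    "<saml:AttributeStatement>" + sample_attr(REQUIRED["username"], "jdoe")
    + sample_attr(REQUIRED["firstName"], "Jane") + sample_attr(REQUIRED["lastName"], "Doe")
    + sample_attr(GROUPS, "jira-users", "/ops/admins")
    + "</saml:AttributeStatement></saml:Assertion></samlp:Response>")

if __name__ == "__main__":
    print(check_response(SAMPLE))
```

An empty issue list means the response structure matches the mapper and signing settings in this guide; the second return value is the list of group names EasySSO would receive.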

EasySSO Configuration

Configuring EasySSO

Follow the instructions in EasySSO with SAML - Configuration.

More Configuration

Configuring Users

For users to successfully log in, they must also have permission to access the application. See EasySSO SAML JIT User Provisioning for more details.

Configure Message Signing and Verification

Visit EasySSO SAML Message Signing and Verification for signing and verification configuration options.
