Can anyone describe their experience with a similar setup? I am trying to move from AD LDAP User Directory to SAML. So the users will get migrated into the internal SAML directory to preserve group membership, etc. and then SAML authentication. This all works fine.
My question is how will Confluence and Bitbucket handle that authentication? Do I need to set each of those up as a SAML endpoint? Unfortunately I only have a jiratest environment and not a bb/confluence to test this so trying to figure out the implication before I pull the trigger.
There is a variety of plugins in the Marketplace that can help here: https://marketplace.atlassian.com/search?query=saml
There may be one misconception in your thinking, however. You are saying "SAML Directory"; that is not quite true. What all the SAML plugins do is authenticate an *existing* user from any directory in your Atlassian application.
The next question is then how the user gets in there in the first place. And this is where you tend to have multiple choices.
If you can still use LDAP, then you can leave the normal LDAP synchronisation running: the LDAP sync creates and updates the users/groups while SAML only authenticates them.
Some of the plugins also allow you to create and update users based on the SAML response; the even more advanced ones, like ours, additionally have their own synchronisation features with some IdPs.
To keep this post to a manageable size:
If you continue to use LDAP for your user provisioning, then here is our setup guide that describes that setup together with AD FS: https://wiki.resolution.de/doc/saml-sso/latest/all/setup-guides-for-saml-sso/microsoft-ad-fs/ad-fs-with-ldap-user-directory
This is the Jira example, but our setup is the same across all the Atlassian products.
If you cannot or don't want to continue to use LDAP, then please let us know which identity provider you will be using; then I can give you some more advice on which provisioning method is the best and how to get there.
If you feel you need a bit more of a discussion around this, you can always book a free session with us via https://resolution.de/go/calendly
Cheers,
Christian
P.S. I work for resolution, a Marketplace vendor providing the most installed single sign-on app in the Atlassian DC & Server ecosystem.
Thanks, and yes, that was unclear: I would be migrating existing users from our LDAP to Jira's internal directory and using SAML authentication for those users along with user auto-create.
Right now, with an LDAP directory (or using Internal) in Jira, Conf/BB auth "just works", but with SAML on Jira but not Conf/BB, it doesn't (since the internal directory password isn't updated). So SAML auth on Conf/BB against Jira's internal directory seems like the way to go, but it does seem it will require a 3rd-party plugin.
What is the identity provider you are (will be) using?
Actually, I am getting confused now: even the Atlassian Data Center SAML does not support "auto-create" of users. This is usually one of the requirements where you have to go for a commercial plugin like ours.
So I checked: your organisation actually has community licenses from us for Jira. Is it maybe possible that you are already using our plugin on your Jira?
You should see it by going to Administration -> Manage Apps and then checking whether this plugin is installed: https://marketplace.atlassian.com/apps/1212130/saml-single-sign-on-sso-jira-saml-sso?hosting=server&tab=overview
If so, the same plugin is available for all the other products too.
Cheers,
Christian
You can use the SAML SSO plugin for JIRA, Confluence, and Bitbucket to enable SAML SSO from your IdP.
You have to configure SAML SSO individually in all applications. You will need to install the plugin on the application side, and on the IdP side you will need to create/configure a dedicated app (or relying party trust) for each of your applications.
Also, you don't have to worry about the Confluence and Bitbucket setup. Once you're done with the setup in JIRA, you just need to follow the same procedure for Confluence and Bitbucket, as all the above SAML plugins have a similar set of configurations.
I work for miniOrange, and if you need any help with the setup, you can contact us at atlassiansupport@miniorange.com or through our customer portal.
Thanks,
Lokesh
Hey, welcome to the Community!
I've administered an environment that saw Jira, Confluence, and Bitbucket Server all using SAML for authentication. They were still doing incremental syncs back to AD to get group memberships, but the actual logins were handled over SAML so the credentials didn't actually go through the applications.
You will need to set the applications up as endpoints (aka Service Provider, or "Relying Party" in ADFS terminology). I would imagine you're going to be using ADFS as your identity provider if you've currently got the applications configured for LDAP with AD.
On the application side, you'll need to install a plugin for Confluence/Bitbucket to become SAML service providers (we do provide an Atlassian-developed one with the Data Center editions of the products). There are several of these SAML plugins on the Marketplace, although I'd recommend sticking to the same plugin vendor across all your instances to make setup more consistent.
The various plugins manage the login action differently. Some give you a choice of identity providers on the login screen (so you would first see a Confluence login prompt, then your identity provider's login screen where you actually enter credentials). Others are configurable or let you completely redirect all login traffic to your identity provider. They then give you a special URL to avoid getting redirected if you need to log in as an administrator without SAML.
Happy to answer more questions if any of that needs clarification!
Cheers,
Daniel
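As an added example (not part of the thread, and not code from Atlassian or any plugin vendor), this is the AD FS side of what the reply above describes: each Atlassian application registered as its own relying party trust, with its own SP entity ID and assertion consumer URL, rather than one trust shared by all three. The hostnames, the SP metadata path, the group SID and the attribute used as NameID are assumptions; take the real values from each plugin's SP metadata page and your AD.

```powershell
# Added example, not from the original thread. Registers Jira, Confluence and
# Bitbucket as three separate relying party trusts in AD FS. Run on the AD FS
# server as an AD FS administrator.
Import-Module ADFS

# Assumed hostnames.
$apps = @(
    @{ Name = 'Jira';       BaseUrl = 'https://jira.example.org' },
    @{ Name = 'Confluence'; BaseUrl = 'https://confluence.example.org' },
    @{ Name = 'Bitbucket';  BaseUrl = 'https://bitbucket.example.org' }
)

# Assumed SP metadata path; plugins publish their metadata at a plugin-specific
# URL, so read it from the plugin's SAML configuration page.
$metadataPath = '/plugins/servlet/samlsso/metadata'

# Issue the AD sAMAccountName as NameID so the assertion subject matches the
# usernames that the LDAP sync created in each application (assumption: the
# applications use sAMAccountName as the username attribute).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "sAMAccountName as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Only members of one AD group get an assertion for these applications.
# The SID is a placeholder (assumption); use your group's SID.
$authzRules = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit Atlassian users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-1111111111-2222222222-3333333333-1234"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

foreach ($app in $apps) {
    $name = "Atlassian $($app.Name)"
    if (Get-AdfsRelyingPartyTrust -Name $name) {
        Write-Warning "$name already exists, skipping"
        continue
    }
    # Pulling the SP metadata gives AD FS the entity ID, ACS URL and SP
    # signing certificate; AutoUpdate keeps them current after a plugin
    # certificate rollover.
    Add-AdfsRelyingPartyTrust -Name $name `
        -MetadataUrl "$($app.BaseUrl)$metadataPath" `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules `
        -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
        -MonitoringEnabled $true `
        -AutoUpdateEnabled $true
}

# Check: every trust must carry a distinct Identifier (SP entity ID) and its
# own AssertionConsumerService URL. If two applications shared an entity ID,
# an assertion minted for one could be presented to the other.
Get-AdfsRelyingPartyTrust | Where-Object Name -like 'Atlassian *' |
    Select-Object Name, Identifier,
        @{ Name = 'ACS'; Expression = { ($_.SamlEndpoints | Where-Object Protocol -eq 'SAMLAssertionConsumer').Location } }
```

The same three trusts are what the plugin on each application expects to find when it is pointed at the AD FS federation metadata; the per-application entity ID in the plugin configuration has to match the Identifier shown by the final check.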
Thanks for your answer. I guess a lot of the confusion is that we are using Community licenses as a non-profit, which provide 'Server', which does *not* support SAML auth for Confluence/Bitbucket, but does for Jira (which seems odd...).
Hi!
Are you sure this has to do with the Community licenses?
Usually, if you use the Data Center variant of Jira/Confluence/Bitbucket, then a very basic version of SAML is included.
If you use the Server variant of Jira/Confluence/Bitbucket, then no SAML is included at all.
But on the other hand, using a community edition also makes your choice easier, as we offer our commercial plugins for free for community/non-profit use as well. So if you like, you can use the plugin across the board.
Cheers,
Christian
Hmm, I could never find one for Confluence Server. We already have the one for SSO for Data Center, but in 'Find new apps' it shows as "SSO for Atlassian Server and Data Center", and in Manage Apps it shows as "SAML for Atlassian Data Center", and there are no other options to configure it. This is not a separate license on my Atlassian page. I do have a license and a working plugin for Jira, but I cannot find a plugin for Confluence.
OK, I guess my confusion is that it is resolution and not Atlassian! I will request a community license for the other two products. Thank you so much, that will make my life much easier!
That's what I am here for :-)
Glad I could help. If you need anything else, just let me know.
Cheers,
Christian