Jira Cloud SAML Single Sign-On (SSO)

With CyberArk as your CyberArk Identity, you can choose single-sign-on (SSO) access to the Jira Cloud web and mobile applications with IdP-initiated SAML SSO (for SSO access through the Identity User Portal) or SP-initiated SAML SSO (for SSO access directly through the Jira Cloud web application) or both. Providing both methods gives you and your users maximum flexibility.

If Jira Cloud is the first application you are configuring for SSO through CyberArk Identity, read these topics before you get started:

Jira Cloud SSO Requirements

Before you configure the Jira Cloud web application for SSO, you need the following:

  • A Jira Cloud account.
  • An organization administrator and Jira Cloud site administrator (user with admin permission in the group “site-admins”)
  • Domains of SSO users’ email addresses added and verified before configuration.

Configure your organizations

Atlassian uses organizations to manage your domains and user accounts, providing control and visibility across your Atlassian Cloud applications. Setting up your organization and verifying a domain are pre-requisites to configuring SSO. Refer to https://confluence.atlassian.com/cloud/organization-administration-938859734.html for more information about configuring your organization with Atlassian.

Add and configure Jira Cloud in the Identity Administration portal

The following steps are specific to the Jira Cloud application and are required in order to enable SSO for Jira Cloud. For information on optional configuration settings available in the Idaptive the Identity Administration portal, see Configure optional application settings.

  1. In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Add Web Apps.

    Add a web app screen

  2. On the Search page, enter the application name in the Search field and click the search button.

  3. Next to the application name, click Add.

  4. On the Add Web App page, click Yes to confirm.

  5. Click Close to exit the Application Catalog.

    The application opens to the Settings page.

Configure Jira Cloud for SSO

You need organization administrator privileges to perform these steps.

It can be useful to open the web application and the Identity Administration portal simultaneously and have them both open, perhaps side by side. As part of the SSO configuration process, you’ll need to copy and paste settings between the two browser windows.

The following steps are specific to the Jira Cloud application and are required in order to enable SSO for Jira Cloud. For information on optional configuration settings available in the Idaptive the Identity Administration portal, see Configure optional application settings.

  1. Return to the browser tab where you added and verified email addresses. If that browser tab is no longer active, open a new browser tab and log in to Jira Cloud with an account that has ADMIN privileges in the group “site-admins” and is an organization administrator.

    Click Settings > User management, then navigate to Organizations & Security and select your verified domain.

  2. Click SAML single sign-on.

  3. On the Atlassian SAML single sign-on page, click Add SAML configuration.

  4. On the Add SAML configuration screen, configure the following:

    Identity Administration portal >Trust

    Copy/Paste

    Direction

    Jira Cloud Website
    >Atlassian Site Administration

    What you do

    Identity Provider Entity ID

    Identity Provider Entity ID

    Copy the URL from the Identity Administration portal and paste here.

    Identity Provider SSO URL

    Identity Provider SSO URL

    Copy the URL from the Identity Administration portal and paste here.

    Download Signing Certificate

    Public x509 Certificate

    Click Download Signing Certificate in the Identity Administration portal and open the file in a text editor.

    Copy the contents and paste it here.
  5. Click Save configuration.

  6. Compare the following settings between the Atlassian SAML single sign-on page and the Application Settings page of the Identity Administration portal.

    The red arrows in the table below indicate the direction of the copy and paste operation between the two windows. For instance, the first arrow in the table below indicates that you copy the content from the indicated field on the Jira Cloud website and paste it into the corresponding field in CyberArk Identity the Identity Administration portal.

    Identity Administration portal >Application Settings

    Copy/Paste

    Direction

    Jira Cloud Website
    >Atlassian Site Administration

    What you do

    SP Entity ID

    SP Entity ID

    If the SP Entity ID is not: https://id.atlassian.com/login, copy the SP Entity ID from Jira Cloud and paste it in the Identity Administration portal Application Settings page.

    SP Assertion Consumer Service URL

    SP Assertion Consumer Service URL

    If your SP Assertion Consumer Service URL is not: https://id.atlassian.com/login/saml/acs, copy the SP Assertion Consumer Service URL from Jira Cloud and paste it in the Identity Administration portal Application Settings page.
  7. In CyberArk Identity the Identity Administration portal, configure User Access and Account Mapping.
  8. Click Save.

Configure Jira Cloud mobile apps for SSO

Jira Cloud provides mobile applications that support SSO for iOS and Android devices.

SP-initiated SSO will be launched after you enter the site name (subdomain) of your Jira Cloud and an email address with a verified domain.

For more information about Jira Cloud

For more information about configuring Jira Cloud for SSO, see:

https://confluence.atlassian.com/cloud/saml-single-sign-on-873871238.html

Jira Cloud specifications

Each SAML application is different. The following table lists features and functionality specific to Jira Cloud.

 

Capability

Supported?

Support details

Web browser client

Yes

 

Mobile client

Yes

iOS and Android

SAML 2.0

Yes

 

SP-initiated SSO

Yes

 

IdP-initiated SSO

Yes

 

Force user login via SSO only

Yes

Users with an email address at a domain that has been verified must use SSO.

Separate administrator login
after SSO is enabled

No

 

User or Administrator lockout risk

Yes

 

Automatic user provisioning

No

 

Multiple User Types

Yes

SSO works the same way for all admin and non-admin user types.

Self-service password

Yes

Users can reset their own passwords. Resetting another user’s password requires administrator rights.

Access restriction using a corporate IP range

Yes

You can specify an IP Range in the Identity Administration portal Policy page to restrict access to the application.