Jira Cloud SAML Single Sign-On (SSO)
With CyberArk Identity as your identity provider (IdP), you can choose single sign-on (SSO) access to the Jira Cloud web and mobile applications with IdP-initiated SAML SSO (for SSO access through the Identity User Portal), SP-initiated SAML SSO (for SSO access directly through the Jira Cloud web application), or both. Providing both methods gives you and your users maximum flexibility.
If Jira Cloud is the first application you are configuring for SSO through CyberArk Identity, read these topics before you get started:
Jira Cloud SSO Requirements
Before you configure the Jira Cloud web application for SSO, you need the following:
- A Jira Cloud account.
- An organization administrator and Jira Cloud site administrator (user with admin permission in the group “site-admins”).
- Domains of SSO users’ email addresses added and verified before configuration.
Configure your organizations
Atlassian uses organizations to manage your domains and user accounts, providing control and visibility across your Atlassian Cloud applications. Setting up your organization and verifying a domain are prerequisites to configuring SSO. Refer to https://confluence.atlassian.com/cloud/organization-administration-938859734.html for more information about configuring your organization with Atlassian.
Add and configure Jira Cloud in the Identity Administration portal
The following steps are specific to the Jira Cloud application and are required in order to enable SSO for Jira Cloud. For information on optional configuration settings available in the Identity Administration portal, see Configure optional application settings.
- In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Add Web Apps.
- On the Search page, enter the application name in the Search field and click the search button.
- Next to the application name, click Add.
- On the Add Web App page, click Yes to confirm.
- Click Close to exit the Application Catalog.
  The application opens to the Settings page.
Configure Jira Cloud for SSO
You need organization administrator privileges to perform these steps.
The following steps are specific to the Jira Cloud application and are required in order to enable SSO for Jira Cloud. For information on optional configuration settings available in the Identity Administration portal, see Configure optional application settings.
- Return to the browser tab where you added and verified email addresses. If that browser tab is no longer active, open a new browser tab and log in to Jira Cloud with an account that has ADMIN privileges in the group “site-admins” and is an organization administrator.
  Click Settings > User management, then navigate to Organizations & Security and select your verified domain.
- Click SAML single sign-on.
- On the Atlassian SAML single sign-on page, click Add SAML configuration.
- On the Add SAML configuration screen, configure the following:
Identity Administration portal > Trust | Copy/Paste Direction | Jira Cloud Website > Atlassian Site Administration | What you do
--- | --- | --- | ---
Identity Provider Entity ID | → | Identity Provider Entity ID | Copy the URL from the Identity Administration portal and paste here.
Identity Provider SSO URL | → | Identity Provider SSO URL | Copy the URL from the Identity Administration portal and paste here.
Download Signing Certificate | → | Public x509 Certificate | Click Download Signing Certificate in the Identity Administration portal and open the file in a text editor. Copy the contents and paste it here.
- Click Save configuration.
- Compare the following settings between the Atlassian SAML single sign-on page and the Application Settings page of the Identity Administration portal.
  The arrows in the table below indicate the direction of the copy and paste operation between the two windows. For instance, the first arrow in the table below indicates that you copy the content from the indicated field on the Jira Cloud website and paste it into the corresponding field in the Identity Administration portal.

Identity Administration portal > Application Settings | Copy/Paste Direction | Jira Cloud Website > Atlassian Site Administration | What you do
--- | --- | --- | ---
SP Entity ID | ← | SP Entity ID | If the SP Entity ID is not https://id.atlassian.com/login, copy the SP Entity ID from Jira Cloud and paste it in the Identity Administration portal Application Settings page.
SP Assertion Consumer Service URL | ← | SP Assertion Consumer Service URL | If your SP Assertion Consumer Service URL is not https://id.atlassian.com/login/saml/acs, copy the SP Assertion Consumer Service URL from Jira Cloud and paste it in the Identity Administration portal Application Settings page.

- In the Identity Administration portal, configure User Access and Account Mapping.
- Click Save.
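The values exchanged in the steps above reappear in fixed fields of every SAML response, so a decoded response from a test login shows whether the copy and paste steps were done correctly before users depend on SSO. The following is an added example, not CyberArk or Atlassian code: `check_response` is a hypothetical helper, and the IdP Entity ID and the sample response are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Atlassian-side default values quoted on this page.
SP_ENTITY_ID = "https://id.atlassian.com/login"
SP_ACS_URL = "https://id.atlassian.com/login/saml/acs"
# Constructed placeholder for the Identity Provider Entity ID on the Trust page.
IDP_ENTITY_ID = "https://idp.example.invalid/constructed-app-id"

# Constructed, unsigned sample response (not captured from a real tenant).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" Destination="{SP_ACS_URL}">
  <saml:Assertion>
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:SubjectConfirmation>
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, idp_entity_id, sp_entity_id, acs_url):
    """List mismatches in routing fields only; the XML signature is not verified."""
    root = ET.fromstring(xml_text)  # feed it only responses you captured yourself
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found (encrypted or malformed response)"]
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    observed = [
        ("Issuer vs Identity Provider Entity ID",
         assertion.findtext("saml:Issuer", "", NS).strip(), idp_entity_id),
        ("Audience vs SP Entity ID",
         assertion.findtext(".//saml:Audience", "", NS).strip(), sp_entity_id),
        ("Destination vs SP Assertion Consumer Service URL",
         root.get("Destination", ""), acs_url),
        ("Recipient vs SP Assertion Consumer Service URL",
         scd.get("Recipient", "") if scd is not None else "", acs_url),
    ]
    return [f"{name}: got {got!r}, expected {want!r}"
            for name, got, want in observed if got != want]
```

An empty list means the four values line up; each returned string names the field to re-check in the corresponding table row.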
Configure Jira Cloud mobile apps for SSO
Jira Cloud provides mobile applications that support SSO for iOS and Android devices.
SP-initiated SSO will be launched after you enter the site name (subdomain) of your Jira Cloud and an email address with a verified domain.
For more information about Jira Cloud
For more information about configuring Jira Cloud for SSO, see:
https://confluence.atlassian.com/cloud/saml-single-sign-on-873871238.html
Jira Cloud specifications
Each SAML application is different. The following table lists features and functionality specific to Jira Cloud.
Capability | Supported? | Support details
--- | --- | ---
Web browser client | Yes |
Mobile client | Yes | iOS and Android
SAML 2.0 | Yes |
SP-initiated SSO | Yes |
IdP-initiated SSO | Yes |
Force user login via SSO only | Yes | Users with an email address at a domain that has been verified must use SSO.
Separate administrator login | No |
User or Administrator lockout risk | Yes |
Automatic user provisioning | No |
Multiple User Types | Yes | SSO works the same way for all admin and non-admin user types.
Self-service password | Yes | Users can reset their own passwords. Resetting another user’s password requires administrator rights.
Access restriction using a corporate IP range | Yes | You can specify an IP Range in the Identity Administration portal Policy page to restrict access to the application.