To set up Atlassian Single Sign-On (SSO) with Azure B2C, you'll first need to create an Azure Active Directory (Azure AD) instance. This will serve as the foundation for your SSO configuration.
You can create an Azure AD instance in the Azure portal, which is accessible through the Azure website. The Azure portal is where you'll manage your Azure resources, including your Azure AD instance.
To create an Azure AD instance, you'll need to sign in with your Azure account credentials. If you don't have an Azure account, you can create one for free.
Once you've created your Azure AD instance, you can proceed with configuring Atlassian SSO with Azure B2C.
Prerequisites
Before you dive into configuring Atlassian SSO with Azure B2C, make sure you have the following prerequisites in place.
You'll need an Azure B2C tenant that uses Custom Policies. I've found that having a sample solution to refer to can be super helpful in getting started.
To integrate your OAuth/OpenID Provider and Jira, you'll need an Atlassian Cloud account with a subscription to Atlassian Guard (Standard or Premium).
Having an administrator role in the Atlassian account is essential, and you'll also need to have either B2C IEF Policy Administrator and B2C IEF Keyset Administrator, or Global Administrator on the B2C tenant.
In summary, you'll need:
- An Azure B2C tenant that uses Custom Policies
- An Atlassian Cloud account with a subscription to Atlassian Guard (Standard or Premium)
- Administrator role in the Atlassian account
- B2C IEF Policy Administrator and B2C IEF Keyset Administrator, or Global Administrator on the B2C tenant
Azure B2C Configuration
To get started with the Azure B2C configuration, your application must be served over HTTPS. Sign in to the Azure portal and navigate to the Azure AD B2C directory that has an active subscription. Make sure you're in the correct directory; if not, switch to the one with the active subscription.
The first step is to create a new Azure B2C application by clicking on App registrations and then clicking on the New registration option. Configure the necessary options to create a new application.
Copy your Application ID and keep it handy. Next, click Certificates and secrets, then New Client Secret to generate a Client Secret. Copy the secret value and keep it handy: the portal shows it only once, so store it somewhere secure rather than in a ticket or chat message.
To test the connection, you'll need to create a new user in the Azure B2C directory. Go to the Users tab and click on New user, then select Create Azure AD B2C user. Set your email and password, and click Create to save the user details.
Here's a summary of the steps to create a new Azure B2C application:
- Create a new Azure B2C application
- Copy your Application ID
- Generate a Client Secret
- Create a new user in the Azure B2C directory
Note: Make sure your application is served over HTTPS before proceeding with the configuration.
Atlassian Configuration
In the Atlassian configuration, you'll set up the basics for SSO. Go to Jira Manage Apps and click Configure under OAuth/OpenID Connect (OIDC) for Jira SSO. Then click the Add New Provider button and select your preferred IDP.
To add the IDP, enter the copied Client ID, Client Secret, and Tenant ID. You'll also need to add the logout endpoint, https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/logout?p={APP_NAME}, so that logging out of Jira also logs you out of Azure B2C.
The scope is required and should be configured as openid. You'll also need to enter the JWKS EndPoint URL or Public Key for signature validation.
Configure Jira OAuth Client
To configure the Jira OAuth client, go to Jira Manage Apps and click Configure under OAuth/OpenID Connect (OIDC) for Jira SSO, then click the Add New Provider button.
Select your preferred IDP, which in this case is Azure AD B2C. Enter the copied Client ID, Client Secret, and Tenant ID. Make sure to add the logout endpoint, https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/logout?p={APP_NAME}, so that users are returned to the Jira login page after logging out.
Configure the scope as openid and enter the JWKS EndPoint URL or Public Key for signature validation. You can find the JWKS EndPoint URL in the Azure portal, for example, https://login.microsoftonline.com/common/discovery/keys.
Finally, click Test Configuration to verify the entered details. This confirms that your Jira OAuth client is properly configured for Azure AD B2C SSO.
Here's a summary of the required settings:
- Client ID: the Application ID copied from the Azure B2C app registration
- Client Secret: the secret value generated under Certificates and secrets
- Tenant ID: the ID of your Azure B2C tenant
- Logout endpoint: https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/logout?p={APP_NAME}
- Scope: openid
- JWKS EndPoint URL or Public Key: used for signature validation, for example https://login.microsoftonline.com/common/discovery/keys
User Profile Mapping
User Profile Mapping is a crucial step in configuring Atlassian Jira for Single Sign-On (SSO). You'll need to navigate to the User Profile section in the left sidebar to set up user profile attributes.
If your user directory is read-only, disable the User Profile Mapping option; this takes you directly to the Matching a User step.
In the User Profile tab, populate the fields by matching attribute names. For instance, if the Attribute Name in the Test Configuration window is NameID, enter NameID as Username.
It's essential to set up both Username and Email if you allow user registration. Alternatively, you can restrict login to existing users by deselecting the Allow User Creation option in the Advanced SSO Options tab.
To match the attributes, navigate to the User Profile tab and choose either Username or Email as the login for the Jira user account.
You can configure custom attributes received in the OAuth/OpenID response using the Configure User Properties (Extended Attributes) section.
Here are the steps to add custom attributes:
- Click on Add Attribute Mapping.
- Enter the attribute name (e.g. department) as User Property Key in the Select Jira Attribute to Map field.
- For each attribute, input the corresponding value retrieved from the Attributes from IDP tab in the Test Configuration window. For example, if the attribute name in the Test Configuration window is Department, enter Department as the Attribute Value.
Additional attributes, such as location, can be added by selecting the Add Attribute Mapping option.
User Group Mapping
User Group Mapping is a crucial step in configuring Atlassian Jira for Single Sign-On (SSO) integration. You have the option to enable group mapping, which allows you to synchronize groups between your OAuth/OpenID provider and Jira.
To enable group mapping, select the "Enable Group Mapping" option in the User Groups tab. If you prefer not to assign any default group to SSO users, choose "None" using the Assign Default Group To option.
The Configure OAuth tab is where you can review the values returned by your OAuth/OpenID provider to Jira. Click on Test Configuration to review the values in the table. If group values are missing, adjust the settings in your OAuth provider to include group names.
You can identify group attributes by entering the Attribute Name of the group under Group Attribute in the User Groups tab. Be aware that you can disable group mapping for existing users by checking the Disable Group Mapping option.
Manual group mapping is recommended when the names of groups in Jira are different than the corresponding groups in OAuth/OpenID Provider. On-The-Fly group mapping is suitable when the names of groups in Jira and OAuth/OpenID Provider are the same.
Here are the two group mapping methods summarized:
- Manual group mapping: use when group names in Jira differ from the corresponding group names in the OAuth/OpenID Provider; each provider group is mapped to a Jira group explicitly.
- On-The-Fly group mapping: use when group names in Jira and the OAuth/OpenID Provider are the same; the provider's group names are used directly.
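The following is an added illustration of the profile, extended-attribute and group mapping described in the two sections above; it is not the plugin's own code. The claim names, mapping tables and group names are constructed, and the sample dictionary stands in for the "Attributes from IDP" table that Test Configuration displays.

```python
# Constructed sample of the "Attributes from IDP" table shown by Test Configuration.
SAMPLE_IDP_ATTRIBUTES = {
    "NameID": "jdoe",
    "email": "jdoe@example.com",
    "Department": "Engineering",
    "groups": ["jira-developers", "Finance Team"],
}

# Profile mapping as entered in the User Profile tab (Jira field -> IdP attribute name).
PROFILE_MAPPING = {"username": "NameID", "email": "email"}
# Extended attributes: Jira user property key -> IdP attribute name (hypothetical names).
EXTENDED_MAPPING = {"department": "Department", "location": "Location"}


def map_user_profile(idp_attrs, profile_map=PROFILE_MAPPING, extended_map=EXTENDED_MAPPING):
    """Return (profile, properties). Raises if a login attribute is absent,
    because Jira cannot match or create a user without it."""
    profile = {}
    for jira_field, idp_name in profile_map.items():
        if idp_name not in idp_attrs:
            raise ValueError(f"IdP response has no attribute {idp_name!r} for {jira_field}")
        profile[jira_field] = idp_attrs[idp_name]
    # Extended attributes are optional: a missing one is simply not set.
    properties = {key: idp_attrs[name] for key, name in extended_map.items() if name in idp_attrs}
    return profile, properties


def map_groups(idp_attrs, group_attr="groups", manual_map=None, default_group=None):
    """Resolve the Jira groups for a user.

    manual_map=None selects on-the-fly mapping (IdP group names used as-is);
    a dict selects manual mapping (only listed IdP groups are mapped, others
    are dropped). Returns (groups, missing): missing=True means the IdP sent
    no group attribute at all, so the provider settings need adjusting."""
    if group_attr not in idp_attrs:
        return ([default_group] if default_group else [], True)
    idp_groups = idp_attrs[group_attr]
    if isinstance(idp_groups, str):  # a single group may arrive as a plain string
        idp_groups = [idp_groups]
    if manual_map is None:
        groups = list(idp_groups)
    else:
        groups = [manual_map[g] for g in idp_groups if g in manual_map]
    if not groups and default_group:
        groups.append(default_group)
    return groups, False
```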
Single Sign-On
Single Sign-On (SSO) simplifies login for Atlassian users: once enabled, users who open the Jira login page are redirected to the OAuth/OIDC provider.
To set up SSO, head to the SSO Settings tab, which holds the settings that shape the login experience. Enable Auto Redirect to Application to redirect users to the OAuth/OIDC provider when they access the Jira login page.
The Enable Backdoor Login option allows for emergency access using a backdoor URL, which can be restricted to specific groups if needed. You can also use Domain Restriction to allow login for specific user domains and configure multiple allowed domains (semicolon-separated).
The Secure Admin Login option ensures the re-authentication of admin users before accessing pages with administrative permissions. Redirection rules allow you to redirect users to login pages/providers based on their email domains.
To create a new rule, go to the Redirection Rules tab and click Add Rule. Give the rule a name and set the conditions for redirection. Click Save once you're done. You can also set a default rule if no other rule conditions are met.
Here are the key SSO settings to consider:
- Enable Auto Redirect to Application
- Enable Backdoor Login
- Domain Restriction
- Secure Admin Login
- Redirection rules
By configuring these settings, you can create a seamless SSO experience for your users.
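An added model of the Domain Restriction and Redirection Rules behaviour described above, written for this page and not taken from the plugin. The setting names follow the UI; the domains, rule names and provider names are constructed.

```python
# Domain Restriction as typed in the SSO Settings tab: semicolon-separated domains.
ALLOWED_DOMAINS = "example.com; Contoso.com"

# Redirection rules: (rule name, email domains, provider). The default applies when none match.
REDIRECTION_RULES = [
    ("Contoso staff", ["contoso.com"], "azure-b2c-contoso"),
    ("Example staff", ["example.com"], "azure-b2c-example"),
]
DEFAULT_PROVIDER = "jira-local-login"


def parse_domains(value):
    """Split the semicolon-separated setting, trimming blanks and lower-casing."""
    return {d.strip().lower() for d in value.split(";") if d.strip()}


def email_domain(email):
    """Return the domain part of an address, or None if it is malformed."""
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    return domain.lower() if local and domain else None


def is_domain_allowed(email, allowed=ALLOWED_DOMAINS):
    """Exact, case-insensitive match against the allow-list: a domain such as
    'evil-example.com' must not pass merely because it contains 'example.com'."""
    domain = email_domain(email)
    return domain is not None and domain in parse_domains(allowed)


def choose_provider(email, rules=REDIRECTION_RULES, default=DEFAULT_PROVIDER):
    """The first rule whose domain list contains the email's domain wins;
    otherwise the default rule applies. Malformed addresses get no provider."""
    domain = email_domain(email)
    if domain is None:
        return None
    for _name, domains, provider in rules:
        if domain in {d.lower() for d in domains}:
            return provider
    return default


def login_decision(email):
    """Apply both settings: reject addresses outside the allow-list,
    otherwise pick the provider the user is redirected to."""
    if not is_domain_allowed(email):
        return "denied"
    return choose_provider(email)
```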
Frequently Asked Questions
How do I federate a SAML application with Azure AD B2C?
To federate a SAML application with Azure AD B2C, follow these key steps: create a policy key, technical profile, and relying party profile, then upload policies and register your application in Azure AD B2C.