SAML Single Sign-OnSAML Single Sign-On

Azure AD B2C with User Sync

After completing this setup guide, you will set up Azure AD B2C and your Atlassian product for the SAML SSO app and also User Sync. Additionally, you will enable the SSO redirection and test SSO.

Prerequisites

To use the SAML SSO app with Azure AD B2C, you need the following:

  • An Azure AD subscription

  • An Azure AD B2C Tenant (please check this Microsoft article for more information)

  • A (trial) subscription for the SAML SSO app

  • Admin access to your Atlassian product

Step-By-Step Setup Guide

Install the SAML SSO app

In your Atlassian product, open the in-product marketplace as described in the Atlassian documentation.
Search for "resolution saml" and click "Install" for SAML Single Sign On (SSO) by resolution Reichert Network Solutions GmbH.

After the installation is complete, click Manage Apps/Addons

Install SAML SSO App
Install SAML SSO App

Configure User Sync

  1. Sign in to http://portal.azure.com.

  2. Select the Directory + Subscription icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
    AzureADB2C_Dir.png

  3. In the Azure portal, search for and select Azure AD B2C.
    AzureAD_B2C.png

  4. Select App registrations (Preview).
    App_Registration.png

  5. Select New registration.
    New_Registration.png

  6. Enter a Name for the application.

  7. Select Accounts in any organizational directory or any identity provider.

  8. Under Redirect URI, select Web, and then enter https://<your-instance>/plugins/servlet/de.resolution.usersync/oauth2/authorize in the URL text box.
    Register_an_app.png

  9. Under Permissions, select the Grant admin consent to openid and offline_access permissions checkbox.

  10. Select Register to proceed.

  11. Select API permissions in the left panel and then Add a permission.
    API_permissions.png

  12. Select Microsoft Graph.
    Request_API_permissions_-_Microsoft_Azure.png

  13. Choose Delegated permissions.
    Delegated_permissions_-_Microsoft_Azure.png

  14. Scroll down to User, make sure that User.Read is ticked, and tick also User.ReadBasic.All. Click on Add permissions to confirm this.
    API_permissions_-_Microsoft_Azure.png

  15. In the API permissions window, click again on Add a permission.

    Add a permission Azure AD B2C
    Add a permission

  16. Choose Application permissions.
    App_permissions_-_Microsoft_Azure.png

  17. Expand Directory and tick Directory.Read.All.
    Directory_read_all_-_Microsoft_Azure.png

  18. Scroll down to User and also tick User.Read.All. Afterward, click Add permissions to continue.
    user_read_all_-_Microsoft_Azure.png

  19. Click on Certificates & secrets in the left panel, and then click on New client secret.
    Certificates___secrets_-_Microsoft_Azure.png

  20. Enter a description for the secret and also set an expiry date. Click on Add to confirm.
    Certificates_secrets_-_Microsoft_Azure.png

  21. Your Client secret will be displayed only once, thus copy the secret. Of course, it is possible to create a new secret, if you lost your secret.
    copy_Certificates___secrets_-_Microsoft_Azure.png

  22. Go to the overview page of the Azure AD B2C app. Copy the Application ID and the Directory (tenant ID)
    AppID_DirID_-_Microsoft_Azure.png

  23. Now, it is time to head over to your Atlassian application. In your Atlassian application, go to User Sync, click Add Connector and choose Azure AD Connector.

  24. Insert the Application ID, Directory ID and the Application secret into the User Sync connector, and afterward click Authorize.
    US_AzureADB2C_connector.png

  25. To take the full advantages of User Sync, scroll down and tick "Enable Scheduled Synchronization". You can control the sync interval via a Cron Expression.
    US_AzureADB2C_connector_scheduled_sync.png

  26. Do not forget to save your configuration. Scroll down to the bottom of the page and hit "Save".

Configure SAML SSO

For the next steps, please go to Manage apps (or addons), choose SAML SSO and click Configure.

First Steps - Wizard

  1. After you click "Configure", the Wizard will be triggered. If not, or if you want to add another Identity Prover (IdP) to your existing configuration, click on "+ Add IdP". This guide assumes, that there is no IdP configured.
    The Wizard greets you with information, click on "Add new IdP" to proceed.

  2. For the IdP Type, choose "Azure AD". You can also choose a name. Click on "Next" to continue.

  3. In the next step, you will configure Azure AD B2C. Please keep this tab open or copy the information.

Create and Configure an Azure Enterprise App for SAML SSO

Adding an Enterprise Application for the SAML SSO App

  1. Navigate to http://portal.azure.com.

  2. Select the Directory + Subscription icon in the portal toolbar, and make sure you have selected the directory that contains your Azure AD B2C tenant.
    AzureADB2C_Dir.png

  3. In the Azure portal, search for and select Azure AD B2C.
    AzureAD_B2C.png

  4. Navigate to the Azure Active Directory page, then select Enterprise applications under Manage in the left panel.

  5. Select New Application to add a new enterprise application.
    Enterprise_applications___All_applications_-_Microsoft_Azure.png

  6. We created presets in the gallery for the SAML SSO app. Search for "resolution gmbh" and choose the version which matches your Atlassian product, e.g. "SAML SSO for Jira by resolution GmbH" for Jira.

    Browse Apps
    Browse Apps

  7. Click Add to add a new enterprise application. You can also choose a new name for it.
    SAML_SSO_for_Jira_by_resolution_GmbH_-_Microsoft_Azure.png
    Please wait until the Azure portal redirects you to the enterprise application you just created. This can take a couple of seconds. For the next steps, you will configure the enterprise application.

Deactivate User Assignment Required

  1. In the left panel, click Properties. In the new window, scroll down to User assignment required? and set the option to NO. Afterward, Save your configuration.

    Deactivate User Assignment Required
    Deactivate User Assignment Required

Configure the SSO

  1. In the left panel under Manage, choose "Single sign-on". Then click SAML for the Single Sign On method.
    SAML_SSO_for_Jira_by_resolution_GmbH___Single_sign-on_-_Microsoft_Azure.png

  2. Click the pen symbol in Basic SAML Configuration.
    SAML_SSO_for_Jira_by_resolution_GmbH1___Single_sign-on_-_Microsoft_Azure.png

  3. Set the Identifier (Entity ID) and the Reply URL (Assertion Consumer Service URL). You can find both in the last window of the wizard.
    In general, the needed URL for both is: https://<base-url>/plugins/servlet/samlsso
    You need to substitute <base-url> with the base URL of your Atlassian product instanceThe gallery application already provides the needed URLs. You only have to substitute YOURJIRASERVERNAME with the URL of your Atlassian product instance and then click Save.

    SAML SSO Basic Configuration URLs
    SAML SSO Basic Configuration URLs

  4. Scroll down to SAML Signing Certificate and copy the App Federation Metadata Url. The link will be used to configure the SAML SSO app.
    b2c_jira_zizo___Single_sign-on_-_Microsoft_Azure.png
    The configuration in Azure AD B2C is now finished. In the next step, we will finish the configuration in the SAML SSO wizard.

Finishing the Configuration - Wizard

  1. Paste the App Federation Metadata Url that was obtained before in the "Metadata URL" textfield.

    Metadata URL
    Metadata URL

  2. Click on "Import".
    Metadata_URL2.png

  3. Click on "Next" to continue.
    Metadata_URL3.png

  4. For the User Update Method, choose Update with UserSync-Connector. If you additionally want to use the SAML attributes as sent by your identity provider, choose the corresponding option.
    User_creation_update1.png

  5. For UserSync-Connector, choose the one you have created before.
    User_creation_update2.png

  6. For the "Lookup Attribute", insert http://schemas.microsoft.com/identity/claims/objectidentifier into the text field.
    This allows the app the add create new users which have not already been synced by User Sync in the first place.
    Then click "Save & Next" to continue. 
    User_creation_update3.png

Testing SSO

The wizard also allows testing the Single Sign On. Just follow the steps to test if the login works as expected.

  1. Click on "Start test" to proceed.
    test.png

  2. Copy the blue marked link and open a new incognito/private tab or a different web browser. Then, paste the link and navigate to it.
    start_test.png

  3. You will be now redirected to Azure AD's login page. Please log-in with your username and password. 
    If everything worked fine, you will be logged in to your Atlassian product. In the other tab/browser in which you were configuring the SAML SSO plugin, you can see also the "SUCCESS" status, if everything worked as expected.
    Click Next to proceed.
    test_results.png

SSO Redirection

As a last step, you can set the Enable SSO Redirect option. If set, all users will be redirected to Single Sign On, thus they will be logged in via the IdP.
Click on Save & Close to finish the configuration.
enable_SSO.png