Capabilities overview

Atlassian Cloud products help businesses to innovate faster through better collaboration, automation, and intelligent workflows. Teams across your organization can organize, collaborate, and deliver faster.

Atlassian pricing page

You need an Atlassian Access subscription to set up SAML SSO. You can be on any product and any plan; to add SAML and provisioning, you need to subscribe to Access.

| Supported capability | Required plan | Details |
| --- | --- | --- |
| Passwordless SSO | Free plan | Low SSO tax |
| Automated provisioning | Free plan | SCIM 2.0 (create, remove, update accounts) |
| Group management | Free plan | Push groups and manage user group assignment in Atlassian |
| Password manager | Any | Auto-fill / Auto-capture |

Prerequisites

Before you enable SSO for Atlassian, you need to take care of a few things:

  1. Verify domain
  2. Add Atlassian Access subscription
  3. Collect idemeum SAML metadata values
  4. Make sure your admin account is from a different domain than the one you will use for SSO. For instance, if you enable SSO for coke.com, make sure your admin account belongs to a different domain; otherwise, if SAML is misconfigured, you will lock yourself out.

Instructions on how to verify a domain are below.

Verify a domain to manage accounts | Atlassian Support
Verify ownership of your company’s domain over HTTPS or DNS to claim managed accounts for your organization.

You will also need to obtain your idemeum tenant SAML metadata parameters. Here is what you will need:

  • Identity Provider Entity ID
  • Identity Provider SSO URL
  • Identity Provider Public X509 certificate (PEM format)

Instructions for how to obtain your idemeum SAML metadata parameters are below.

How to obtain SAML metadata for idemeum
SAML metadata is the data that describes the information needed to communicate with a SAML endpoint. For example, if Identity Provider (IDP) X wanted to allow Service Provider (SP) Y to request SAML responses, IdP X would share its metadata with SP Y and vice-versa. Each idemeum tenant has associate…

Single Sign-On (SAML)

Configure SSO in Atlassian Cloud

  • Navigate to Atlassian Cloud and access Administration menu
  • Choose Security section at the top menu and then click SAML Single Sign-On on the left side
  • Click Add SAML configuration
Now you will be using idemeum SAML metadata values obtained in the prerequisites section
  • Paste Identity Provider Entity ID, Identity Provider SSO URL, and Identity Provider Public X509 certificate (PEM format)
  • Click Save configuration
  • Copy SP Entity ID and SP Assertion Consumer Service URL as you will need these parameters to configure idemeum
  • The last thing you need to do is enforce Single Sign-On on your default policy for Atlassian Access. In the left menu, click Authentication policies.
  • Click Edit for default policy (or any policy that you have configured) and enforce SSO.
  • Update the configuration and make sure policy is updated

Configure SSO in idemeum

  • Navigate to https://[your domain].idemeum.com/adminportal
  • Click Applications in the left menu
  • Search for Atlassian Cloud application and click Add App
  • Click SAML at the top navigation menu
Now you will be using SAML metadata values obtained from Atlassian administration portal
  • Type in your organization name (https://[org name].atlassian.net/)
  • Paste SP Entity ID and Assertion Consumer Service URL
  • Click Save

Automated provisioning with SCIM

Set up automated provisioning

  • Access Settings -> User provisioning
  • Click Create a directory, give it a name, and copy Directory Base URL and API key
  • Return to idemeum configuration, and add these parameters to Provisioning section in the Atlassian Cloud app. You will paste Directory Base URL and API key into the form.
  • The best way to provision users into Atlassian is with group provisioning enabled. idemeum will push your idemeum groups into Atlassian and assign users into appropriate groups so that they have access to necessary resources. Make sure you have group provisioning set to true.
  • Click Save
You can learn more about how idemeum handles group provisioning below.
Group management
Learn all about idemeum

Set up groups in Atlassian

Once idemeum pushes groups into Atlassian, it will start provisioning users into those specific groups. Groups are a very convenient way to manage which resources and products each of your users can access inside Atlassian.

  • Navigate to Directory -> Groups
  • Choose the group that you want to configure with product access
  • Click on Add product and choose what product the members of the group will have access to
  • Once product access is configured all newly provisioned users will automatically have access to selected products

SAML login flows

Atlassian Cloud supports both IDP Initiated Flow and SP Initiated Flow for SSO.

IDP Initiated flow

With this flow, users first navigate to the idemeum user catalog and then click the Atlassian icon to launch the application.

SP Initiated flow

With this flow, users go directly to https://id.atlassian.com/login, type in their email address, and log in with passwordless SSO.

