
This guide takes you through the steps of setting up Okta login to the following Atlassian applications:

  • Jira (Server, Data Center)

  • Confluence (Server, Data Center)

  • Bitbucket (Server, Data Center)

  • Bamboo (Server)

  • Fisheye / Crucible (Server)

Instructions for how to download and install the Kantega SSO Enterprise app from Atlassian Marketplace

You will find a link to Atlassian Marketplace in the upper right corner of your Atlassian application. Click Manage apps and search for “Kantega”. Click “Free trial” or “Buy now” to install the app.

Add identity provider

A welcome message is shown when you choose to configure the app for the very first time. Click “Start setup” and then “Setup SAML / OIDC”.

Select “Okta” in the identity provider gallery.

Okta allows you to set up single sign-on over both SAML and the OpenID Connect protocol. This knowledge base article describes the practical differences between these two protocols.

In the first wizard step, you select which SSO protocol to use. Click “Next”. Follow the protocol specific setup guides below.

Setup Okta with SAML

1. Select provisioning method

The Atlassian applications need information about the users logging in and their permissions. At this wizard step, we choose whether user and permission data already exist when users log in with SSO or whether user records should be created dynamically (just-in-time provisioning). Note that Kantega SSO Enterprise also offers cloud user provisioning with API Connectors for Okta. This gives you a user directory that reads user and permission data from Okta and is always kept up to date and synchronized. More information about user provisioning alternatives is found here.

Info

If you want to utilize API Connectors to synchronize users, we recommend that you set that up before setting up the SSO integration. When the synchronized user directory is up and running, you can set up SSO and choose “Accounts already exist in <..> when logging in”.

You can also specify whether users logging in through Okta should be added as members to a set of default groups automatically. Alternatively, you can also retrieve and assign group memberships individually based on attributes in the SAML response. Such configurations are available after the initial setup.

Select provisioning method, default groups and click “Next”.


2. Configure identity provider


Log in to Okta as an admin user.

Click the "Admin" button in the header.

Click “Developer Console” in the upper right and select “Classic UI”.

Click the "Applications" link in the header.

On the applications page, click "Add Application".

Then, click "Create New App".

Choose "Web" as platform and "SAML 2.0" as sign on method.

Enter an app name in General Settings. Optionally upload a logo, and click "Next".

Copy the response URL from the prepare step in the Kantega SSO wizard into the fields "Single sign on URL" and "Audience URI (SP Entry ID)".


In "Attribute statements", set up the following attributes:

  • givenName with format Unspecified and value user.firstName

  • surname with format Unspecified and value user.lastName

  • email with format Unspecified and value user.email


Click “Next”, then “Finish”.

Right click on the "Identity Provider metadata" link (see illustration above) and copy the URL to your clipboard. You will need this link in the next step of this wizard.


Assign People and/or Groups to your app

Okta users now need to be assigned to your application, which gives them access to it.

Click the "Assignments" tab.

Further, when you click the green "Assign" button, you can choose to assign users individually or through their group memberships.

To assign a group to your application:

  • Select "Assign to Groups"

  • Find the group(s) you want to assign to your application and click the "Assign" button for each. This can also be the group Everyone if all users should have access.

  • Click "Assign"

  • Click the "Done" button when you are finished assigning.

To assign people individually:

  • Select "Assign to People"

  • Find the people you want to assign to your application and click "Assign" on these.

  • Click the "Save and Go Back" button for each step

  • Click the "Done" button when you are finished assigning all people.

3. Import metadata

Back in the Kantega SSO setup wizard you can now press "Next" to get to the import step.

Paste in the metadata URL (see the instructions above on copying the metadata URL from Okta).

Click “Next”.

4. Identity provider name

Fill in a name for your configuration; by default this is “Google GSuite”. Click “Next”.

5. Verify signature

This step shows the certificate used to validate the SAML messages.

Click “Next”.

7. Summary

Validate your setup and click “Finish”.

 

8. Test and verify setup

On the next page you will be given a link to perform a test of your setup.

The test verifies that users are allowed to authenticate with the current configuration, and you get feedback on whether the current user is found in the Atlassian application. Here you can also fix user lookup issues (selecting the right username attribute and expressing username transformation rules) and select data attributes for just-in-time provisioning. More info about testing and verifying identity provider configurations.

6. Redirection mode

By default, Kantega SSO Enterprise will forward all users to the configured identity provider. However, you can configure both which subset of users should log in through this identity provider and how they are redirected. More about configuring redirection rules.

Setup Okta with OpenID Connect

1. Select provisioning method

The Atlassian applications need information about the users logging in and their permissions. At this wizard step, we choose whether user and permission data already exist when users log in with SSO or whether user records should be created dynamically (just-in-time provisioning). Note that Kantega SSO Enterprise also offers cloud user provisioning with API Connectors for Okta. This gives you a user directory that reads user and permission data from Okta and is always kept up to date and synchronized. More information about user provisioning alternatives is found here.

Info

If you want to utilize API Connectors to synchronize users, we recommend that you set that up before setting up the SSO integration. When the synchronized user directory is up and running, you can set up SSO and choose “Accounts already exist in <..> when logging in”.

You can also specify whether users logging in through Okta should be added as members to a set of default groups automatically. Alternatively, you can also retrieve and assign group memberships individually based on attributes in the SAML response. Such configurations are available after the initial setup.

Select provisioning method, default groups and click “Next”.


2. Callback URL

The “Callback URL” field will be needed when configuring your identity provider. Copy this URL value; we will make use of it in the next step.

3. Configure identity provider

Sign in to https://developers.google.com/identity/sign-in/web/sign-in

Click the blue “Configure a project”-button

Select an existing project or create a new one. Then click “NEXT”.

Select “Web server” in the “Where are you calling from?” dropdown list, and insert the callback URL (which we copied from the Kantega SSO setup above) into the text input field. Click “NEXT”.

4. Import metadata

Go to the Kantega SSO wizard and click “Next” in the import step.

5. Identity provider name

Fill in a name for your configuration; by default this is “Google GSuite”. Click “Next”.

6. Client id and secret

In this step, we will insert client credentials from Google Gsuite.

These two values are found here:

Click “Next”, and you will see a summary page of your Kantega SSO setup.

7. Summary

Validate your setup and click “Finish”.

8. Test and verify setup

On the next page you will be given a link to perform a test of your setup.

The test verifies that users are allowed to authenticate with the current configuration, and you get feedback on whether the current user is found in the Atlassian application. Here you can also fix user lookup issues (selecting the right username attribute and expressing username transformation rules) and select data attributes for just-in-time provisioning. More info about testing and verifying identity provider configurations.

6. Redirection mode

By default, Kantega SSO Enterprise will forward all users to the configured identity provider. However, you can configure both which subset of users should log in through this identity provider and how they are redirected. More about configuring redirection rules.