Info

This is a feature in Kantega SSO to support running the Atlassian products Confluence, Jira, Bamboo, and Bitbucket as apps in Microsoft Teams. Kantega SSO also gives you single sign-on using your user’s identity from Microsoft Entra ID.

If you plan to run Microsoft Teams in browsers and not only as a standalone app, you will have to get SameSite cookies to work for the Atlassian apps when they are loaded in the Teams app, because of issues with iframes and SameSite cookies. This problem is explained here: https://jira.atlassian.com/browse/CONFSERVER-59298

...

Setup in detail

The four steps above are described in detail below for Jira. Note that step I applies only to Confluence.

I. For Confluence only: Disable anti clickjacking protection and enable protection in Kantega SSO

...

...

Steps to prepare Confluence

  1. Follow this guide to disable the built-in anti clickjacking protection in Confluence: https://confluence.atlassian.com/confkb/confluence-page-does-not-display-in-an-iframe-827335781.html

...

  1. Turn on the Content Security Policy switch to give similar protection while still allowing Confluence to be loaded in Microsoft Teams.

...

Info

The Content Security Policy switch is only available for Confluence. For other products this is included in the Enable Microsoft Teams SSO login switch.
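
After the built-in anti clickjacking protection is disabled and the Content Security Policy switch is turned on, the response headers show whether framing is still restricted. The following is an added example, not Kantega SSO or Atlassian code: it audits a set of response headers, and the expected Teams origin and the sample headers are constructed assumptions.

```python
# Added example: audit the framing headers of a response (constructed samples).
def parse_csp(value):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # CSP keeps the first occurrence of a repeated directive.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def framing_findings(headers, expected_ancestors):
    """Return a list of problems with how a response restricts framing."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    ancestors = csp.get("frame-ancestors")
    xfo = h.get("x-frame-options", "").strip().upper()
    if ancestors is None:
        # Without frame-ancestors, browsers fall back to X-Frame-Options.
        if xfo in ("DENY", "SAMEORIGIN"):
            return ["X-Frame-Options %s blocks framing by Teams" % xfo]
        return ["no framing restriction at all: clickjacking protection is off"]
    # With frame-ancestors present, browsers ignore X-Frame-Options.
    findings = []
    for src in ancestors:
        if src in ("*", "http:", "https:"):
            findings.append("frame-ancestors source %s allows any site" % src)
    for src in expected_ancestors:
        if src not in ancestors:
            findings.append("frame-ancestors does not list %s" % src)
    return findings


# Assumed Teams web origin, for illustration; use the origins your tenant loads from.
EXPECTED = ["https://teams.microsoft.com"]

# Constructed sample responses, not captured from a real server.
SAMPLES = {
    "X-Frame-Options only": {"X-Frame-Options": "SAMEORIGIN"},
    "protection off, no CSP": {"Content-Type": "text/html"},
    "CSP restricted": {"Content-Security-Policy":
                       "default-src 'self'; frame-ancestors 'self' https://teams.microsoft.com"},
    "CSP wildcard": {"Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(name, "->", framing_findings(headers, EXPECTED) or "ok")
```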

II. In

...

Entra ID set up Teams SSO configuration

Prepare App registration, Client ID and Client Secret

  1. Log into Microsoft Entra ID with an administrator account. Search in the top bar for App registrations and navigate to this page. During these next steps you should create and copy the values Client ID, Client Secret and API URL to use in later sections.

  2. If you have an existing Entra ID OIDC client application set up in Kantega SSO you may use this. See where to find Client IDs in the below screenshot:

    You may search for the Client ID in the search bar of Entra ID. Open your existing client application and skip to point 6.
    If you do not have an existing OIDC client application continue to step 3.

  3. Press New registration, set a name for your new client application and press Register. You do not have to fill any of the other fields on this page.

  4. Copy Client ID to use in later steps.

  5. In the left menu, click Certificates & secrets and click New client secret. Type a suitable description, set appropriate expiry, and click Add. Copy the Secret Value of the new secret for later steps, and not the Secret ID.


Prepare API permissions

6. Click into API permissions and Add permissions.

7. Click the Microsoft Graph image and Delegated permissions. Select all four OpenId permissions:

  • email
  • offline_access
  • openid
  • profile

User.Read should already be selected from before. Press the Add Permissions button.

8. Press the Grant admin consent for <your tenant name> button and press Yes. This is necessary to allow users to log in via the new Teams SSO app into the Atlassian application.

Expose API and give Microsoft Teams access

9. Click Expose an API in the left menu. Click the Application ID URI Add button on top. The App ID URI should be set to this address:

api://<your-atlassian-server-name-without-portnumber>-<Client ID value-from-step-4>

Please note the “-” between the two values above. Copy the API address for later use and press Save.



10. Press Add a scope and insert the following scope values in the panel that appears:

  • Enter access_as_user as the Scope name.

  • Set Who can consent? to Admins and users.

  • To configure the admin and user consent prompts with appropriate values for access_as_user scope, provide the following information in the fields:

    • Enter Teams can access the user’s profile as Admin consent display name.

    • Enter Allows Teams to call the app’s web APIs as the current user as Admin consent description.

    • Enter Teams can access the user profile and make requests on the user’s behalf as User consent display name.

    • Enter Enable Teams to call this app’s APIs with the same rights as the user as User consent description.

    • Ensure that State is set to Enabled.


11. Add Microsoft Teams client application IDs by pressing Add a client application and using the below values:

  • 1fec8e78-bce4-4aaf-ab1b-5451cc387264 (Teams mobile or desktop application)

  • 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 (Teams web application)

Make sure to select Authorized scopes before you press Add application for the two values.

Afterwards this section should look like this:

12. Then go to the Manifest page in the left menu, set the value "accessTokenAcceptedVersion": 2, and press Save.
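
Steps 9 to 12 can be verified from the JSON shown on the Manifest page. The following is an added example, not part of Kantega SSO: apart from accessTokenAcceptedVersion, the attribute names (appId, identifierUris, oauth2Permissions, preAuthorizedApplications) are assumed to follow the Azure AD Graph manifest format, and the server name and GUIDs in the sample are constructed placeholders.

```python
# Added example: check a parsed app manifest against steps 9-12.
# Attribute names assume the Azure AD Graph manifest format.
TEAMS_CLIENT_IDS = {
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264",  # Teams mobile or desktop application
    "5e3ce6c0-2b1f-4285-8d4b-75ee78787346",  # Teams web application
}


def check_manifest(manifest, server_name):
    """Return the deviations from steps 9-12 found in a parsed manifest."""
    problems = []
    uri = "api://%s-%s" % (server_name, manifest.get("appId", ""))
    if uri not in manifest.get("identifierUris", []):
        problems.append("App ID URI should be " + uri)
    scope = next((s for s in manifest.get("oauth2Permissions", [])
                  if s.get("value") == "access_as_user"), None)
    if scope is None:
        problems.append("scope access_as_user is missing")
    else:
        if not scope.get("isEnabled"):
            problems.append("scope access_as_user is not Enabled")
        if scope.get("type") != "User":  # "User" means Admins and users
            problems.append("Who can consent? is not Admins and users")
    scope_id = scope.get("id") if scope else None
    authorized = {app.get("appId")
                  for app in manifest.get("preAuthorizedApplications", [])
                  if scope_id and scope_id in app.get("permissionIds", [])}
    for client in sorted(TEAMS_CLIENT_IDS - authorized):
        problems.append("Teams client %s is not authorized for the scope" % client)
    if manifest.get("accessTokenAcceptedVersion") != 2:
        problems.append("accessTokenAcceptedVersion is not 2")
    return problems


# Constructed manifest; the appId and scope id GUIDs are placeholders.
SCOPE_ID = "00000000-0000-0000-0000-0000000000aa"
GOOD = {
    "appId": "00000000-0000-0000-0000-000000000001",
    "identifierUris": ["api://jira.example.com-00000000-0000-0000-0000-000000000001"],
    "oauth2Permissions": [{"id": SCOPE_ID, "value": "access_as_user",
                           "isEnabled": True, "type": "User"}],
    "preAuthorizedApplications": [{"appId": c, "permissionIds": [SCOPE_ID]}
                                  for c in sorted(TEAMS_CLIENT_IDS)],
    "accessTokenAcceptedVersion": 2,
}
# Same registration with step 12 skipped and the Teams web client not added.
BAD = dict(GOOD, accessTokenAcceptedVersion=None,
           preAuthorizedApplications=GOOD["preAuthorizedApplications"][:1])
```

Calling check_manifest(GOOD, "jira.example.com") returns an empty list, while BAD reports the missing Teams web client and the unset token version.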


III. Create Teams App and deploy for use in your company’s Teams tenant

...