SAML SSO can work together with Microsoft Entra Application Proxy.

Using application proxy, you can get remote access to an on-premises Atlassian application.

...

Here, users inside your private network access your Atlassian application through the Internal URL. In the example above, it's the base URL of Jira. The External URL, on the other hand, is the URL users use to access the app from outside your network; they have to pre-authenticate with Entra ID before getting access. Note that users need to be specifically assigned to the proxy application to log in.

...

  1. Under General configuration in your Atlassian application, change the base URL from the internal to the new external URL:

  2. Stop the service for the Atlassian application.

  3. Go to the installation folder of the Atlassian service and navigate to the Tomcat server.xml file. This is usually under <Installation_folder>/conf/. Find the Connector setting, and set proxyName to the domain name of the external URL you generated in Entra ID:

    <Connector
        port="8080"
        relaxedPathChars="[]|"
        relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
        proxyName="exampleproxy-kantegasso.msappproxy.net"
        scheme="https"
        secure="true"
        proxyPort="443"
        maxThreads="150"
        minSpareThreads="25"
        connectionTimeout="20000"
        enableLookups="false"
        maxHttpHeaderSize="32168"
        protocol="HTTP/1.1"
        useBodyEncodingForURI="true"
        redirectPort="8443"
        acceptCount="100"
        disableUploadTimeout="true"
        bindOnInit="false"/>
  4. Also in server.xml, under <Engine> and <Host>, you can add an <Alias> tag with the host name of the external URL (this helps if you run into problems with a base URL mismatch):

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
          <Alias>exampleproxy-kantegasso.msappproxy.net</Alias>
          <Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
              <Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
                        factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
              <Manager pathname=""/>
              <JarScanner scanManifest="false"/>
              <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="120" />
          </Context>
    
      </Host>
      <Valve className="org.apache.catalina.valves.AccessLogValve"
              pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%{sanitized.query}r %H&quot; %s %b %D &quot;%{sanitized.referer}r&quot; &quot;%{User-Agent}i&quot; &quot;%{j$
    </Engine>
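
A check for the server.xml edits in steps 3 and 4, as an added example that is not part of the original page or of Kantega SSO: it compares the Connector's proxyName, scheme, secure and proxyPort, and the optional Alias, against the external URL. The function name, the connector_port parameter and the trimmed sample file are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a trimmed server.xml using the values from the steps above.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               proxyName="exampleproxy-kantegasso.msappproxy.net"
               scheme="https" secure="true" proxyPort="443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Alias>exampleproxy-kantegasso.msappproxy.net</Alias>
      </Host>
    </Engine>
  </Service>
</Server>"""


def check_proxy_settings(server_xml, external_url, connector_port="8080"):
    """Return a list of mismatches between server.xml and the external URL."""
    url = urlsplit(external_url)
    if not url.hostname:
        raise ValueError("external_url must include a scheme and host name")
    https = url.scheme == "https"
    expected = {
        "proxyName": url.hostname,
        "scheme": url.scheme,
        "secure": "true" if https else "false",
        "proxyPort": str(url.port or (443 if https else 80)),
    }
    root = ET.fromstring(server_xml)
    problems = []
    conn = next((c for c in root.iter("Connector")
                 if c.get("port") == connector_port), None)
    if conn is None:
        problems.append(f"no <Connector> listening on port {connector_port}")
    else:
        for attr, want in expected.items():
            got = conn.get(attr)
            if got is None or got.lower() != want:
                problems.append(f"Connector {attr}={got!r}, expected {want!r}")
    # The <Alias> is optional on the page; its absence is reported as a note.
    aliases = {(a.text or "").strip().lower() for a in root.iter("Alias")}
    if url.hostname not in aliases:
        problems.append(f"note: no <Alias> for {url.hostname} under <Host>")
    return problems

if __name__ == "__main__":
    print(check_proxy_settings(SAMPLE_SERVER_XML, "https://exampleproxy-kantegasso.msappproxy.net/"))
```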
    

...

You are now ready to set up Kantega SSO, either SAML or OpenID Connect (OIDC): Microsoft Entra ID (Azure AD).
If you have already configured an Enterprise Application or App registration in Entra ID, you may also switch out the base URL in an existing configuration.

...