1. Select provisioning method
The Atlassian application needs information about the users logging in and their permissions. At this wizard step, we choose whether user and permission data already exist when users log in with SSO, or whether user records should be created dynamically on first login (just-in-time provisioning).
You can also specify whether users logging in through Keycloak should be added as members to a set of default groups automatically. Alternatively, you can also retrieve and assign group memberships individually based on attributes in the SAML response. Such configurations are available after the initial setup.
Select whether users already exist or whether you wish to have users created automatically upon login. If you use LDAP provisioning, select "Accounts already exist in JIRA when logging in".
Otherwise, select the second option to enable just-in-time provisioning. Note that for users to be created, a name, username and an email must be sent in the SAML response (see the instructions on configuring Mappers later in this guide).
Optionally assign a default group for new users; all new users will be added to that group.
This can all be further configured and changed after initial setup, as well.
Select provisioning method, default groups and click “Next”.
Sign in to the Keycloak admin console.
Select the correct realm (we are using example.com).
Select Clients, then Create.
In Client ID, paste the ACS URL from the prepare step in the Kantega SSO wizard.
Select SAML as the Client Protocol.
Press Save.
In Settings
Mappers (Just-in-time provisioning)
If you intend to use JIT provisioning to create user accounts the first time they log in, you will need to configure Mappers. Mappers make Keycloak include the requisite SAML Response attributes (email and name). If users already exist in JIRA (using LDAP or some other means of provisioning), you can skip this step.
Open the Mappers tab. We are going to add:
Create mapper for lastName:
Create mapper for givenName:
Create mapper for email:
Mappers (Managed Groups)
If you intend to use Managed groups (manage Jira groups from Keycloak), you also need a mapper for group claims. If not, you can skip this step.
Create mapper for Group claims from identity provider:
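The mappers above only matter if the attributes actually arrive in the SAML response. The following check, an added example rather than code from Kantega SSO or Keycloak, parses a constructed SAML Response and reports which of the just-in-time prerequisites (NameID as username, email, givenName, lastName) are missing, and reads the group claim used for Managed groups. The attribute names email, givenName, lastName and groups are assumptions: they must match the SAML attribute names you set on each mapper.

```python
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 Response/Assertion.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Assumed attribute names: they must equal the "SAML Attribute Name" configured
# on each Keycloak mapper (user property mappers and the group membership mapper).
REQUIRED = ("email", "givenName", "lastName")
GROUP_ATTR = "groups"

# Constructed sample response (signature omitted; see check_jit_attributes).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>jira-software-users</saml:AttributeValue>
        <saml:AttributeValue>jira-developers</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def parse_attributes(response_xml):
    """Return (username, {attribute name: [values]}) from the first Assertion."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    username = name_id.text.strip() if name_id is not None and name_id.text else None
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return username, attrs

def check_jit_attributes(response_xml):
    """Names of the JIT prerequisites that are absent or empty (empty list = OK).
    This checks completeness only; signature and audience validation remain the SSO plugin's job."""
    username, attrs = parse_attributes(response_xml)
    missing = [] if username else ["NameID (username)"]
    missing += [name for name in REQUIRED if not attrs.get(name)]
    return missing

def group_memberships(response_xml):
    """Groups carried by the group-claim mapper (empty list if that mapper is not configured)."""
    return parse_attributes(response_xml)[1].get(GROUP_ATTR, [])
```

Running check_jit_attributes against a response captured from a failed test login (see the test step below in the wizard) tells you which mapper is missing or misnamed before you change anything in Keycloak.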
Go back to the KSSO setup wizard tab. On the metadata import step, provide the metadata URL (recommended): https://<keycloak.example.com>/auth/realms/<example.com>/protocol/saml/descriptor
Alternatively, you can also download the metadata file to disk and upload it in the KSSO wizard.
Press Next once you have uploaded the metadata.
On the Location step, give the Identity Provider a name (this name is visible to end users when logging in). Click Next.
Review the imported signing certificate (this step is purely informational). Click Next.
Review the setting and click Finish.
8. Test and verify setup
On the next page you will be given a link to perform a test of your setup.
The test verifies that users are allowed to authenticate with the current configuration, and you get feedback on whether the current user is found in the Atlassian application. You are also able to fix user lookup issues here (selecting the right username attribute and expressing username transformation rules) and to select the data attributes used for just-in-time provisioning. More info about testing and verifying identity provider configurations.
6. Redirection mode
By default, Kantega SSO Enterprise will forward all users to the configured identity provider. However, you can configure both the subset of users who should log in through this identity provider and how they are redirected. More about configuration of redirection rules.