[Legacy] Azure AD
This guide is for an older version of Kantega SSO Enterprise and is no longer maintained. New guides are here: https://kantega-sso.atlassian.net/l/c/rNTaTonz .
This guide takes you through the steps of setting up AzureAD login to the following Atlassian applications:
Jira SERVER DATA CENTER
Confluence SERVER DATA CENTER
Bitbucket SERVER DATA CENTER
Bamboo SERVER
Fisheye / Crucible SERVER
You find a link to the Atlassian Marketplace in the upper right corner of your Atlassian application. Click Manage apps and search for "Kantega." Click "Free trial" or "Buy now" to install the app.
Add identity provider
A welcome message is shown when you select to configure the app for the very first time. Click "Start setup" and then "Setup SAML / OIDC".
Select "Azure AD" in the identity provider gallery.
AzureAD allows you to set up single sign-on over both SAML and the OpenID Connect protocol. This knowledge base article describes the practical differences between these two protocols.
In the first wizard step, you select which SSO protocol to use. Click "Next." Follow the protocol-specific setup guides below.
1. Select provisioning method
The Atlassian applications need to have information about users logging in and their permissions. At this wizard step, we choose whether the user and permission data already exist when users log in with SSO or if user records should be created dynamically (just-in-time provisioning). Note that Kantega SSO Enterprise also offers cloud user provisioning with API Connectors for Azure AD. This will give you a user directory that reads out user and permission data from Azure AD and is always kept up-to-date and synchronized. More information about user provisioning alternatives are found here
If you want to utilize API Connectors to synchronize users, we recommend you to set up that before setting up the SSO integration. When the synchronized user directory is up running, you can set up SSO and choose "Accounts already exist in <..> when logging in".
You can also specify whether users logging in through Azure AD should be added as members to a set of default groups automatically. Alternatively, you can also retrieve and assign group memberships individually based on attributes in the SAML response. Such configurations are available after the initial setup.
Select the provisioning method, default groups, and click "Next."
2. Configure identity provider
Sign in to https://portal.azure.com
Navigate to Azure AD by entering "Azure Active Directory" into the search field.
Or navigate directly using the icon in Azure services.
Click "Enterprise applications,"
and then "New Application."
Search for "kantega" in the app gallery, and choose the application relevant for your current setup.
Give the application a descriptive name, click "Add," and wait a few seconds for the application to be created. Progress is indicated by a blue progress bar below the alert symbol at the top of the screen.
Click "Single sign-on" in the app settings.
Select "SAML" as single sign-on method.
We need to insert values for Identifier (EntityID) and Reply URL (Assertion Consumer Service URL).
The value to be inserted here is found back in the prepare step of the Kantega SSO wizard. Copy this value and paste it into the two required fields in Azure AD.
Click "Next."
3. Import metadata
Copy the App Federation Metadata Url, found under SAML Signing Certificate.
Paste the URL value into the metadata url field in the import step of the Kantega SSO wizard.
4. Test and verify setup
On the next page, you will be given a link to perform a test of your setup.
The test verifies that users are allowed to authenticate with the current configuration, and you get feedback on whether the current user is found in the Atlassian application. You are also able to fix user lookup issues (selecting the right username attribute and express username transformation rules), and select data attributes for just-in-time provisioning here. More info about testing and verifying identity provider configurations.
5. Redirection mode
By default, Kantega SSO Enterprise will forward all users to the configured identity provider. However, you can configure both a subset of users who should be login through this identity provider and how they are redirected. More about the configuration of redirection rules.
1. Select provisioning method
The Atlassian applications need to have information about users logging in and their permissions. At this wizard step, we choose whether the user and permission data already exist when users log in with SSO or if user records should be created dynamically (just-in-time provisioning). Note that Kantega SSO Enterprise also offers cloud user provisioning with API Connectors for Azure AD. This will give you a user directory that reads out user and permission data from Azure AD and is always kept up-to-date and synchronized. More information about user provisioning alternatives are found here
If you want to utilize API Connectors to synchronize users, we recommend you to set up that before setting up the SSO integration. When the synchronized user directory is up running, you can set up SSO and choose "Accounts already exist in <..> when logging in".
You can also specify whether users logging in through Azure AD should be added as members to a set of default groups automatically.
Select provisioning method, default groups, and click "Next."
2. Callback URL
The field "Callback URL" will be needed when configuring your identity provider. Copy this URL value (We will make use of this in the next step)
3. Configure identity provider
Sign in to https://portal.azure.com
Navigate to Azure AD by entering "Azure Active Directory" into the search field.
Or navigate directly using the icon in Azure services
Choose "App registrations" from the sidebar
Click the "New registration" button
Fill out the "Name" field. Here you can specify any value, e.g., "Jira" or "Confluence."
The Redirect URL consists of two fields. Select "Web" in the left drop-down field and paste in the Callback URL from Kantega SSO in the right field.
Click the "Register" button in the bottom left of the page and wait a few seconds until the registration is finished.
4. Import metadata
Copy "Directory (tenant) ID" to clipboard.
Press Next in Kantega SSO to the Metadata import step, modify the Discovery URL by inserting the “Directory (tenant) ID” from clipboard to replace {tenant} part of URL (see below image). Click "Next."
5. Identity provider name
Fill in a name for your configuration. By default, this is "Azure AD." Click "Next"
6. Client id and secret
In this step, we will insert client credentials from Azure AD.
Copy the "Application (client) ID" below, and paste it into the "Client ID" field above.
Then, go into "Certificates & secrets"
Generate a new secret by clicking "New client secret." Give the secret a proper name and set "Expires" to "Never" or, if preferred, give it a shorter lifetime. Click "Add."
Copy the client secret value and paste it into the "Client secret" field in the Kantega SSO configuration.
Click "Next," and you will see a summary page of your Kantega SSO setup.
7. Summary
Validate your setup and click "Finish."
8. Test and verify setup
On the next page, you will be given a link to perform a test of your setup.
The test verifies that users are allowed to authenticate with the current configuration, and you get feedback on whether the current user is found in the Atlassian application. You are also able to fix user lookup issues (selecting the right username attribute and express username transformation rules), and select data attributes for just-in-time provisioning here. More info about testing and verifying identity provider configurations.
6. Redirection mode
By default, Kantega SSO Enterprise will forward all users to the configured identity provider. However, you can configure both a subset of users who should be login through this identity provider and how they are redirected. More about the configuration of redirection rules.