1. Select provisioning method
The Atlassian applications needs to have information about users logging in and their permissions. At this wizard step, we choose whether user and permission data already exist when users log in with SSO or if user records should be created dynamically (just-in-time provisioning). Note that, Kantega SSO Enterprise does also offer cloud user provisioning with API Connectors for Google GSuite. This will give you a user directory that reads out user and permission data from GSuite and is always kept up-to-date and synchronized. More information about user provisioning alternatives are found here
If you want to utilize API Connectors to synchronize users, we recommend you to setup that before the setting up the SSO integration. When the synchronized user directory is up running, you can set up SSO and choose “Accounts already exist in <..> when logging in”.
Select provisioning method and click “Next”.
2. Configure identity provider
Go to https://admin.google.com
Select Apps in the main menu
Select SAML apps in the apps settings.
Press the round "+" button to add a new SAML app:
Enable SSO for SAML Application:
Press "Select my own custom app" link of the dialog window:
Google IdP Information:
On this step only click to download Google's IDP metadata.
You will upload this metadata file in the next step of this setup wizard.
Basic Information for your Custom App
Use a descriptive name for your app, such as "JIRA".
Then press “NEXT”.
Service Provider Details
Copy the response URL from the setup wizard (back in the prepare step in the Kantega SSO wizard) into the ACS URL and Entity ID:
Leave other fields blank and press “NEXT”
Attribute Mapping
On this step, add the correct mapping for attributes givenName, surname and email.
All of the fields should be of type "Basic Information"
Then press “FINISH” and “OK”.
Enable the app for users
Make sure to set the "Service status" to "ON for everyone" on your GSuite SAML app.
If you want the Google login to only apply to a subset of the organization, you can choose "On for some". With this setting, users in other parts of the organization will be exposed with a "Service not enabled"-message after their username / password is given.
You may now close the G Suite browser window.
Click “Next” in the Kantega SSO wizard.
3. Import metadata
Upload the metadata file that we downloaded from Google during the identity provider configurations (previous step).
Click “Next”
4. Identity provider name
Fill in a name for your configuration, by default this is “Google GSuite”. Click “Next”
5. Verify signature
This step shows the certificate used to validate the SAML messages.
Click “Next”.
7. Summary
Validate your setup and click “Finish”.
8. Test and verify setup
On the next page you will be given a link to perform a test of your setup.
The test verifies that users are allowed to authenticate with the current configuration, and you get feedback on whether the current user is found in Atlassian application. You are also able to fix user lookup issues (selecting the right username attribute and express username transformation rules) and select data attributes for just-in-time provisioning here. More info about testing av verifying identity provider configurations.
6. Redirection mode
By default, Kantega SSO Enterprise will forward all users to the configured identity provider. However, you can configure both a subset of users who should be login through this identity provider and how they are redirected. More about configuration of redirection rules.