Configuring encrypted Client Secret for OIDC / API connectors
The Client Secret for an OIDC Identity Provider (IdP) and for the Entra ID Connector is typically defined in the KSSO configuration files (connector.xml for the Entra ID connector, provider.xml for an OIDC IdP). It can, however, be overridden securely with an environment variable or a Java/JVM system property, which takes precedence over the value in the KSSO XML configuration.
For Bitbucket versions 9 and above, these parameters can be encrypted when they are read by Bitbucket.
Client Secret property name
For an OIDC identity provider the general name of the property is:
ORG_KANTEGA_ATLASKERB_IDENTITYPROVIDERS_OIDCSTATIC_CLIENTSECRET
For Entra ID API connector:
ORG_KANTEGA_ATLASKERB_CONNECTOR_AZURE_AZUREADCONNECTORTYPE_STATIC_CLIENTSECRET
If you have more than one OIDC IdP or Entra ID connector, the property name can include the KSSO id of the provider or connector. The exact property name, with the correct id, is shown in the Client secret section of the admin UI: under the “IdP integration” menu for an OIDC IdP and under the “Cloud integration” menu for an Entra ID connector.
Example for the OIDC IdP:
ORG_KANTEGA_ATLASKERB_IDENTITYPROVIDERS_OIDC_GOxXFuPXJgiyAwuXugVG_CLIENTSECRET
Example for Entra ID connector:
ORG_KANTEGA_ATLASKERB_CONNECTOR_AZURE_AZUREADCONNECTORTYPE_wdlfqm6se9un_CLIENTSECRET
Client secret as environment variable
To override the client secret configured in KSSO with an environment variable, define the following system environment variable:
Linux/macOS (bash/zsh)
export ORG_KANTEGA_ATLASKERB_CONNECTOR_AZURE_AZUREADCONNECTORTYPE_STATIC_CLIENTSECRET=<YOUR_SECRET>
Windows (CMD)
set ORG_KANTEGA_ATLASKERB_CONNECTOR_AZURE_AZUREADCONNECTORTYPE_STATIC_CLIENTSECRET=<YOUR_SECRET>
Windows (PowerShell)
$env:ORG_KANTEGA_ATLASKERB_CONNECTOR_AZURE_AZUREADCONNECTORTYPE_STATIC_CLIENTSECRET = "<YOUR_SECRET>"
For enhanced security, you can set the environment variable inline when starting the Atlassian host application. This prevents the variable from being exposed in the operating system environment or showing up in system-level process listings.
ORG_KANTEGA_ATLASKERB_CONNECTOR_AZURE_AZUREADCONNECTORTYPE_STATIC_CLIENTSECRET=<YOUR_SECRET> ./startup.sh
Make sure to replace <YOUR_SECRET> with your actual client secret.
Client secret as JVM system property
You can override the client secret configured in KSSO by setting a Java/JVM system property parameter at application startup. This parameter is normally set in these files:
Jira and Bamboo: <INSTALL>/bin/setenv.sh
JVM_SUPPORT_RECOMMENDED_ARGS="-DORG_KANTEGA_ATLASKERB_CONNECTOR_AZURE_AZUREADCONNECTORTYPE_STATIC_CLIENTSECRET=<YOUR_SECRET>"
Bitbucket: <INSTALL>/bin/_start-bitbucket.sh
Find BITBUCKET_ARGS and add a new line under it:
BITBUCKET_ARGS="-DORG_KANTEGA_ATLASKERB_CONNECTOR_AZURE_AZUREADCONNECTORTYPE_STATIC_CLIENTSECRET=<YOUR_SECRET> $BITBUCKET_ARGS"
Confluence: <CONFLUENCE_INSTALL>/bin/setenv.sh
CATALINA_OPTS="-DORG_KANTEGA_ATLASKERB_CONNECTOR_AZURE_AZUREADCONNECTORTYPE_STATIC_CLIENTSECRET=<YOUR_SECRET> ${CATALINA_OPTS}"
Make sure to replace <YOUR_SECRET> with your actual client secret.
Removing Client secret from KSSO XML Files
When the client secret comes from a source other than the KSSO configuration files, the Client secret section in the admin UI (Cloud integration / IdP integration) typically displays “Static Environment Property”. Clicking the Save button then replaces the client secret in the XML file with the text "USING_ENVIRONMENT_PROPERTY".
Revert to using client secret from KSSO configuration file
To revert to using the client secret from the KSSO configuration files rather than external sources, follow these steps:
1. Update the CLIENT_SECRET value in the KSSO configuration file for the Entra ID Connector and/or the OIDC IdP.
2. Remove the environment variables or JVM parameters from the Atlassian host.
3. Restart the Atlassian host.
4. Open the KSSO Admin GUI for the API connector (Cloud integration) and/or the OIDC identity provider (IdP integration). The client secret configuration is located at contains the value KSSO
🔐 Securing (Encrypting) Environment Variables - Only for Bitbucket 9+
To encrypt the Client Secret supplied through the parameters above, use the startup parameter secrets.secured-properties. Set it to a comma-separated list of the parameter names that should be encrypted during startup. See above for where to add the -D parameter to the Java/JVM startup:
-Dsecrets.secured-properties=ORG_KANTEGA_ATLASKERB_CONNECTOR_AZURE_AZUREADCONNECTORTYPE_wdlfqm6se9un_CLIENTSECRET,ORG_KANTEGA_ATLASKERB_CONNECTOR_AZURE_AZUREADCONNECTORTYPE_STATIC_CLIENTSECRET
To make sure the client secret cannot be read from the process environment or from any configuration file, overwrite the existing secret in the KSSO XML file by saving in the admin UI (see above) and pass the secret inline when starting the Atlassian host application.
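As an added example (not part of the KSSO documentation or product), the POSIX shell helpers below build the property names described above for a given connector type and KSSO id, assemble the Bitbucket 9+ -Dsecrets.secured-properties argument from those names, and check whether a KSSO XML file still carries a plaintext secret instead of the USING_ENVIRONMENT_PROPERTY marker. The <clientSecret> element used in the constructed sample file is an assumption, not the real KSSO file layout.

```shell
#!/bin/sh
# Added helper script (not KSSO's own tooling).

# ksso_secret_property <oidc|entra> [<KSSO id>]
# Prints the property / environment-variable name. Without an id the "static"
# name is used. Note the asymmetry from the page: the static OIDC name has no
# underscore before STATIC (OIDCSTATIC), the id-based one does (OIDC_<id>).
ksso_secret_property() {
  case "$1" in
    oidc)
      if [ -z "$2" ]; then
        echo "ORG_KANTEGA_ATLASKERB_IDENTITYPROVIDERS_OIDCSTATIC_CLIENTSECRET"
      else
        echo "ORG_KANTEGA_ATLASKERB_IDENTITYPROVIDERS_OIDC_${2}_CLIENTSECRET"
      fi ;;
    entra)
      echo "ORG_KANTEGA_ATLASKERB_CONNECTOR_AZURE_AZUREADCONNECTORTYPE_${2:-STATIC}_CLIENTSECRET" ;;
    *)
      echo "usage: ksso_secret_property <oidc|entra> [id]" >&2
      return 1 ;;
  esac
}

# ksso_secured_properties_arg <name>...
# Builds the Bitbucket 9+ switch that encrypts the listed properties at startup.
ksso_secured_properties_arg() {
  list=""
  for name in "$@"; do
    list="${list:+$list,}$name"
  done
  echo "-Dsecrets.secured-properties=$list"
}

# ksso_secret_cleared <xml file>
# Returns 0 when the file holds the USING_ENVIRONMENT_PROPERTY marker written
# by the admin UI on Save, 1 when a plaintext secret may still be present.
ksso_secret_cleared() {
  grep -q 'USING_ENVIRONMENT_PROPERTY' "$1"
}

# Usage: one Entra ID connector with the page's id plus the static OIDC IdP.
ENTRA_PROP=$(ksso_secret_property entra wdlfqm6se9un)
OIDC_PROP=$(ksso_secret_property oidc)
echo "BITBUCKET_ARGS=\"$(ksso_secured_properties_arg "$ENTRA_PROP" "$OIDC_PROP") \$BITBUCKET_ARGS\""

# Constructed sample of a connector.xml after Save (element name assumed).
SAMPLE=$(mktemp)
printf '<connector><clientSecret>USING_ENVIRONMENT_PROPERTY</clientSecret></connector>\n' > "$SAMPLE"
ksso_secret_cleared "$SAMPLE" && echo "sample XML no longer holds a plaintext secret"
rm -f "$SAMPLE"
```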
🚀 Important Notes
Any changes to environment variables (adding, modifying or removing) require a restart of the Atlassian host for changes to take effect.