Group claims from identity provider (legacy, pre-5.3)

This page contains legacy documentation with screenshots matching versions of Kantega SSO Enterprise older than 5.3, which introduced some changes to these settings.

Introduction

Kantega SSO allows Atlassian applications to read user permission data (group claims) as part of SAML and OpenID Connect (OIDC) login flows. These group claims can be handled in two ways: as managed groups or as auto-created groups.

When using managed groups

When a group is configured as managed in Kantega SSO, the following happens each time a user logs in:

  • If the SAML or OIDC response includes a group claim for the managed group, the user is added as a member (if not already one).

  • If no group claim is found for the managed group, the user is removed from the group (if currently a member).

Only groups explicitly configured as managed by Kantega SSO are affected by this feature. All other groups are ignored, so you can still manage some groups locally if you wish.

When using auto create groups

When auto-created groups are enabled, Kantega SSO creates every group named in a group claim of the SAML or OIDC response (if it does not already exist) and adds the user to all of them.

You may also enable removal of group memberships that are not present in the incoming claims. This way, the group memberships your identity provider holds for a given user are synchronized on every login.
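The two rules above, applied to constructed sample data, as an added example (this is not Kantega SSO's own code; all group names, the current-membership set and the claim contents are made up for illustration). It shows why an unmanaged group survives a login even when no claim names it, and how the "remove memberships" option for auto-created groups differs from the default. Reading that option as a strict mirror of the claims is an assumption of the example. The report messages "Will be added", "Will be removed" and "No change" are the ones the test page uses for managed groups.

```python
# Added example, not Kantega SSO's own code. Sample data is constructed.

def sync_managed_groups(current, managed, claimed):
    """Managed-group rule: for every managed group, membership follows the
    claim; every other group is left exactly as it is.

    Returns (new_memberships, report). report maps each managed group to
    the message the test page uses: "Will be added", "Will be removed" or
    "No change".
    """
    new = set(current)
    report = {}
    for group in sorted(managed):
        if group in claimed:
            report[group] = "No change" if group in current else "Will be added"
            new.add(group)
        else:
            report[group] = "Will be removed" if group in current else "No change"
            new.discard(group)
    return new, report


def sync_auto_created_groups(current, existing_groups, claimed, remove_missing=False):
    """Auto-create rule: every group named in a claim is created if it does
    not exist yet and the user is added to it. With remove_missing=True the
    user's memberships are made to mirror the claims exactly (memberships
    with no matching claim are dropped); that strict mirroring is this
    example's reading of the "remove memberships" option, an assumption.

    Returns (all_groups, created_groups, new_memberships).
    """
    claimed = set(claimed)
    all_groups = set(existing_groups) | claimed
    created = claimed - set(existing_groups)
    new = claimed if remove_missing else set(current) | claimed
    return all_groups, created, new


# Constructed sample: the user's local memberships before login, the groups
# configured as managed, the groups that already exist locally, and the
# group claims in this login's SAML/OIDC response.
CURRENT = {"jira-software-users", "old-project", "local-admins"}
MANAGED = {"jira-software-users", "confluence-users", "old-project"}
EXISTING_GROUPS = {"jira-software-users", "old-project", "local-admins"}
CLAIMED = {"jira-software-users", "confluence-users"}


def demo():
    new, report = sync_managed_groups(CURRENT, MANAGED, CLAIMED)
    for group, change in report.items():
        print(f"managed {group:22} {change}")
    # local-admins is not managed, so it survives although no claim names it.
    print("membership after managed sync:", sorted(new))

    _, created, new_default = sync_auto_created_groups(CURRENT, EXISTING_GROUPS, CLAIMED)
    print("auto-create created:", sorted(created), "memberships:", sorted(new_default))
    _, _, new_mirrored = sync_auto_created_groups(CURRENT, EXISTING_GROUPS, CLAIMED,
                                                  remove_missing=True)
    print("auto-create with remove missing, memberships:", sorted(new_mirrored))
    return new, report, created, new_default, new_mirrored


if __name__ == "__main__":
    demo()
```

Running the block prints the per-group change for each managed group and the resulting membership sets; the unmanaged "local-admins" group is only dropped in the auto-create variant with removal enabled, which is the behaviour to keep in mind before switching that option on.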

Configuring the identity provider

The first step is to configure the IDP to include group claims in its authentication response messages (SAML) or UserInfo endpoint response (OIDC) when users log in. This is typically done in the IDP's administration console, and the details depend on the IDP. We have included guides for some frequently requested IDPs; you may also consult your IDP's documentation or ask their support directly.

Test that the IDP is sending group claims

Once the identity provider is configured, run a SAML authentication test to verify that the identity provider actually sends the expected group claims. If group claims are detected, the test page notifies you of this and offers options for further configuration.
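As an added example (not Kantega SSO's own code), the following reads group claims out of a SAML assertion's AttributeStatement and out of an OIDC UserInfo response, which is what the test above checks for. Both messages are constructed samples, and the attribute/claim name "groups" is an assumption: the real name depends on how the IDP was configured. The SAML helper only inspects the attribute statement; it does no signature or validity checking, so use it on a response you have already validated.

```python
# Added example, not Kantega SSO's own code. Messages below are constructed.
import json
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML assertion fragment with two attributes, one of them groups.
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>jira-software-users</saml:AttributeValue>
      <saml:AttributeValue> confluence-users </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed OIDC UserInfo response body.
USERINFO = ('{"sub": "alice", "email": "alice@example.com", '
            '"groups": ["jira-software-users", "confluence-users"]}')


def saml_group_claims(assertion_xml, attribute_name="groups"):
    """Return the values of the named attribute from the AttributeStatement,
    in document order, with surrounding whitespace stripped. An empty list
    means no group claim was sent under that name."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            text = (value.text or "").strip()
            if text:
                values.append(text)
    return values


def oidc_group_claims(userinfo_json, claim_name="groups"):
    """Return the group claim from a UserInfo response as a list. A claim
    that arrives as a single string is wrapped in a list; a missing claim
    yields an empty list rather than an error."""
    claims = json.loads(userinfo_json)
    raw = claims.get(claim_name)
    if raw is None:
        return []
    if isinstance(raw, str):
        return [raw.strip()]
    return [str(v).strip() for v in raw if str(v).strip()]


def group_claims_detected(groups):
    """The condition the test page reports on: at least one group value."""
    return len(groups) > 0


if __name__ == "__main__":
    for label, groups in (("SAML", saml_group_claims(SAML_ASSERTION)),
                          ("OIDC", oidc_group_claims(USERINFO))):
        status = "group claims detected" if group_claims_detected(groups) else "no group claims found"
        print(f"{label}: {status}: {groups}")
```

If the attribute name your IDP emits differs (for example a URI-style SAML attribute name), pass it as the second argument; an empty result with the right name means the IDP side still needs configuring.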

The example test result below shows that the user is a member of the jira-software-users group:

The test results page also shows the change that will be applied to each managed group during login:

"No change" and "Will be removed" are also valid messages for managed groups.