Azure Application Proxy with K-SSO SAML

SAML SSO can work fine together with Azure Application Proxy.

Using application proxy, you can get remote access to an on-premises Atlassian application.


Set up an Application Proxy in Azure AD

  1. Under Application Proxy in Azure, click Configure an app.

  2. Enter the URL of your Atlassian application (in this example, Jira) as the Internal Url and click Add.

You will then get an external url, in this case

Users inside your private network access your Atlassian application through the Internal URL; in the example above, that is the base URL of Jira. The External URL, on the other hand, is the URL users use to access the app from outside your network, and they must pre-authenticate with Azure AD before getting access. Note that users need to be specifically assigned to the proxy application to log in.


Configure the proxy for your Atlassian instance

  1. Under General configuration in your Atlassian application, change the base URL from the internal to the new external URL:



  2. Stop the service for the Atlassian application

  3. Go to the installation folder of the Atlassian service and navigate to the Tomcat server.xml file. This is usually under <Installation_folder>/conf/. Find the Connector setting, and set proxyName to the domain name of the external URL you generated in Azure AD:

    <Connector port="8080"
               relaxedPathChars="[]|"
               relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
               proxyName=""
               scheme="https"
               secure="true"
               proxyPort="443"
               maxThreads="150"
               minSpareThreads="25"
               connectionTimeout="20000"
               enableLookups="false"
               maxHttpHeaderSize="32168"
               protocol="HTTP/1.1"
               useBodyEncodingForURI="true"
               redirectPort="8443"
               acceptCount="100"
               disableUploadTimeout="true"
               bindOnInit="false"/>

  4. Then also in server.xml, under <Engine> and <Host>, you can add an <Alias> tag with the external URL (this is nice if you encounter problems with the base URL mismatch):

    <Engine name="Catalina" defaultHost="localhost">
        <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
            <Alias></Alias>
            <Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
                <Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
                          factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
                <Manager pathname=""/>
                <JarScanner scanManifest="false"/>
                <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="120" />
            </Context>
        </Host>
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               pattern="%a %{}r %{jira.request.username}r %t &quot;%m %U%{sanitized.query}r %H&quot; %s %b %D &quot;%{sanitized.referer}r&quot; &quot;%{User-Agent}i&quot; &quot;%{j$
    </Engine>

  5. Restart the service for the Atlassian application. Now in our example, Jira should be accessible from, and you will have to pre-authenticate to access Jira from the external URL. Users need to be specifically assigned to the proxy application to log in.
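
Before restarting, the edits from steps 3 and 4 can be checked by parsing server.xml and comparing the Connector attributes with the external URL. The Python check below is an added example, not part of the original page or of any Atlassian or Kantega tooling; the function name `check_proxy_config`, the trimmed sample server.xml and the host `jira-example.msappproxy.net` are constructed placeholders, and it assumes the `<Alias>` holds the external host name.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a trimmed server.xml with a placeholder external host.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               proxyName="jira-example.msappproxy.net" proxyPort="443"
               scheme="https" secure="true" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Alias>jira-example.msappproxy.net</Alias>
      </Host>
    </Engine>
  </Service>
</Server>"""


def check_proxy_config(server_xml: str, external_url: str) -> list[str]:
    """Return mismatches between server.xml and the Application Proxy external URL."""
    url = urlsplit(external_url)
    host = (url.hostname or "").lower()
    port = str(url.port or (443 if url.scheme == "https" else 80))
    expected = {"proxyName": host, "proxyPort": port, "scheme": url.scheme,
                "secure": "true" if url.scheme == "https" else "false"}
    root = ET.fromstring(server_xml)
    connectors = root.findall(".//Connector")
    findings = []
    if not connectors:
        findings.append("no <Connector> element found")
    for conn in connectors:
        label = f"Connector port={conn.get('port', '?')}"
        for attr, want in expected.items():
            got = (conn.get(attr) or "").lower()
            if got != want:
                findings.append(f"{label}: {attr}={got!r}, expected {want!r}")
    # The Alias is optional on the page; flag it so a base URL mismatch is easy to trace.
    aliases = {(a.text or "").strip().lower() for a in root.findall(".//Host/Alias")}
    if host not in aliases:
        findings.append(f"no <Alias> for {host} (optional, helps with base URL mismatch)")
    return findings


if __name__ == "__main__":
    for finding in check_proxy_config(SAMPLE_SERVER_XML, "https://jira-example.msappproxy.net/"):
        print(finding)
```

An empty result means the Connector will generate links and redirects for the external host over HTTPS; a `proxyName` left empty or `scheme="http"` shows up as a finding.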


Set up Kantega SSO

You are now ready to set up Kantega SSO, either SAML or OpenID Connect (OIDC):
If you have already configured an Enterprise Application or App registration in Azure AD, you may also switch out the base URL in an existing configuration.