Redirect rules
Redirect modes
Redirect modes determine when Kantega SSO will attempt to send the user to the configured identity provider. The options are shown in the screenshot above.
Instant redirect
Instant redirect will immediately send all users to the identity provider without them being able to cancel the redirect. This is a good choice for redirect mode if all users should authenticate with the identity provider.
Auto redirect
Auto redirect will start the redirect progress bar for all users when they access the login page. The redirect progress bar will by default take 2 seconds to finish. When the progress bar is finished, the user is redirected to the identity provider. This is a good choice for redirect mode if all users should use the same identity provider, but you want to give users the option to cancel the redirect in case they need to log in with username/password.
Known domain, User directory, & User group
These three redirect rules are grouped together as they all behave similarly. They require that the user first enters their username, and based on the username received, Kantega SSO will determine whether they should be redirected to the identity provider. Known domain only checks the entered username, so users should be instructed to log in with their email.
These redirect modes are intended to be used for the following situations:
The users have different identity providers they should authenticate towards
A subset of users should log in with username/password instead of authenticating towards the identity provider and you don’t want to force the users to cancel the automatic redirect.
Fallback
Fallback is a redirect mode that should be used in combination with another identity provider that has Known domain, User directory, or User group as its redirect mode. If a user enters a username that does not match any identity provider, the fallback redirect will trigger.
None
No redirection is useful when users should manually select the identity provider by pressing its button instead of being redirected to it.
Other settings
In addition to the redirect mode, the identity provider’s behavior can be further customized by the toggles shown in the screenshot above. Note that not all toggles are applicable for all redirect modes.
Handle not found
“Handle not found” was released in Kantega SSO 6.34.0.
Applicable redirect modes: User directory, User group
“Handle not found” will redirect users to the identity provider if the username entered does not match a user in the instance. This is intended to be used for sending external users to a solution such as Azure B2C or External ID where they can sign up.
Note that this toggle can provide a worse user experience for users who already exist as mistyping their username can send them to the wrong identity provider.
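The username-based routing described above (Known domain, User directory, User group, Fallback, and “Handle not found”) can be sketched as a small decision function. This is an added illustration, not Kantega SSO's code: the IdP names, users, field names, and the evaluation order (exact match, then “Handle not found”, then Fallback) are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class IdP:
    name: str
    mode: str  # "known_domain" | "user_directory" | "user_group" | "fallback"
    domains: set = field(default_factory=set)
    directory: str = ""
    group: str = ""
    handle_not_found: bool = False  # applies to user_directory / user_group only

# Constructed sample data (hypothetical users and identity providers).
USERS = {
    "alice": {"directory": "Corp AD", "groups": {"staff"}},
    "bob": {"directory": "Internal", "groups": {"contractors"}},
}
IDPS = [
    IdP("Corporate IdP", "known_domain", domains={"example.com"}),
    IdP("AD FS", "user_directory", directory="Corp AD"),
    IdP("External ID", "user_group", group="partners", handle_not_found=True),
]

def matches(idp, username, user):
    if idp.mode == "known_domain":
        # Only the typed text is inspected; the account need not exist.
        _, at, domain = username.rpartition("@")
        return bool(at) and domain.lower() in idp.domains
    if user is None:
        return False
    if idp.mode == "user_directory":
        return user["directory"] == idp.directory
    if idp.mode == "user_group":
        return idp.group in user["groups"]
    return False

def route(username, idps, users):
    """Return the IdP name to redirect to, or None for username/password login."""
    user = users.get(username.lower())
    for idp in idps:  # 1. a rule matches the entered username
        if matches(idp, username, user):
            return idp.name
    if user is None:  # 2. unknown username and "Handle not found" is on
        for idp in idps:
            if idp.handle_not_found and idp.mode in ("user_directory", "user_group"):
                return idp.name
    for idp in idps:  # 3. nothing matched: Fallback, if one is configured
        if idp.mode == "fallback":
            return idp.name
    return None
```

In this model the mistyped username `alcie` is routed to the sign-up identity provider instead of AD FS, which is the user-experience caveat noted above.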
Auto redirect
Applicable redirect modes: Known domain, User directory, User group, Fallback
“Auto redirect” will store the user’s username as a cookie and use it to redirect the user the next time they need to log in. This makes Known domain, User directory, and User group behave more like Auto, while still having the smart user-based redirection.
Username to IdP
Applicable redirect modes: Known domain, User directory, User group, Fallback
“Username to IdP” will send the username entered on the login page as a parameter to the identity provider so the identity provider can prefill the username. This is convenient if the users use the same username for both the Atlassian instance and the identity provider.
Manual selection
Applicable redirect modes: All
When “Manual selection” is toggled for an identity provider, it will show up as a button for users to select on the Atlassian login page. The default button for an AD FS IdP named “AD FS” is shown below.
Logout page
Applicable redirect modes: Instant, Auto
Normally, Instant and Auto redirects will not trigger on the login page. “Logout page” allows you to override this behavior so users are sent straight to the identity provider when they log out.