Entra ID | SAML

1. Display name

Choose a name for your identity provider. This is the user-facing name, so choose a name your users will recognize. This value can be changed later.


2. Redirect Mode

Select how the user will be redirected to the identity provider. You may configure more redirect modes after completing the setup.

3. Prepare IDP

In this step, you will configure Entra ID to work with Kantega SSO. For this, you will need to copy the Reply URL provided. You will use this when setting up Entra ID.

 

 

Configure Microsoft Entra ID

If you are using SCIM with your provider, make sure to check out the documentation for configuring this before proceeding. It might be that you need to configure this first or at the same time as setting up SAML.

Sign in to the Azure Portal and navigate to Microsoft Entra ID > Enterprise applications.

If you have already configured SCIM, you should skip creating a new app and use the one you have already configured.

Set up a new application. You can use our templates from the gallery by searching for “kantega” and following the instructions.

Select the appropriate template and click Create.

 

Navigate to Single sign-on and select SAML as the single sign-on method.

 

Edit the Basic SAML Configuration and insert the Reply URL from Kantega SSO in the required fields Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL).

 

 

You should then end up with something looking like this.

 

 

Under the SAML Signing Certificate, copy the App Federation Metadata Url.

 

Go back to the Kantega SSO wizard.

4. Metadata

Paste the App Federation Metadata Url from the previous step into the Metadata XML file published online (URL).

5. Redirect URL

The Redirect URL should be imported automatically from the metadata document. If this does not happen, use the Set up Kantega SSO for JIRA > Login URL from Entra ID.

6. Certificate

The certificate should be imported automatically from the metadata document. If this does not happen, you will be prompted to upload a certificate. This can be found under SAML Signing Certificate > Certificate (Base64).

 

7. Summary

Check that everything looks good and submit your setup.

 

 

Test

Test that logging in with Entra ID works as expected. This will help identify if there are any issues with the configuration. Follow the steps to perform the login test.

 

Optional: Using IdP initiated login

You may also access the Jira, Confluence, Bitbucket or Bamboo site you have configured through so-called IdP initiated login when SAML is set up. IdP initiated login is when the login flow starts directly in the identity provider instead of first going to Jira, Confluence, Bitbucket or Bamboo.

You will find the login link for this in Entra ID as the User access URL (see the screenshot below):

Optional: Get group claims for user

Follow this guide to get group claims for the user in the SAML login:

https://kantega-sso.atlassian.net/wiki/x/3IBWAw

Optional: Get sAMAccountName from SAML login

In some situations, you may need the sAMAccountName username format during the SAML login. Follow the guide below to set this up.

Changes to the SAML login configuration

The SAML response from Microsoft Entra ID must return the attribute to Kantega SSO during login. To do this, go to Single sign-on, edit the User Attributes & Claims and add a new claim with the attribute onpremisessamaccountname. In the example below, we named the claim sAMAccountName, and this can now be used as the Username attribute in the User lookup configuration in Kantega SSO.

After this change, do a test login in Kantega SSO and set the Custom username attribute to sAMAccountName (see the illustration below):