SAML single sign-on with Atlassian Access

SAML single sign-on is available when you subscribe to Atlassian Access. Learn more about Atlassian Access
About SAML single sign-on

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, such as an identity provider and a service provider. SAML for single sign-on (SSO) allows users to authenticate through your company's identity provider when they log in to Atlassian Cloud products. SSO allows a user to authenticate once and then access multiple products during their session without needing to authenticate with each.

SSO only applies to user accounts from your verified domains. Learn how to verify a domain

Once your users can log in using SAML single sign-on, you need to give them access to your Atlassian products and sites. Learn how to update product access settings and Learn how users get site access

If you manage users for a site with Google Workspace, you'll need to use the SSO feature provided by Google Workspace. Learn how to connect to Google Workspace

SAML single sign-on with authentication policies

When you configure SSO with SAML or Google Workspace, you'll need to enforce SSO on subsets of users through your authentication policies. Learn how to edit authentication settings and members

Before you begin

Here's what you must do before you set up SAML single sign-on.
Subscribe to Atlassian Access from your organization. Learn about Atlassian Access security policies and features
Make sure you're an admin for an Atlassian organization. Learn about Organization administration
Verify one or more of your domains in your organization. Learn about Domain verification
Add an identity provider directory to your organization. Learn how to Add an identity provider
Link verified domains to your identity provider directory. Learn how to link domains
Check that your Atlassian product and your identity provider use the HTTPS protocol to communicate and that the configured product base URL is the HTTPS one.
Here's what we recommend you do before you set up SAML single sign-on.
Make sure the clock on your identity provider server is synchronized with NTP. SAML authentication requests are only valid for a limited time, so a clock that drifts causes otherwise valid assertions to be rejected.
Plan for downtime to set up and test your SAML configuration.
Create an authentication policy to test your SAML configuration. Add a user to the test policy. After you set up SAML, you can enable single sign-on for the test policy.

Supported identity providers

You can use the identity provider of your choice, but some capabilities are only available with selected identity providers. Learn which identity providers we support
The steps involved in setting up single sign-on differ depending on the identity provider you use. Refer to the setup instructions for your identity provider.

Available SAML attributes

When you set up your identity provider, these are the SAML attributes you use:
Copy details from your identity provider to your Atlassian organization
Copy these URLs from your Atlassian organization to your identity provider
Set up SAML single sign-on for other identity providers

If you use an on-premise identity provider, your users can only authenticate if they have access to the identity provider (for example, from your internal network or a VPN connection).

Test SAML single sign-on configuration without authentication policies

If you're unable to see authentication policies, create a temporary Atlassian test account you can use to access your organization. Use an email address for the temporary account from a domain you have not verified for this organization. This ensures that the account won't redirect to SAML single sign-on when you log in. When you select Save configuration, we apply SAML to your Atlassian organization. Because we don't log out your users, use these steps to test the SAML configuration:
Confirm you're signed in. If you experience a login error, go to Troubleshooting SAML single sign-on to adjust your configuration and test again in your incognito window. If you can't log in successfully, delete the configuration so users can access Atlassian products.

Test SAML single sign-on with authentication policies

Authentication policies give you the flexibility to configure multiple security levels for different user sets within your organization. They also reduce risk by allowing you to test different single sign-on configurations on subsets of users before rolling them out to your whole company. You may want to:
To test the settings for authentication, you'll need to configure and enforce SAML single sign-on. The following section explains how.

Configure and enforce SAML single sign-on with authentication policies

You'll need to configure and save SAML, and then enforce SAML single sign-on in an authentication policy. To configure SAML single sign-on from Authentication policies:
To enforce single sign-on:
Just-in-time provisioning with SAML

If you'd like to provision users with SAML just-in-time, you must complete these two steps:
After you complete the steps, when a user logs in for the first time with SAML, we automatically create an Atlassian account for them, and they are provisioned through SAML into your identity provider directory. Learn more about identity provider directories

Link domains for just-in-time provisioned users with SAML

If you'd like to provision users with SAML just-in-time, you must link one or more domains to your identity provider directory. After you link a domain, we automatically associate the domain's user accounts with the directory. To link domains to a directory:
Learn about linked domains

Just-in-time provisioning with authentication policies

Every organization has a default authentication policy with login settings for its users. We add new users to your default policy when you provision new accounts.
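The NTP recommendation under Before you begin and the just-in-time provisioning steps above both come down to what the service provider reads out of the SAML Response: the Conditions validity window, the audience, and the Subject and Attribute values. The Python below is an added example, not Atlassian's code or any identity provider's. It checks a constructed, unsigned sample response against the service provider's clock with a small skew allowance, then extracts the email and name values a just-in-time provisioner would use. The attribute names firstName and lastName, the audience and issuer URLs, and the user are assumptions; use the attribute names from the table for your identity provider.

```python
"""Added example: validate a SAML Response's Conditions window and pull out
the just-in-time provisioning attributes.  The response below is constructed
and unsigned; it is not a capture from any identity provider."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical attribute names: substitute the names from the attribute
# table for your identity provider.
ATTR_FIRST_NAME = "firstName"
ATTR_LAST_NAME = "lastName"

# Constructed sample. Issuer, audience, IDs and the user are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp-constructed-1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Assertion ID="_assn-constructed-1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def utc(*args):
    """Build a timezone-aware UTC datetime from (year, month, day, hour, minute[, second])."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(response_xml, now, expected_audience, max_skew=timedelta(seconds=60)):
    """Return (ok, reason) for the assertion's validity window and audience.

    `now` is the service provider's clock.  `max_skew` is the drift the
    service provider tolerates; anything beyond it is rejected, which is why
    the identity provider clock must stay NTP-synchronized.
    """
    root = ET.fromstring(response_xml)
    cond = root.find(".//saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now + max_skew < not_before:
        return False, f"not yet valid: window opens {not_before.isoformat()}"
    if now - max_skew >= not_on_or_after:
        return False, f"expired: window closed {not_on_or_after.isoformat()}"
    audiences = [a.text for a in cond.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, f"audience mismatch: {audiences}"
    return True, "ok"


def jit_attributes(response_xml):
    """Extract what a just-in-time provisioner needs to create the account."""
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    values = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        val = attr.find("saml:AttributeValue", NS)
        values[attr.get("Name")] = val.text if val is not None else None
    return {
        "email": name_id.text if name_id is not None else None,
        "first_name": values.get(ATTR_FIRST_NAME),
        "last_name": values.get(ATTR_LAST_NAME),
    }


if __name__ == "__main__":
    audience = "https://sp.example.test/"
    # Identity provider and service provider clocks agree: accepted.
    print(check_conditions(SAMPLE_RESPONSE, utc(2024, 1, 15, 10, 2), audience))
    # Identity provider clock nine minutes ahead of the service provider: rejected.
    print(check_conditions(SAMPLE_RESPONSE, utc(2024, 1, 15, 9, 50), audience))
    print(jit_attributes(SAMPLE_RESPONSE))
```

The second check in the usage section is the failure the NTP recommendation is about: the assertion is well-formed and signed by the right party, but the service provider's clock is behind the identity provider's by more than the tolerated skew, so the login fails with a "not yet valid" style error. In a real service provider the XML signature is verified before any of this runs; that step is left out here so the sample can stay unsigned.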
Learn more about authentication policies

Troubleshoot email updates without just-in-time provisioning
Set up automated user provisioning and de-provisioning

Automated user provisioning allows for a direct sync between your identity provider and your Atlassian Cloud products. You no longer need to manually create user accounts when someone joins the company or moves to a new team. Automated de-provisioning reduces the risk of information breaches by removing access for those who leave your company. We automatically remove people when they leave the company or a group. This also gives you control over your bill. Here are your options for user provisioning:
Deactivate users with SAML

To prevent a user from retrieving your organization's data via the REST API, deactivate the user in both places: in your organization and in your identity provider. If you have also set up user provisioning for your organization, you only need to deactivate the user in your identity provider.

SAML single sign-on with two-step verification and password policy

When SAML single sign-on is configured, users aren't subject to the Atlassian password policy or two-step verification, even if those are configured for your organization. This means that any password requirements and two-step verification are essentially "skipped" during the login process. We recommend that you use your identity provider's equivalent offering instead.

Remove SAML single sign-on

Before you delete the SAML single sign-on configuration, make sure your users have a password to log in.
To remove SAML single sign-on:
We recommend you also delete the SAML configuration from your identity provider. When you delete SAML single sign-on, you still have a subscription to Atlassian Access. If you no longer need Atlassian Access, you'll need to cancel your subscription. Learn how to unsubscribe from Atlassian Access

Troubleshoot your SAML configuration

If you experience errors in your identity provider, use the support and tools that your identity provider provides, rather than Atlassian support.

Troubleshoot SAML single sign-on without authentication policies
If you're still having trouble, delete the SAML configuration to go back to password authentication with an Atlassian account. After you delete the SAML configuration, you can invalidate all your users' passwords from the password policy screen, which prompts users to go through the password reset process for an Atlassian account password.

Troubleshoot SAML single sign-on with authentication policies
If you want to delete a SAML configuration, make sure that none of your authentication policies use SAML single sign-on. If you want to prevent lockout for a user, move the user to a policy that does not enforce SAML single sign-on.

Troubleshoot your public X.509 certificate errors

If you experience certificate errors, try one of these steps to resolve the error:
Troubleshoot other errors

When you submit a support ticket, include the SAMLRequest and SAMLResponse payloads, which you can capture with the SAML Tracer Firefox add-on. This lets us identify potential causes of the issue more quickly.
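The SAMLRequest and SAMLResponse values that SAML Tracer shows are encoded, and it helps to read them before attaching them to a ticket: the HTTP-Redirect binding deflates, base64-encodes and URL-encodes the request, while the HTTP-POST binding only base64-encodes. The Python below is an added example, not code from Atlassian or from SAML Tracer. It builds a constructed AuthnRequest, encodes it the way each binding would, decodes it back, and pulls out the fields that are usually needed to correlate a request. All URLs and IDs are constructed placeholders.

```python
"""Added example: decode the SAMLRequest / SAMLResponse values that SAML
Tracer shows so they can be read before attaching them to a support ticket.
The AuthnRequest below is constructed; its URLs and IDs are placeholders."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample request, as a service provider would send it.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_req-constructed-1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z" '
    'Destination="https://idp.example.test/sso" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs">'
    '<saml:Issuer>https://sp.example.test/</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_binding(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode.
    Used here only to build the sample the way a service provider would."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def encode_post_binding(xml_text):
    """HTTP-POST binding: base64 only (what a SAMLResponse form field carries)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_param(value):
    """Decode either binding, from the value as copied out of the URL or form."""
    raw = base64.b64decode(urllib.parse.unquote(value))
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")                       # POST binding: already XML
    return zlib.decompress(raw, -15).decode("utf-8")     # Redirect binding: inflate


def summarize(xml_text):
    """Pull out the fields support usually needs to correlate a message."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return {
        "message": root.tag.rsplit("}", 1)[-1],   # AuthnRequest or Response
        "id": root.get("ID"),
        "issue_instant": root.get("IssueInstant"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": issuer.text if issuer is not None else None,
    }


if __name__ == "__main__":
    redirect_value = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    print(summarize(decode_saml_param(redirect_value)))
    post_value = encode_post_binding(SAMPLE_AUTHN_REQUEST)
    print(summarize(decode_saml_param(post_value)))
```

The decoder distinguishes the two bindings by content rather than by where the value came from: a base64-decoded POST payload starts with XML, while a Redirect payload is a raw DEFLATE stream and needs inflating first. A SAMLResponse decodes the same way; the fields worth checking against your configuration are Destination (should be the Atlassian ACS URL) and Issuer (should match the identity provider entity ID you entered).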
Frequently Asked Questions

Can I get SAML single sign-on for domains that I can't verify?
No. To keep products and resources secure, you can only use SAML single sign-on with domains you can verify that you own.

How do I change the user's full name?
You can update the user's full name by updating the first and last names in your identity provider's system. The updated name is synced to your organization when the user next logs in.

How does authentication with REST APIs work?
We recommend that your scripts and services use an API token instead of a password for basic authentication with your Atlassian Cloud products. When you enforce SAML, your API tokens and your scripts continue to work. Learn more about API tokens

What are the main features that distinguish a Test Access Point (TAP) from a switched port analyzer (SPAN)? (Select all that apply.)
A test access point (TAP) is a hardware device that copies signals from the physical layer and the data link layer, while SPAN (switched port analyzer) is simply ports being mirrored.
What term is used for a means of authentication based on what the users have?
Multifactor authentication combines two or more independent credentials: what the user knows, such as a password; what the user has, such as a security token; and what the user is, by using biometric verification methods.
Which describes the function of account passwords?
A password is a string of characters used to verify the identity of a user during the authentication process. Passwords are typically used in tandem with a username; they are designed to be known only to the user and allow that user to gain access to a device, application or website.
Which of the following methods allows subjects to determine who has access to their objects?
Discretionary Access Control (DAC). DAC is a type of access control system that assigns access rights based on rules specified by users. The principle behind DAC is that subjects can determine who has access to their objects.