This article will show you how to configure SAML for the Atlassian Cloud application in Teamstack.

Your users can log in to Atlassian products, like Jira Software or Confluence, via SAML using their Teamstack credentials. This lets you manage all your organizational apps from one place and enforce MFA for all of your users.

You need an Atlassian Access subscription and a verified domain for SAML to work with Atlassian Cloud.
Also keep in mind that SAML login only works for users whose email address is on a domain verified in Atlassian Access.

Requirements:

  • Atlassian Access subscription
  • Verified domain in Atlassian

Features:

  • Atlassian Cloud (SP) initiated Single Sign-On
  • Teamstack (IdP) initiated Single Sign-On
  • JIT (Just In Time) Provisioning

Set up SSO via SAML for Atlassian Cloud

To set up SSO, you first need to add the Atlassian Cloud app to Teamstack, assign it to yourself, and then configure Atlassian Access SSO with the SAML settings from Teamstack.

Step 1: Add Atlassian Cloud app to Teamstack

  1. Go to your Applications in Teamstack.
  2. Click "Add Application" in the top right corner.
  3. Search for "Atlassian Cloud" and click "Add".
  4. Select this app to be a "SAML" app and leave the configuration inputs empty (you will fill them in later).
  5. In the organization's Applications overview, click on the newly created Atlassian app. You will see all the details about this app.
  6. Click on "Users" and assign this app to yourself. You will need this in order to test whether SAML is working correctly for Atlassian Access.
  7. Click on the "SAML Configurations" tab. Keep this page open; you will need these values when you configure the SAML settings in Atlassian Access.

Step 2: Set up SAML in Atlassian Access

Generally, users can only log in via SAML if their email address is on a domain verified in Atlassian Access.
Also, you either need to allow access without an invitation, or users must log in with an account that already exists. Check the "Just In Time Provisioning" section below to learn more.

Once you enable SAML, users will no longer be able to log in directly with username and password, so plan ahead to avoid interrupting your users.

To enable SAML, you need a subscription to Atlassian Access and must do the following steps:

  • Go to https://admin.atlassian.com and select an organization for which you want to enable the settings.
  • In the left side panel, click on "Security" -> "SAML single sign-on" -> "Add SAML configuration".
  • You need to copy the settings from step 1.7 above as follows:
    - Copy "Issuer (IDP Entity ID)" and paste it into "Identity provider Entity ID"
    - Copy "Sign-in Page URL" and paste it into "Identity provider SSO URL"
    - Copy the "Identity Provider Certificate" (make sure to copy everything, including the BEGIN and END lines) and paste it into "Public x509 certificate"
  • Click "Save Configuration"

Once you have added the SAML settings to Atlassian Access, you need to copy two values from Atlassian to Teamstack:

  • Go to the Atlassian app in Teamstack and click the "Edit" button on the application view page.
  • Copy the values "SP Entity ID" and "SP Assertion Consumer Service URL" into the corresponding inputs.
  • For the "Relay state" input, enter: "https://{{YourSiteName}}.atlassian.net/" and replace {{YourSiteName}} with your Atlassian site name.
  • Click "Save"
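The values copied back and forth above are easy to paste incompletely, and the certificate in particular is often cut off mid-copy. The following is an added example (not Teamstack or Atlassian code) that checks the shape of each value before you paste it: endpoint URLs must be absolute https:// URLs, the relay state must match the https://{{YourSiteName}}.atlassian.net/ pattern from the step above, and the certificate must be a complete PEM block whose decoded DER length matches what its outer SEQUENCE header declares, so a truncated copy is reported. The field names, sample URLs and the fake certificate are constructed placeholders; the script validates framing only and does not verify the certificate's signature.

```python
"""Pre-flight checks for the SAML values copied between Teamstack and Atlassian Access."""
import base64
import re
import textwrap
from typing import Optional
from urllib.parse import urlparse

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)
# Relay state pattern given in the article: https://<site>.atlassian.net/ with trailing slash.
RELAY_STATE_RE = re.compile(r"^https://[a-z0-9][a-z0-9-]*\.atlassian\.net/$")


def der_sequence_total_length(der: bytes) -> Optional[int]:
    """Return header + content size of the outer DER SEQUENCE, or None if not a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:  # short-form length
        return 2 + first
    n = first & 0x7F  # long form: number of length bytes that follow
    if n == 0 or len(der) < 2 + n:
        return None
    content_len = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + content_len


def check_certificate_pem(pem: str) -> list:
    """Report problems with a pasted PEM certificate (markers, base64, DER framing)."""
    match = PEM_RE.search(pem)
    if not match:
        return ["certificate: missing BEGIN/END CERTIFICATE markers"]
    body = re.sub(r"\s+", "", match.group("body"))
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["certificate: body is not valid base64"]
    declared = der_sequence_total_length(der)
    if declared is None:
        return ["certificate: does not start with a DER SEQUENCE"]
    if declared != len(der):
        return [f"certificate: DER declares {declared} bytes but {len(der)} were decoded "
                "(truncated or overlong copy)"]
    return []


def check_https_url(value: str) -> list:
    """A SAML endpoint must be an absolute https:// URL with a host and no stray whitespace."""
    problems = []
    parsed = urlparse(value.strip())
    if parsed.scheme != "https":
        problems.append(f"{value!r}: scheme must be https")
    if not parsed.netloc:
        problems.append(f"{value!r}: missing host")
    if value != value.strip():
        problems.append(f"{value!r}: has leading/trailing whitespace")
    return problems


def check_relay_state(value: str) -> list:
    if RELAY_STATE_RE.match(value):
        return []
    return [f"relay state {value!r}: expected https://<site>.atlassian.net/ (trailing slash, no path)"]


def check_saml_config(config: dict) -> dict:
    """Run every check; maps each field to its list of problems (empty list = ok)."""
    return {
        "idp_entity_id": [] if config["idp_entity_id"].strip() else ["idp_entity_id: empty"],
        "idp_sso_url": check_https_url(config["idp_sso_url"]),
        "idp_certificate": check_certificate_pem(config["idp_certificate"]),
        "sp_entity_id": [] if config["sp_entity_id"].strip() else ["sp_entity_id: empty"],
        "sp_acs_url": check_https_url(config["sp_acs_url"]),
        "relay_state": check_relay_state(config["relay_state"]),
    }


def build_fake_der_certificate(content_len: int = 300) -> bytes:
    """Constructed stand-in for a DER certificate: a real SEQUENCE header with a
    long-form length, followed by filler bytes. Only the outer framing is realistic."""
    return bytes([0x30, 0x82]) + content_len.to_bytes(2, "big") + bytes(content_len)


def to_pem(der: bytes) -> str:
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


FAKE_DER = build_fake_der_certificate()
FAKE_PEM = to_pem(FAKE_DER)
TRUNCATED_PEM = to_pem(FAKE_DER[:200])  # simulates a certificate cut off while copying

# Constructed sample values shaped like the fields in the article (not real identifiers).
SAMPLE_CONFIG = {
    "idp_entity_id": "https://idp.example.com/saml/metadata",
    "idp_sso_url": "https://idp.example.com/saml/sso",
    "idp_certificate": FAKE_PEM,
    "sp_entity_id": "https://sp.example.com/saml/placeholder",
    "sp_acs_url": "https://sp.example.com/saml/acs",
    "relay_state": "https://your-site.atlassian.net/",
}

if __name__ == "__main__":
    for field, problems in check_saml_config(SAMPLE_CONFIG).items():
        print(f"{field}: {'ok' if not problems else '; '.join(problems)}")
    print(check_certificate_pem(TRUNCATED_PEM))
```

Run it against your own values by replacing SAMPLE_CONFIG; every field should report "ok" before you paste anything into either console.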

Test:

You can now test the login from Teamstack to Atlassian Cloud. You need to have Atlassian Cloud assigned to yourself in Teamstack (step 1.6 above). The email address must be the same for both the Atlassian and Teamstack accounts. To test the connection, do the following:

  • Open a new incognito window
  • Log into Teamstack
  • Click on the Atlassian Cloud app on your dashboard
  • You will be redirected to Atlassian Cloud and will be logged in without the need to enter a password at Atlassian Cloud.

Note:

  • SAML SSO only works for accounts whose email addresses are on a verified domain in Atlassian Cloud.
  • Every user who wants to log in will need to have an account in Atlassian Cloud. Otherwise, enable Auto Provisioning (see "Set up JIT (Just In Time) Provisioning" below).
  • Whenever your users are not logged in, they will be redirected to Teamstack for login (SP initiated Single Sign-On).

Set up JIT (Just In Time) Provisioning:

You can opt in to automatically create new user accounts in Atlassian for users who only have a Teamstack account. You can also select which Atlassian products those users will get access to:

Allow users from a verified domain to log in:

  • Go to https://admin.atlassian.com/ and click on the site you want to change the settings for.
  • In the left side menu, click on "Site access" and check "Approve the following domains". Enter your verified domain name.
  • Click "Save"

Select products that users will get access to:

  • In the site settings, select "Product access" in the left side menu. Toggle on every product that new users should have access to.
