With the release of EasySSO 4.0+, configuration of oldEasySSO EasySSO with SAML has been simplified.
Configure your Identity Provider (IdP)
Start by configuring SSO on your identity provider's side as this process often generates information needed for the EasySSO configuration. To help you with this we have guides for the following common IdP providers.
- EasySSO SAML with ADFS
- EasySSO SAML with Azure AD
- EasySSO SAML with G Suite
- EasySSO SAML with PingOne
- EasySSO with SimpleSAMLphp
Please note: EasySSO completely ignores Name ID sent as the part of Subject in SAML response and instead looks for the username in the attributes using UID Attribute name configured in the EasySSO GUI. Also, to provision a new user EasySSO requires the Email Address ("urn:oid:0.9.2342.19200300.100.1.3"), Display Name ("urn:oid:2.16.840.1.113722.214.171.124") or both givenName and surname ("urn:oid:126.96.36.199" and "urn:oid:188.8.131.52"). Your IdP may need to be configured to have these sent.
Obtain EasySSO from the Atlassian Marketplace.
If you have no Internet connectivity: Obtain an EasySSO license from the Atlassian Marketplace and install the license via the Universal Plugin Manager (UPM).
If you have Internet connectivity: In the UPM you will be asked for your email and password to the Atlassian Marketplace. Enter these and the EasySSO license will be added automatically.
- Once installed click Configure in UPM to proceed to the configuration wizard. You can also arrive to this screen by clicking EasySSO link under "TechTime Add-Ons" section usually located in the left panel of the Admin screen.
- Click SAML and check the 'Enable SAML' checkbox.
SAML configuration in EasySSO is typical for SAML add-ons. At a minimum, EasySSO requires you to configure the:
In the SAML tab
IdP POST Binding URL
UID Attribute. Good candidates for user ID are "urn:oid:0.9.2342.19200300.100.1.1" for uid or "urn:oid:0.9.2342.19200300.100.1.3" for the email address.
Default Groups for Auto-created users e.g. jira-software-users or confluence-users. The application access group/s granted to the user on their first login if the user needs to be created. Pre-existing users are not added to any groups on login.
In Certificates tab
IdP Token Signing Certificates. There are several methods to load these:
- URL - Enter your IdP Metadata URL then click on "Load Certificate" to retrieve the metadata and parse certificate(s) automatically.
- Upload - select the Upload radio button, upload the metadata file, the certificate(s) will parse automatically
- Input - You can copy/paste your metadata directly into the field as text then click <Parse Certificate>
- Alternatively, if you have obtained the certificate as a text file - open it up in any text editor and copy/paste directly into the certificate field
- Press Save.
Additional EasySSO configuration
The following additional configuration is available for EasySSO.
In the SAML tab
Acceptable time skew tolerance in seconds - SAML messages include timestamps that instruct the Service Provider (EasySSO) to limit acceptance of the messages to prevent replay attacks. When IdP and SP server clocks differ it is possible to configure a tolerance value here.
Create user on successful login checkbox.
IP Filter. If present, only users whose IP address matches this filter will be offered SAML. Empty whitelist will all any IP address. You can enter single IP address (for the reverse proxy), a comma-separated list of IP Addresses, IP address range e.g. 192.168.0.1-192.168.0.10, or network in CIDR notation.
IP Blacklist. If present, users whose IP address matches this filter will be ignored by SAML. Please note if an IP address is both whitelisted and blacklisted - it will be considered whitelisted.
Excluded Paths. Any URI path you wish to exclude from filtering. Please enter the URIs separated by commas.
Using IP filters
EasySSO takes a declarative approach to SSO - relying on the ability of sysadmin to “segment” the network by IP address, IP ranges or IP networks in CIDR notation. This allows one to configure different SSO methods for different segments of the network. Often this is done based on the reverse proxy IP as opposed the client IP itself.
In this context of SAML, the usual approach is to configure Kerberos/NTLM SSO to only be available to the internal segment of the network (this is done via Advanced/IP Filtering screen) and configure SAML for the external segment i.e. a user would get either Kerberos/NTLM or SAML.
In Look and Feel tab
The Look and Feel tab of the SAML configuration screen allows you to select the SAML login button placement, colouring, button text, and redirect message text. If the button is enabled, no automatic redirect will be done, but instead the user will be expected to click on the button explicitly i.e. they are given a choice to login via SAML or using the built-in form authentication.
Here is an example of a SAML login button next to the Login button with the default look and the custom name "SAML Super Login".
As an alternative, here is an example with the same custom button text - this time with the SAML login button above to the Login fields with the highlighted look.
If you are not using the SAML Button, and need to temporarily suppress the automatic redirect to the IdP in order to login using the standard username and password form (such as when you need to reconfigure or disable EasySSO) add ?stopsso=true parameter to your URL.
|Page Details Macro|
EasySSO for JIRA, Confluence, Bamboo, Bitbucket and Fisheye/Crucible
|Documentation Area Macro|
|How to configure SAML in EasySSO|