Configure Single Sign-On (SSO) for Atlassian Cloud
  • 03 Mar 2025

Article summary

This document is a step-by-step guide to setting up an SSO configuration for Atlassian. Once it is configured, users can sign in to Atlassian services with their OneIdP credentials and access these services securely.

Pre-requisites

  1. The Custom Domain for which you are authorizing should be verified through OneIdP.

  2. Users belonging to the custom domain should be added to the Scalefusion Dashboard and migrated to OneIdP.

  3. IT Admins should have access to the Atlassian Admin Console.

  4. Users should be added to the Atlassian portal.

Create SSO Configuration for Atlassian

  1. Sign in to the Scalefusion Dashboard and navigate to OneIdP > SSO Configuration.

  2. Click on the New SSO Configuration button on the top right.

  3. Once you click New SSO Configuration, the following window will pop up. Select Atlassian and click Configure.

  4. This opens the SSO Configuration wizard with the following tabs on the left panel:

    a. Application Basics

    b. SSO Scope Management

    c. Permissions

    d. SSO Settings

    e. Conditional Access

    f. User Facing Messages

Navigate to each tab and enter the required details. You can navigate to the next tab only after you have entered the complete details in the current section. All are explained in detail below.

Application Basics

Configure basic application details by entering the following:

  1. Enter Application Name: Enter a name for your App which will be an identifier for your configuration. The name must be at least 5 characters long. The maximum allowed length is 128 characters.

  2. Select Hosting Type: This will be pre-selected as Cloud.

  3. Select Domains: All the custom domains you have configured and verified using OneIdP will be listed here. Select the domain(s) for which you want to enable SAML SSO.

  4. Enter Login URL: Provide the URL that you use to sign in to that service.

  5. Once you have entered all details, click Next.

SSO Scope Management

With SSO Scope Management, you configure how the users who will access this application are managed, that is, how the SAML settings are applied to them. The following are the settings:

User assignment 

The SSO configuration allows only assigned users to access the app. Choose one of the following options:

  1. Allow all users imported to Scalefusion to access the application: All users (belonging to the domain) imported to Scalefusion and migrated to OneIdP will be allowed to access the application.

  2. Allow only assigned users to access the application: Only the user(s) to whom you have assigned the SSO configuration will be allowed to access the application. With this option, after the SSO configuration is created, you need to manually select and assign the users.

    1. Revoke access for all users once when the configuration is saved: If this is checked, access is revoked from the users who are currently assigned to the configuration. As a result, all user sessions are invalidated and users are logged out of their current running session.

Enforcement Rules 

From here, you can configure the point in time at which the SSO configuration invalidates the current session and logs users out. The following options can be selected:

  1. Immediately on User Assignment and post grace period if applied: Once SSO configuration is assigned to the user

  2. Immediately on User Un-Assignment: When the user is unassigned the SSO configuration

  3. Immediately on Deleting this configuration: When SSO configuration is deleted from Scalefusion Dashboard

Permissions

Here, you do not need to grant any additional permissions. Click Next to go to the next step.

SSO Settings

This section allows admins to configure the Service Provider (Atlassian) settings and obtain the SSO URLs that will be added to the Atlassian portal.

Configure SSO Settings on the Atlassian admin console

On the Atlassian Admin Console, follow these steps:

  1. Log in to the Atlassian admin console and navigate to Security > ‘Add another domain’ - add your company domain > ‘Verify your domain’ on Atlassian’s Admin console.

  2. Click on ‘Connect your identity provider’.

  3. Select ‘Other provider’. Give a Directory Name and click on ‘Add’.

  4. Click on ‘Set up SAML single sign-on’.

  5. Create the SAML Configuration:

    - Copy ‘OneIdP Entity ID/Issuer URL’ from Scalefusion Dashboard to ‘Identity provider Entity ID’ on Atlassian’s Console

    - Copy ‘OneIdP SSO URL’ from Scalefusion Dashboard to ‘Identity provider SSO URL’ on Atlassian’s Console

    - Download the ‘OneIdP Verification Certificate’ from the dashboard, open the file, and copy and paste the complete text into ‘Public x509 certificate’ on Atlassian’s Console

    - Click on ‘Next’

  6. Navigate to ‘Update your authentication policy’ on the Security Tab. The policy that was created will be shown here. Click on ‘Edit’ for that policy.

  7. Toggle on the ‘Enforce single sign-on’ option and add Members from the ‘Members’ tab.

  8. Navigate back to ‘Claim your user accounts’ on the Security Tab > Click on ‘Claim accounts’ for your domain > Click on ‘Next’ > Select ‘Claim all accounts’ and ‘Next’ > Click on ‘Automatically claim’ and ‘Next’ > Finally click on ‘Claim accounts’.

    This setting will automatically claim new accounts that match your domain.

Conditional Access Settings

Device Policy

  1. For Android, iOS/iPad OS, Windows & macOS, Linux, and Chrome OS: Choose one from the following two conditions:

    1. Only if the device is managed by Scalefusion: The application will be accessible only on devices managed (enrolled) by Scalefusion.

    2. If the device is managed by Scalefusion or an OTP using the Scalefusion Authenticator app from a managed device: The application is accessible if any of the following conditions are met:

      1. Device is managed by Scalefusion: If the device is managed you will not be asked to enter OTP for authentication, or

      2. If the device is unmanaged, OTP is required for authentication. OTP can be taken from the Authenticator app installed on a Scalefusion-managed device.

    3. Allow users to access by setting up MFA using a third-party authenticator app or OTP sent by email: This option is activated only when Multi-factor Authentication is enabled in Directory Settings.

Note: The left side panel is for configuring Device Policy on Android & iOS/iPad OS and the right side is for Windows & macOS, with Linux and ChromeOS below them. Hence, you can configure separate device policies based on the platform.


Browser Policy

From here, you can select one or more browsers and specify the minimum versions on which you want to allow access to the application. The following are the options:

  • All Browsers

  • Google Chrome with minimum version

  • Microsoft Edge with minimum version

  • Safari with minimum version

  • Mozilla Firefox with minimum version

Important Points on Browser Policy:

  1. By default, all browsers are allowed.

  2. Only major versions are validated. For example, if you specify browser version 23.5.8.10, then the respective browser with a minimum major version (23) will be allowed.

After configuring Device Policy and Browser Policy, click Next.

Access Exceptions

From this section, you can configure the exceptions under which users are allowed to access the applications even if the conditions are not met. In general, these exceptions are useful in scenarios where:

  1. IT Admins have set up Android Enterprise using Google Workspace, or

  2. IT Admins have set up Apple User Enrollment with ABM/ASM federated to Google Workspace

Following are the exceptions that can be configured:

  1. Enrollment Exceptions

    1. Allow users to access the application till they enroll their first device: Allows users to access the application till they enroll at least one device. This option is helpful in conditions where the enrollment steps require them to authenticate with the service provider. With this, you can also configure the following:

      1. Maximum sessions allowed per user: Configure the number of sessions that should be exempted. It can range from 1 to 3. Ideally, 1 session per user is recommended.

      2. Configure the OS where the exceptions are applied: Select the platform(s) on which this exemption would be allowed to users.

  2. User Exceptions
    Here you can add the users who are always exempted from the conditions and will never be asked to manage their device. Enter comma-separated email addresses of users or click on Add Users on the right and, in the new window, select the users who should be exempted.
    Note: These users still need to sign in with their OneDirectory credentials if they fall under the SSO Scope; however, the conditions will not be enforced.

User Facing Messages

User Facing Messages helps admins configure messages that end users may be shown when they are unable to access the application if any of the compliance conditions are not met. You can configure messages under the following:

  • Configure Instructions for a Non-Compliant Device: This message is shown when the device is not compliant and needs to be enrolled in Scalefusion

  • Configure Instructions for a Non-Compliant Browser: Shown when the browser is not compliant as per configurations

  • Configure a Message to be displayed when Access is Denied: Any other cases where access to the application is denied.

There are some pre-configured messages displayed on the Dashboard which you can edit as per requirement.

After configuring user-facing messages, click on Save.

The SSO configuration is created and listed on the SSO Configuration page as a separate card with the name you have defined. You can create multiple SSO configurations in the same manner.

User Login to Atlassian after SSO Configuration

  1. Go to your Atlassian Cloud URL.

  2. Here you will either be asked to enter the username or be shown a Login with SSO Account link, which redirects you to the OneIdP page to authenticate.

  3. After entering credentials, click on Sign In.

  4. You should be logged in to Atlassian.

Synchronizing Users Between Scalefusion and Atlassian

To ensure integration between Scalefusion and Atlassian, you'll need to synchronize user accounts. Follow these steps to add any new users added on Scalefusion to the Atlassian portal:

For attribute mappings, go back to the Scalefusion Dashboard, select ‘Custom Attribute’, and add the following attributes:

Attribute Key 1: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Attribute Value 1: $user.last_name

Attribute Key 2: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Attribute Value 2: $user.first_name

Now, when you try to log in to Atlassian with the user credentials, the same user will automatically get added to the Atlassian portal.
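To confirm the mapping from a test sign-in, you can decode the base64 SAMLResponse form field captured in the browser's network tab and check that the issuer and both attributes arrive as configured. The script below is an added example, not part of Scalefusion's or Atlassian's tooling; the issuer URL, the sample names, and the helper function names are placeholders, and the sample response is constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# The two attribute keys from the mapping above.
REQUIRED = {CLAIMS + "surname": "last name", CLAIMS + "givenname": "first name"}


def check_saml_response(b64_response, expected_issuer):
    """List the problems in a SAMLResponse form value captured from a test login.

    Diagnostic only: the XML signature is NOT verified, so use it on responses
    from your own test sign-in, never to make an access decision.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    issuer = root.findtext(".//saml:Assertion/saml:Issuer", "", NS).strip()
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: got {issuer!r}")
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        found[attr.get("Name")] = [v for v in values if v]
    for key, label in REQUIRED.items():
        if not found.get(key):
            problems.append(f"missing or empty {label} attribute: {key}")
        elif any(v.startswith("$user.") for v in found[key]):
            # A literal "$user.*" value means the variable was never substituted.
            problems.append(f"unexpanded placeholder in {label} attribute")
    return problems


def build_sample_response(issuer, attrs):
    """Constructed, unsigned response for the demo (not captured traffic)."""
    items = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue>'
        f'</saml:Attribute>' for k, v in attrs.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
           f'<saml:Assertion><saml:Issuer>{issuer}</saml:Issuer>'
           f'<saml:AttributeStatement>{items}</saml:AttributeStatement>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    idp = "https://idp.example.test/saml"  # placeholder for the OneIdP Entity ID
    surname, given = REQUIRED
    print(check_saml_response(build_sample_response(idp, {surname: "Doe", given: "Jane"}), idp))
    print(check_saml_response(build_sample_response(idp, {surname: "Doe"}), idp))
```

An empty list means the issuer matches the value copied into ‘Identity provider Entity ID’ and both name attributes are populated.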

