Tutorial: Azure Active Directory integration with Atlassian Cloud
In this tutorial, you learn how to integrate Atlassian Cloud with Azure Active Directory (Azure AD). Integrating Atlassian Cloud with Azure AD provides you with the following benefits:
- You can control in Azure AD who has access to Atlassian Cloud.
- You can enable your users to be automatically signed-in to Atlassian Cloud (Single Sign-On) with their Azure AD accounts.
- You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before you begin.
To configure Azure AD integration with Atlassian Cloud, you need the following items:
- An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
- Atlassian Cloud single sign-on enabled subscription
- To enable Security Assertion Markup Language (SAML) single sign-on for Atlassian Cloud products, you need to set up Atlassian Access. Learn more about Atlassian Access.
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
- Atlassian Cloud supports SP and IDP initiated SSO
Adding Atlassian Cloud from the gallery
To configure the integration of Atlassian Cloud into Azure AD, you need to add Atlassian Cloud from the gallery to your list of managed SaaS apps.
To add Atlassian Cloud from the gallery, perform the following steps:
In the Azure portal, on the left navigation panel, click Azure Active Directory icon.
Navigate to Enterprise Applications and then select the All Applications option.
To add new application, click New application button on the top of dialog.
In the search box, type Atlassian Cloud, select Atlassian Cloud from result panel then click Add button to add the application.
Configure and test Azure AD single sign-on
In this section, you configure and test Azure AD single sign-on with Atlassian Cloud based on a test user called Britta Simon. For single sign-on to work, a link relationship between an Azure AD user and the related user in Atlassian Cloud needs to be established.
To configure and test Azure AD single sign-on with Atlassian Cloud, you need to complete the following building blocks:
- Configure Azure AD Single Sign-On - to enable your users to use this feature.
- Configure Atlassian Cloud Single Sign-On - to configure the Single Sign-On settings on application side.
- Create an Azure AD test user - to test Azure AD single sign-on with Britta Simon.
- Assign the Azure AD test user - to enable Britta Simon to use Azure AD single sign-on.
- Create Atlassian Cloud test user - to have a counterpart of Britta Simon in Atlassian Cloud that is linked to the Azure AD representation of user.
- Test single sign-on - to verify whether the configuration works.
Configure Azure AD single sign-on
In this section, you enable Azure AD single sign-on in the Azure portal.
To configure Azure AD single sign-on with Atlassian Cloud, perform the following steps:
In the Azure portal, on the Atlassian Cloud application integration page, select Single sign-on.
On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration dialog.
On the Basic SAML Configuration section, If you wish to configure the application in IDP initiated mode, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
b. In the Reply URL text box, type a URL using the following pattern:
c. Click Set additional URLs.
d. In the Relay State text box, type a URL using the following pattern:
The preceding values are not real. Update these values with the actual identifier and reply URL. You will get these real values from the Atlassian Cloud SAML Configuration screen which is explained later in the tutorial.
Click Set additional URLs and perform the following step if you wish to configure the application in SP initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
The preceding Sign on URL value is not real. Update the value with the actual Sign on URL. Contact Atlassian Cloud Client support team to get this value.
Your Atlassian Cloud application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes, where as nameidentifier is mapped with user.userprincipalname. Atlassian Cloud application expects nameidentifier to be mapped with user.mail, so you need to edit the attribute mapping by clicking on Edit icon and change the attribute mapping.
On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to download the Certificate (Base64) from the given options as per your requirement and save it on your computer.
On the Set up Atlassian Cloud section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure Atlassian Cloud Single Sign-On
To get SSO configured for your application, sign in to the Atlassian portal with administrator credentials.
You need to verify your domain before going to configure single sign-on. For more information, see Atlassian domain verification document.
In the left pane, select SAML single sign-on. If you haven't already done so, subscribe to Atlassian Identity Manager.
In the Add SAML configuration window, do the following:
a. In the Identity provider Entity ID box, paste the SAML entity ID that you copied from the Azure portal.
b. In the Identity provider SSO URL box, paste the SAML single sign-on service URL that you copied from the Azure portal.
c. Open the downloaded certificate from the Azure portal in a .txt file, copy the value (without the Begin Certificate and End Certificate lines), and then paste it in the Public X509 certificate box.
d. Click Save Configuration.
To ensure that you have set up the correct URLs, update the Azure AD settings by doing the following:
a. In the SAML window, copy the SP Identity ID and then, in the Azure portal, under Atlassian Cloud Domain and URLs, paste it in the Identifier box.
b. In the SAML window, copy the SP Assertion Consumer Service URL and then, in the Azure portal, under Atlassian Cloud Domain and URLs, paste it in the Reply URL box. The sign-on URL is the tenant URL of your Atlassian Cloud.
If you're an existing customer, after you update the SP Identity ID and SP Assertion Consumer Service URL values in the Azure portal, select Yes, update configuration. If you're a new customer, you can skip this step.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
Select New user at the top of the screen.
In the User properties, perform the following steps.
a. In the Name field enter BrittaSimon.
b. In the User name field type firstname.lastname@example.org
For example, BrittaSimon@contoso.com
c. Select Show password check box, and then write down the value that's displayed in the Password box.
d. Click Create.
Assign the Azure AD test user
In this section, you enable Britta Simon to use Azure single sign-on by granting access to Atlassian Cloud.
In the Azure portal, select Enterprise Applications, select All applications, then select Atlassian Cloud.
In the applications list, type and select Atlassian Cloud.
In the menu on the left, select Users and groups.
Click the Add user button, then select Users and groups in the Add Assignment dialog.
In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the bottom of the screen.
If you are expecting any role value in the SAML assertion then in the Select Role dialog select the appropriate role for the user from the list, then click the Select button at the bottom of the screen.
In the Add Assignment dialog click the Assign button.
Create Atlassian Cloud test user
To enable Azure AD users to sign in to Atlassian Cloud, provision the user accounts manually in Atlassian Cloud by doing the following:
In the Administration pane, select Users.
To create a user in Atlassian Cloud, select Invite user.
In the Email address box, enter the user's email address, and then assign the application access.
To send an email invitation to the user, select Invite users. An email invitation is sent to the user and, after accepting the invitation, the user is active in the system.
You can also bulk-create users by selecting the Bulk Create button in the Users section.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Atlassian Cloud tile in the Access Panel, you should be automatically signed in to the Atlassian Cloud for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
We'd love to hear your thoughts. Choose the type you'd like to provide:
Our feedback system is built on GitHub Issues. Read more on our blog.