AWS IAM Identity Center (successor to AWS SSO) Integration Guide for Jira

Introduction

This document helps you configure IAM Identity Center to facilitate single sign-on (SSO) for Jira using SAML.

Prerequisites

You'll need the following to set up SSO access to Jira:

Setup instructions

  1. On the Jira page in the IAM Identity Center console, in the Details section, fill in the Display name and the Description (optional) of the application.

Note

We suggest that you choose a unique display name if you plan to have more than one of the same application.

  2. Download the IAM Identity Center Certificate.

  3. Log in to your Jira account as an administrator using the domain provided by Atlassian (example: https://DOMAIN_NAME.atlassian.net/admin/accessconfig).

  4. On the left side, click Security, then click SAML single sign-on.

  5. On the configuration page, click Edit Configuration or Add SAML configuration.

  6. For each of the following fields in the Configure SAML section, insert these values.

  7. Copy the contents of the previously downloaded certificate.

  8. Paste the contents into the Public x509 certificate field.

  9. Click Save Configuration.

  10. You can find the SAML ID referenced below as the last part of the SP Entity ID on the SAML single sign-on configuration page.

  11. Go back to the IAM Identity Center console.

  12. For each of the following fields on the configure application page in the AWS console, insert these values, replacing SAML ID with the value noted in the previous step.

| Field | Value |
| Application ACS URL | https://auth.atlassian.com/login/callback?connection=saml-SAML ID |
| Application SAML audience | https://auth.atlassian.com/saml/SAML ID |
| Application Start URL | Leave it blank |
| Relay State URL | You can use your organization's URL from Atlassian or a specific Jira URL here, for example https://DOMAIN_NAME.atlassian.net/secure/MyJiraHome.jspa |

  13. Click Save Changes.

  14. Assign a user to the application in IAM Identity Center.

Verification

Use the following sections to verify the SSO integration.

Note

Ensure that the user performing the verification is logged out of both IAM Identity Center and the application before performing the steps in each section.

Verifying SSO from IAM Identity Center

  1. Access the AWS access portal using the credentials of a user assigned to the Jira application.

  2. In the list of applications, choose Jira to initiate a login to Atlassian.

  3. If login was successful, you will be signed in to the Jira application.

Troubleshooting

If sign-in was not successful, see the troubleshooting steps.

Verifying Service Provider Initiated SSO from Atlassian

  1. Access Atlassian using "https://DOMAIN_NAME.atlassian.net".

  2. Type the credentials of a user that is assigned to the application in the IAM Identity Center console and that also exists in Jira. Jira uses the email address as the unique identifier, and its domain must be validated in the Jira application first.

  3. Choose Sign In.

  4. On the Jira home page, verify that both Jira and IAM Identity Center are logged in with the same user.

Troubleshooting

If sign-in was not successful, see the troubleshooting steps.

Troubleshooting

| Error | Issue | Solution |
| "Something went wrong while executing your request." | The Entity ID may be incorrect. | Make sure that the Entity ID from AWS is inserted correctly in the Jira configuration. |
| "404 Please contact your System Administrator. Resource not found." | The Identity Provider SSO URL from IAM Identity Center may be incorrect in the Jira SAML configuration. | Make sure that the SSO URL from AWS is inserted correctly in the Jira configuration. |
| Other | When IAM Identity Center creates a SAML assertion for a user, it uses the values of the 'email' and 'subject' fields (if they are present) from the connected directory to populate the 'Email' and 'Subject' attributes in the SAML assertion. Many service providers expect these attributes to contain the user's email address. By default, your directory is configured to send 'windowsUPN' in both fields. | Your directory may be configured to hold the user's email address in the 'Email' attribute instead. If so, you may need to change this in your connected directory settings. Additionally, the 'name' attribute sent to the provider should not be the user's email address; make sure that your 'name' attribute is not mapped to an email address. |

For general troubleshooting, refer to the Troubleshooting Guide.
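As an added check that is not part of the AWS guide, the following Python script validates a SAML response captured from your own IAM Identity Center test login against the values this guide has you configure: the Audience must equal the Application SAML audience, the Recipient must equal the Application ACS URL, the Subject must be an email address (the Jira matching key), and the 'name' attribute must not be an email address (the last troubleshooting row). EXAMPLE-SAML-ID, alice@example.com and the sample response are constructed placeholders, and the attribute name 'name' is assumed from the troubleshooting table.

```python
import re
import xml.etree.ElementTree as ET  # for responses from untrusted parties use defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def check_assertion(xml_text: str, saml_id: str) -> list:
    """Return the problems found in a captured SAML Response; [] means every check passed."""
    acs_url = f"https://auth.atlassian.com/login/callback?connection=saml-{saml_id}"
    audience = f"https://auth.atlassian.com/saml/{saml_id}"
    assertion = ET.fromstring(xml_text).find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element in the response"]
    problems = []
    # Audience must equal the 'Application SAML audience' value entered in the console.
    aud = assertion.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != audience:
        problems.append(f"Audience {aud!r} does not match {audience!r}")
    # Recipient must equal the 'Application ACS URL' value entered in the console.
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != acs_url:
        problems.append(f"Recipient {recipient!r} does not match the ACS URL")
    # Jira matches users by email, so the Subject (NameID) must be an email address...
    name_id = assertion.findtext(".//saml:Subject/saml:NameID", namespaces=NS) or ""
    if not EMAIL_RE.match(name_id):
        problems.append(f"Subject NameID {name_id!r} is not an email address")
    # ...and the 'name' attribute must not be one (see the troubleshooting table).
    for attr in assertion.findall(".//saml:Attribute[@Name='name']", NS):
        if EMAIL_RE.match(attr.findtext("saml:AttributeValue", default="", namespaces=NS)):
            problems.append("'name' attribute is mapped to an email address")
    return problems

# Constructed sample response; EXAMPLE-SAML-ID is a placeholder, not a real Atlassian SAML ID.
SAML_ID = "EXAMPLE-SAML-ID"
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
 <saml:Assertion><saml:Subject><saml:NameID>alice@example.com</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData
   Recipient="https://auth.atlassian.com/login/callback?connection=saml-{SAML_ID}"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://auth.atlassian.com/saml/{SAML_ID}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="name">
   <saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Run it against the base64-decoded SAMLResponse from a browser capture of your own test login; a non-empty list points at the row of the troubleshooting table to work through.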

User Provisioning Types

There are two user provisioning types you need to be aware of:

User Provisioning