Atlassian Cloud now supports SCIM. For configuration information, see Atlassian's Configure user provisioning with Okta. If you need further information, contact Atlassian Support at support@atlassian.com.
The Okta/Atlassian Cloud SAML integration currently supports the following features:
For more information on the listed features, see the Okta Glossary.
You only need to set up SAML once, even if you have two different Atlassian Cloud tenants (for example, one for Jira and one for Confluence), as long as your users have the same email address associated with both.
Then do the following:
Create an organization. See Set up an Atlassian organization.
Verify one or more domains, to confirm you own them. See Verify a domain for your organization. When you verify a domain, all the Atlassian accounts that use email addresses from the verified domain become managed by your organization.
Subscribe to Atlassian Access.
Before configuring SAML single sign-on, create an Atlassian account that you can use to access your organization even if SAML has been misconfigured.
This account:
Must not use an email address from a domain you have verified for this organization. This ensures that the account won't redirect to SAML single sign-on when you sign in.
Must be given both site admin and organization admin access.
Log in to https://admin.atlassian.com as an administrator.
Select your organization, then select Security > Identity Providers.
Select Okta from the list of providers.
Select your Directory.
Under Authenticate users, select Set up SAML single sign-on. This opens the SAML configuration wizard.
On the Before you begin step, click Next.
On the Add SAML details step, enter the following:
Identity provider Entity ID:
Sign in to the Okta Admin Console to generate this variable.
Identity provider SSO URL:
Sign in to the Okta Admin Console to generate this variable.
Public x509 certificate:
Sign in to the Okta Admin Console to generate this variable.
Click Next.
On the Copy URLs to your identity provider step, copy your Unique ID value from the SP Entity ID field.
For example, if your SP Entity ID is https://auth.atlassian.com/saml/a1b2c3d4, your Unique ID is a1b2c3d4.
Click Next.
On the Link a domain to your identity provider directory step, select your Domain to link.
On the Save and continue step, click Stop and save SAML.
In Okta, select the Sign On tab for the Atlassian Cloud SAML app, then click Edit:
SAML Attributes (optional):
By default Okta supports the following SAML attributes that are mandatory for JIT:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
You can configure additional attributes and their values (mappings) under the Attributes (Optional) section of SAML.
Enter your Unique ID value (step 8) into the corresponding field.
Jira Base URL: Enter your Jira Cloud base URL.
For example: https://[your-subdomain].atlassian.net
Confluence Base URL: Enter your Confluence Cloud base URL.
For example: https://[your-subdomain].atlassian.net/wiki (append /wiki to the end of the URL to land on the Confluence dashboard upon signing in).
Statuspage Base URL: Enter your Statuspage base URL.
For example: https://manage.statuspage.io
Click Save.
Done!
The following SAML attributes are supported:
Name | Value |
---|---|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | user.firstName |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | user.lastName |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | user.id |
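To confirm that a test sign-in actually carries the attributes in the table above, the following added example (not Okta's or Atlassian's code) reads a decoded SAML assertion and lists any that are missing or empty. It also derives the Unique ID from an SP Entity ID as in the earlier example. The function names and the sample assertion are constructed for illustration, and the script inspects attributes only; it does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Attribute names from the table above, with the Okta value each one maps to.
REQUIRED = {
    CLAIMS + "givenname": "user.firstName",
    CLAIMS + "surname": "user.lastName",
    CLAIMS + "name": "user.id",
}

def read_attributes(assertion_xml):
    """Return {attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found

def missing_jit_attributes(assertion_xml):
    """Required attributes that are absent or carry only empty values."""
    found = read_attributes(assertion_xml)
    return sorted(n for n in REQUIRED if not any(found.get(n, [])))

def unique_id(sp_entity_id):
    """Assumption: the Unique ID is the last path segment, as in the page's example."""
    segments = [s for s in urlparse(sp_entity_id).path.split("/") if s]
    if not segments:
        raise ValueError("SP Entity ID has no path segment")
    return segments[-1]

# Constructed sample: givenname set, surname empty, name absent.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="{c}givenname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{c}surname"><saml:AttributeValue/></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>""".format(c=CLAIMS)

if __name__ == "__main__":
    for name in missing_jit_attributes(SAMPLE):
        print("missing or empty:", name, "(expected from", REQUIRED[name] + ")")
    print("Unique ID:", unique_id("https://auth.atlassian.com/saml/a1b2c3d4"))
```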
Go to: https://[your-subdomain].atlassian.net
Enter your email, then click Continue.