25 min read

The Journey to SSO, Part IV: A Killer Implementation of SAML Single Sign On with Jira and Confluence Data Center 

By resolution on Mar 22, 2021 7:33:45 PM

Blogpost-display-image_Resolution Blog Series, Pt. 4Congratulations on reaching the final destination in our very special journey to combine frictionless Atlassian applications with enterprise security! If you haven’t yet, you can have a look at the first article on the symptoms that your company needs a single sign-on solution and the second part on the existing opportunities to implement Identity Providers with your current infrastructure. 

With the goal of identifying realistic solutionsithe third article we reviewed the top SSO requirements for Atlassian Data Center applications:  

  • Are usernames consistent across user directories? 
  • Are there multiple sources of identity? 
  • Do you need to centralize user management on your Identity Provider? 
  • Is there a need to automate user activation and deactivation? 

Then, we mapped possible responses to competing alternatives so that you could tell when Data Center SAML could do the job, and when it would be better to look for an alternative in the Marketplace. Go back to our detailed comparison if you want to dive into the enterprise customization options! 

In the following two articles we will see the four requirements come together in a killer implementation of resolution’s SAML SSO. Let’s follow the steps of ACME Services Ltd! 

ACME is (obviously) an imaginary company based on the hundreds of customer implementations that our support team has guided to completion. 

The starting point  

  1. As part of a larger effort to centralize user management in a central team, the company ACME Services has decided to migrate their Jira and Confluence users from a local Active Directory where users login locally with username and password to Azure AD SAML SSO will be used to connect with the Atlassian applications. 
  2. ACME works for specific technology projects with Contractor Unlimited, a large consulting firmConsultants will need access to ACME’s Jira and Confluence applications with their existing Contractor accounts, hosted in Okta. 
  3. Obviously, only the contractors assigned to projects can have access, which should be revoked as soon as their assignment concludes. This step will be shown in an upcoming article. 

Note: While the scenario includes both Jira and Confluence, we will only cover the implementation in Jira as an example. Keep in mind that the steps are virtually identical for both applications! 

1. The migration from the local AD to Azure AD 

Username transformation with User Sync

Challenges 

  1. Usernames sent from Azure AD are different to the local Atlassian usernames:  first.lastname@acme.com versus first.lastname 
  2. ACME has a central IT department separated from the team of Atlassian admins, and collaboration between both teams usually takes time. To increase the speed of the implementation, it has been decided to transform usernames on the Atlassian application. 
  3. Users from Jira must be first migrated to Azure AD, since it’s a historic instance with thousands of existing tickets. 

Prerequisites 

In this guide we will focus on the critical tips and tricks, but will assume that you already have a basic working configuration that includes: 

  1. Creating a User Sync connector for Azure AD following the Configuration Guide for Azure AD. Do not sync yet! It's best to wait until the implementation is complete. 
  2. SAML SSO configured with your Azure ADHere is the guide 
  3. Having read, understood and followed our guide on how to migrate the Jira/Confluence internal directory to User Sync to retain user history, groups, etc. 

It’s convenient to configure User Sync and SAML SSO in this order so that you can select an existing User Sync connector to provision your users during the SAML SSO setup. 

Important note: Migrations can be messy, so it’s fine to recognize it if you have trouble solving the 3 prerequisites above. Don’t be afraid to ask for help either Praecipio or resolution –we regularly host free screenshare sessions with our customers to get their SAML SSO implementation ready for production! 

Implementation steps 

In this walkthrough, we’ll implement username transformations on both the SAML SSO login process and the User Synchronizations via API. You may we wondering why the transformation must be completed on both sides. We asked one of our engineers, and here's what he said: 

"What happens when the SAML SSO app searches for a user during login and the user is not found? That the login will fail. That's why you need to keep the transformations consistent on both sides. If User Sync creates username “example” stripping the email domain that is stored in Azure AD, and then SAML SSO searches for a user called example@domain.com without stripping the domain before looking it up, it will fail to find the user. 

  1. First, let’s instruct the User Sync Connector to copy user attributes from the local directory into Azure AD whenever a user is createdYou can find this in the advanced settings of the Azure AD connector you have just created. copy behavior
  2. Now we need to configure how usernames will be transformed as they are synchronized into Jira/Confluence from Azure AD
    • Go to Attribute Mapping in the advanced User Sync settings, and click on Edit for the username row Username mapping
  • Now it’s time to add the transformation. Here’s the regex example that would do the job of transforming elon.musk@acme.com into elon.musk: 

Regular expression: ^(.*)@.*$ 

Replacement: $1 email domain stripping

  • As in the example above, you should test with a real user whether the transformation works. 

    3. Now we need to configure the same transformation in SAML too. 
  • Go to Identity Providers User Creation and Update > Attribute mapping and click on Edit for the Name ID / username row username mapping SAML
  • Use the template from the dropdown to strip the email domain no code transformation templates
  • Click apply and save your SAML configuration. no code email domain stripping

Note: The no-code option to strip the email domain from a dropdown will be included in the upcoming release of User Sync, both as a standalone and as a feature of the SAML SSO apps. 

             4. Finally, ACME must change the priority order of the user directories, so that the User Sync dir
ectory is above the local one. To do this, go to User Management> User Directories in the admin section of Jira, and move the Azure AD directory to the top.directory rank 
  1. Connecting users from multiple organizations into the same Jiramulti-IdP setup

After the initial setup, Contractor Unlimited (CU.com) need access to Jira/Confluence. Since they also want to use SSO connected to their Okta, a new UserSync connector is configured for Okta. 

Challenges 

  • Implementing the most appropriate method of combining both Identity Providers (IdPs) 

The final decision is that Okta should be triggered based on the Contractor Unlimited email domain. An alternative would be to show an IdP selection page where users can select whether to log in with Azure AD or with Okta. However, the central identity team at ACME prefers the ACME login to be a more branded experience without a reference to Contractor Unlimited’s Okta. 

Prerequisites 

  • Setup Acme's SAML SSOnow with the Contractor Unlimited's Okta instanceFollow this guide. 
  • Configure a User Sync connector with their OktaFollow this guide. 

If you want to know more about the different IdP selection methods, you can watch this video tutorial. 

Implementation steps 

  1. Go to SAML SSO > IdP Selection 
     IdP Selection tab
  2. In the dropdown, choose select IdP by Email Address     IdP Selection by Email Address
  3. Now, let’s create a new rule item so that CU.com emails are routed to Okta for authentication add email rule
  4. In the rule, we’ll add the domain in the corresponding field. In this case, cu.com becomes cu\.comOkta email rule
  5. Now, let’s test the email of any contractor to check whether the rule is triggered.  test Okta email rule
  6. Let’s now repeat steps 3-5 for acme employees and Azure AD. The result should look something like this: email rules okta azure ad
  7. Finally, ACME decides to tweak the selection page a little bit so that it has the right look and feel
    To do that, they go to the page templates section of the SAML SSO configuration
     Page Templates tab
    and navigate to the IdP Selection By Email Page Template (2nd template) Selection Page Velocity Template
  8. And that’s how it looks like for them by simply changing the font and adding their logo!customized login page 

To be continued: Setting up an automated process to provision and deprovision consultants. 

At this point, CU employees have access to ACME's Atlassian tools. The door is open. But ACME still has to make sure that it the door can be closes so that only CU.com contractors who are actually needed can get in. 

In the next and final article of the series, we’ll look at how to set up an automated process for onboarding and offboarding contractors so that they always have access when they need it, and they immediately lose it when their project is over. Without manual work, and without any bottlenecks. 

Stay tuned!

Topics: blog optimization security resolution identity-management
10 min read

The Journey to Atlassian SSO, Part II:  Make an Inventory of Identity Assets

By resolution on Feb 3, 2021 7:56:53 PM

Blogpost-display-image_The journey to Atlassian SSO, part II- Make an Inventory of Identity Assets

Praecipio Consulting has partnered with our friends at resolutionan Atlassian Gold Marketplace Partner based in Germany that specializes in software development and network security, to bring you a series of blog posts about how to successfully implement single sign-on (SSO) with Atlassian tools. With more than 7 million users from 58 countries, resolution is the market leader for Atlassian Enterprise User Management Apps.

In the last article, we offered an overview of the most common pain points that can be felt across an enterprise when no single sign-on (SSO) solution has been implemented – or when it doesn’t extend to important corporate software like Atlassian tools. 

Now you understand that without SSO, end users will stick to bad passwords habits.  

Your Help Center will be flooded with password recovery requests.  

And, to the despair of your security experts, your admins will keep forgetting to deactivate former employees from Jira’s internal directory. 

So, what are you going to do about it? 

Luckily for you, we are laying the grand journey to SSO before your eyes. In this, article we’ll show you the exact steps to take inventory of your existing identity resources. Once the inventory is completed, outlining the implementation project and choosing the SSO vendors should be straightforward. 

The journey to Atlassian SSO, part II- Make an Inventory of Identity Assets-blog

 

Step 1: Take inventory of web applications 

What software do your employees use? Completing an inventory of all the B2B apps used in your organization is easier said than done.  

By some accounts, employees used an average of 191 accounts in 2017; but about half of the workforce uses software that was not distributed to them by their IT department. 

When setting out to complete the list, try a good cop approach. Interview colleagues at different departments and explain the benefits of bringing every possible application under the roof of a unique, centralized login. 

A percentage of these applications will be small SaaS vendors where the head of the department paid with a corporate credit card without requesting a budget approval for it. This type of products have all the chances of becoming Shadow IT: unaccounted for and unknown to the IT department until there’s a problem. 

However, for the purpose of single sign-on you should only be concerned about the apps that are relevant: 

  • They’re used everyday by some roles 
  • They are essential to completing the employee’s job description 
  • They have individual user accounts 
  • They contain sensitive data about the company that you shouldn’t be disclosed 

Atlassian tools like Jira, Confluence or Bitbucket meet all items on the above checklist.   

In case of doubt, a quick scan of data sensitivity should be enough to convince you. Bitbucket is the repository for the company’s software, Jira Software has all the plans about the product’s future features, Jira Service Management contains hundreds of customer conversations, and finally, Confluence is used to organize and disseminate documentation, strategic business plans, and links to confidential assets. 

Step 2: Check which applications support SSO  

Once you know which web applications you need to connect to your SSO solution, you should perform a quick due diligence:  

  • Does the application support SSO natively?  
  • If yes, what protocols can be used to connect it? SAML, OAuth/OIDC, SSH, or even older ones? 
  • If no, are commercial connectors available that you can rely on to do the job? 

Screen Shot 2020-12-05 at 1.09.30 PM

Atlassian on-premise applications, for example, do not support SSO natively. However, there are plenty of alternatives in the Atlassian Marketplace that allow them to connect to IdPs, mainly via SAML. Resolution’s SAML SSO is the most important example. 

In the case of Data Center, there is also a free SAML SSO app by Atlassian that covers a part of the SSO specifications, including authentication and some other aspects of user management. We will go into more details in the following article of this series. 

For each of the applications in your inventory, you will have to ask yourself: Where are the application’s users? Are they stored internally in the application, or are they drawn from a corporate user directory? 

In the case of Atlassian users, there are three main non-SSO options: 

Option 1. Users are stored in Microsoft’s Active Directory 

Screen Shot 2020-12-05 at 1.09.50 PM

Active Directory (AD) is starting to be a legacy technology from the time of Windows 2000, but it’s still the most common starting point for a lot of companies using Windows Servers.  

When your users are stored in AD, they can be synchronized with Atlassian applications using LDAP – then they will be able to use their AD credentials for the Atlassian login. 

Pros: It’s a well-tested option that is natively supported by Atlassian applications. Besides, many customers are already using the AD FS role to integrate with cloud services like Office 365 or Salesforce via SAML. And if they haven’t yet, they can do it for free. 

Cons: LDAP is a very poor choice in remote-first approaches: it usually requires firewalls and VPNs, it scales poorly in terms of performance, and it’s not supported by many cloud Identity Providers.  

Option 2. Users are stored in Jira’s internal directory 

Screen Shot 2020-12-05 at 1.10.18 PM

Jira’s internal directory can also be connected to other Atlassian products like Confluence to be used as the source of users. 

Pros: Users don’t have to be managed in other Atlassian applications. They can be centrally run from Jira’s internal directory. 

Cons: The most important disadvantage is that Atlassian applications will still be siloed against the rest of your tools. Every time you adjust access and permissions for an employee, you will at least have to do it twice: once for Atlassian apps, another for your other directories. 
Additionally, when Jira is down, your entire Atlassian stack will be unavailable. 

Option 3. Users are stored in multiple directories, but centralized with Crowd 

Screen Shot 2020-12-05 at 1.10.40 PM

Many enterprises have multiple on-premises historic instances, each of them with their quirks and their settings. Often times some are Data Center, other are Server. Rather than merging everything, standardizing and consolidating in a mega instance, it’s simpler to just accept the complexity and add Crowd into the mix to centralize user management. 

Pros: Federating multiple Atlassian instances with Crowd is fairly simple, and you can manage users and their permissions across different directories. 

Cons: Crowd is sold as an SSO solution, but that is only true for Atlassian products. If a user logged to Crowd tries to access any non-Atlassian tool where he doesn’t have an open session, he will be prompted to login. Also, Crowd cannot handle SAML responses from an IdP. 

Step 4. Analyze IdP opportunities 

You will need an Identity Provider that can serve as the single source of truth for user identities in all your applications. 

A new IdP can be a significant financial commitment. However, sometimes you can get a top IdP vendor for free because you are already using their technology for other purposes. Let’s have a quick look at the most common scenarios. 

Have a look at resolution’s independent evaluation of the most important IdPs for more details. 

Scenario 1: Microsoft Active Directory 

Screen Shot 2020-12-05 at 1.11.24 PM

Second time we encounter AD in this article, and it’s no coincidence.  

If your administrators are already using Active Directory to manage employee access and permissions to your networks' resources, then you can have SAML-based SSO for free. Simply make use of the AD Federation Services role and start using AD FS as your Identity Provider. 

Scenario 2: Office 365 

Screen Shot 2020-12-05 at 1.11.47 PM

A similar scenario to the above, but with cloud pieces of Microsoft’s game. If your company is on Office 365, then you can get Azure Active Directory for no additional cost.  

If you do so, keep in mind that the free version of AD FS has some important limitations. You can see all the details here, but our summary might be a better use of your time: 

  • You can only use applications in the Azure app catalog (don’t worry too much, we are in the catalog) 
  • Some advanced features like user assignments will only be available on a per user basis 
  • Conditional access policies, including MFA, will not be available at all. 

Scenario 3: GSuite 

  Screen Shot 2020-12-05 at 1.12.11 PM

Everyone has a Gmail account, and thousands of companies, particularly in the US, have adopted Google Workspace (formerly G Suite) for their office applications. If that is your case, then choosing Google’s Cloud Identity is a natural option. 

Cloud Identity Premium is included in the premium tier of Google Workspace with a cost of $25 per user, per month. 

Next Steps 

In this article we have seen how to build a comprehensive inventory of your identity assets that includes sensitive B2B applications, the user directories for your Atlassian users, and common opportunities for adding an IdP vendor from your existing stack. 

For the next article of the series, we will go over the most vital questions that will help you define the scope of your SSO implementation. 

Will a simple setup be enough? Will you connect users coming from different directories? Will you automate user creation and deactivation? These are some of the considerations that will impact your project and what a successful solution will look like.

In the fourth and last article, we’ll inspire SSO project leaders with walkthroughs and actionable examples of advanced implementations.

Stay tuned to for more tips and insights on advancing your journey towards a successful single sign-on for your Atlassian tools!

Topics: blog optimization security resolution identity-management

Praecipio Consulting is an Atlassian Platinum Partner

This means that we have the most experience working with Atlassian tools and have insight into new products, features, and beta testing. Through our profound knowledge of Atlassian environments and their intricacies, we can guide your organization as you navigate these important changes.

atlassian-platinum-solution-partner-enterprise

In need of professional assistance?

WE'VE GOT YOUR BACK

Contact Us