Azure Active Directory - SSO guide
Azure AD (Active Directory) - SSO Setup
Create an enterprise application
In order to create an enterprise application, you will need the following:
1 - An Azure AD user account. If you don't have one yet, you can Create an account for free.
2 - One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
3- Completion of the steps in Quickstart: Add an enterprise application.
Once you have created your AD account,
Navigate back to the homepage.
Select “More Services”
On the sidebar, navigate to the “Identity” tab
Select the “Enterprise applications”
Select “New Application
Select ”Create your own application”
Provide a name
Select the “Integrate any other application you don't find in the gallery (Non-gallery)” option
Select the “Create” button
You have now created the application.
Set up single sign-on
Select the “Single sign-on” tab
Select the “SAML” card
The following page will open
Here you set the configuration, there are 4 steps and 1 step to test the scheme.
SSO configuration
Step one includes the basic SAML configuration, select the 3 dots on the right corner of this card and click on the “edit” button.
Identifier (Entity ID)
Open the global settings of External Share on your Jira instance
(Apps dropdown menu > External Share > Global Settings > SSO configuration)
Enable SAML SSO by ticking the box
Copy the “Issuer ID” value
Click on Add identifier (On Azure)
Paste the value into the “Identifier” field
Reply URL (Assertion Consumer Service URL)
Click on Add Reply URL
Open the global settings of External Share on your Jira instance
Copy the “Assertion Consumer URL” value
Click on Add Reply URL (On Azure)
Paste the value into the “Reply URL” field
Sign on URL
Open the global settings of External Share on your Jira instance
Copy the value from the “Service Provider Login Url” field and paste it into the “Sign on URL” field. Note that this value is generated dynamically when Workspace name is changed.
Relay State
Open the global settings of External Share on your Jira instance
Copy the “Default Relay State” value
Paste the value into the “Relay state” field
Save
Step two “Attribute and Claims”
Please ensure that the “Unique User Identifier” is set to “user.mail”, External Share treats user email addresses as their unique identifier
Please keep in mind you only need to provide the following information. No additional attributes are required
SAML Certificates, step three
Download the “PEM Certificate”
Open with notepad
Copy the value
Paste this value into the “Certificate” field on the global settings of External Share on your Jira instance
Please make sure to check the expiry date for the certificate, once the certificate is expired, it needs to be manually rotated.
Set up, step four
Copy the “Login URL” value and paste it into the “Login URL” field on the global settings of External Share on your Jira instance
Copy the “Azure AD Identifier” value and paste it into the “Identifier” field on the global settings of External Share on your Jira instance
Choose a name for your “Workspace identifier” field - Please note that your workplace identifier is the data used to identify your Jira instance and your users will need to use this identifier in order to login via SSO, therefore this information must be actively available to users.
Save
There are no users assigned at this stage.
Assign users
Navigate to “Users and groups” (Sidebar menu)
Select the “Add user/group” button (on the navigation bar)
Click on the “Users” field
Add the users you wish to whitelist
Click on the “Assign” button
Configuring SSO does NOT automatically limit users share access to SSO, you must first Require Corporate SSO login when accessing shares.
If you wish to ensure the identity of external users is checked with your identity provider when accessing shares, you must require this option in the security tab in External Share.