Configure Bamboo SAML SSO with Microsoft Entra ID (formerly Azure AD)

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

This guide is designed to walk you through the step-by-step process of setting up SAML SSO for Bamboo using Microsoft Entra ID (formerly Azure AD) as your identity provider.

Environment

The solution has been tested on Bamboo 9.2 connected to Microsoft Entra ID (formerly Azure AD) identity provider.

Solution

Configuration steps

Microsoft Entra ID configuration side

  1. From the Microsoft Entra ID portal, select Enterprise Applications.

  2. Click on “+ New application”

  3. Select “Create your own application”

  4. Enter the name of your application, select “Integrate any other application you don't find in the gallery,” and click Create.

  5. Once the app is created, click on “Setup single sign on”

  6. Choose SAML

  7. Go to the Basic SAML configuration and click Edit.

  8. In the Basic SAML Configuration page, fill in the Entity ID and the Reply URL.

    1. You can get this information from Bamboo when you enable SAML SSO authentication.

  9. Once you have added the information, click Save, then go to the SAML Certificates section and download the base64 certificate.

Bamboo Configuration side

Microsoft Entra ID (formerly Azure AD) typically sets the Unique User Identifier (Name ID) to return the UserPrincipalName in the form of an email address by default. However, Atlassian Data Center applications, such as Bamboo, require a username instead of an email address. To accommodate this, you may need to adjust the Unique User Identifier (Name ID) to use user.onpremisessamaccountname or user.mailnickname. This change ensures that Microsoft Entra ID returns only the email prefix as the ${NameID} property, which Bamboo can then utilize appropriately.

Once you have enabled SAML SSO in Bamboo and started editing the configuration, fill out the following information:

  1. In the Single sign-on issuer field, paste the URL shown in Azure under Microsoft Entra Identifier.

  2. In the Identity provider single sign-on URL field, paste the URL shown in Azure under Login URL.

  3. In the user mapping section add ${NameID}

  4. In the X.509 certificate field, open the downloaded base64 certificate, copy its content, and paste it.

  5. Click Save and test the authentication.
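
To confirm what Entra ID actually sends as the issuer and ${NameID} during the test login, the following added example (not part of the original article or of Bamboo) decodes a SAMLResponse and flags an issuer mismatch or an email-style NameID. It assumes you captured the base64 SAMLResponse form field from your own test login; the tenant ID, usernames and sample responses are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed placeholder tenant; use your own Microsoft Entra Identifier value.
ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"


def check_saml_response(b64_response, expected_issuer):
    """Return a list of configuration problems in a base64 SAMLResponse.

    Diagnostic only: the XML signature is NOT verified, so run this on a
    response from your own test login and never use it to authenticate anyone.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion element found"]
    problems = []
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} differs from configured {expected_issuer!r}")
    name_id = assertion.findtext(
        "saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        problems.append("NameID is missing or empty")
    elif "@" in name_id:
        problems.append(f"NameID {name_id!r} looks like a UPN/email, not a username")
    return problems


def build_sample(name_id, issuer=ISSUER):
    """Build a minimal, unsigned, constructed SAMLResponse for the demo."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Assertion><saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    for sample in ("jdoe", "jdoe@example.com"):
        print(sample, "->", check_saml_response(build_sample(sample), ISSUER) or "OK")
```

An empty result means the issuer matches the value configured in Bamboo and the NameID is a bare username that ${NameID} can map to a Bamboo user.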

Ensure that the user exists in Bamboo

  • Even after setting up SAML SSO, you still need to make sure that the users who need to authenticate exist in the Bamboo instance (LDAP or local).

  • Alternatively, enable Just-In-Time (JIT) provisioning if that fits your use case. You can find more information on JIT provisioning.

Updated on March 21, 2025
