Configure OKTA SAML single sign-on for portal-only customers

Platform Notice: Cloud Only - This article only applies to Atlassian apps on the cloud platform.

Summary

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, such as an identity provider and a service provider.

SAML for single sign-on (SSO) allows customers to authenticate through the organisation's Identity Provider (IDP) when logging in to the Jira Service Management Customer Portal. During an active session, customers only need to log in once to access multiple portals for one Jira Service Management instance.

Customers outside the organization can only access the organization's Jira Service Management portal. Atlassian does not count these customers toward the Atlassian Guard subscription billing. Learn more about Jira Service Management customer accounts.

Pre-requisites

To configure SSO for JSM Portal-only customers, you need:

  • Jira Service Management Portal

  • Atlassian Guard Subscription

You also need the following roles:

  • Organization Admin role for the Atlassian organization

  • User with Administrator role on OKTA

Please follow the steps below to configure the SSO with the OKTA IDP for JSM Portal-only customer users.

Set up SAML application in Okta

  1. Log in to the OKTA Admin Portal

  2. Go to Applications > Select Applications > Select Create App Integration > Select SAML 2.0

  3. On the application creation page, add the application name and select Next

  4. On the Configure SAML page, add the values and set the options as below

    • For all URL fields, enter placeholder values for now (they will be updated later)

    • Name ID Format: EmailAddress

    • Application username: Email

    • Update application username on: Create and Update

  5. On the next screen, select Finish and complete the setup

  6. From the Sign On tab, select View SAML setup instructions to get the SAML values

  7. From the SAML Setup instruction page, copy these values:

    • Identity Provider Single Sign-On URL

    • Identity Provider Issuer

    • X.509 Certificate

Set up SAML on the Atlassian side

Log in to https://admin.atlassian.com. The steps will differ based on your user management experience.

For Centralized user management

  1. Navigate to Apps/Products > Sites and products, and select the site

  2. Under Jira Service Management, select Portal-only customers

For Original user management

  1. Navigate to Apps/Products > Sites and products

  2. Under User Management, select Jira Service Management

Next: Select ... (More) > Identity providers

  1. From the IDP selection page, select OKTA

  2. Provide any suitable directory name and select Add > Select Set up SAML single sign-on

  3. On the next screen, paste the 3 values copied from OKTA into the respective fields, then select Next

    • Identity Provider Single Sign-On URL

    • Identity Provider Issuer

    • X.509 Certificate

  4. From the next screen, copy the Service provider entity URL and the Service provider assertion consumer service URL (to be updated on OKTA)

Update values on OKTA

On OKTA IDP, for the JSM SSO Application, go to the General tab and select Edit within the SAML Settings box.

Go to Configure SAML and update the values as below:

  1. Single sign-on URL: <paste the "Service provider assertion consumer service URL" from the previous step>

  2. Audience URI (SP Entity ID): <paste the "Service provider entity URL" from the previous step>

  3. Default RelayState: Enter your JSM portal URL, for example: https://<your_site>.atlassian.net/servicedesk/customer/portals

  4. Configure the attributes below under Attribute Statements:

    • Application Username (Name ID): Email

    • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

      • Name format: Unspecified

      • Value: user.firstName

    • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

      • Name format: Unspecified

      • Value: user.lastName

    • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

      • Name format: Unspecified

      • Value: user.getInternalProperty("id")

  5. Save and finish the setup.
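The following added example (not Atlassian or Okta code) checks a decoded SAML response, such as one captured during a test login, against the settings configured above: Name ID format, Audience URI, Single sign-on URL and the three attribute statements. The helper name `check_response`, the URLs and the sample response are constructed for illustration, and the Destination check assumes Okta sends the Single sign-on URL as the response Destination.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_ATTRS = [CLAIMS + n for n in ("givenname", "surname", "upn")]

def check_response(xml_text, sp_entity_url, acs_url):
    """Return a list of mismatches between a decoded SAML response and the settings above."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD/entity declarations present; refusing to parse"]
    root = ET.fromstring(xml_text)
    problems = []
    # Assumption: the IdP sends the Single sign-on (ACS) URL as the Destination.
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the Single sign-on (ACS) URL")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not EmailAddress")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value is not an email address")
    audiences = [a.text for a in root.findall(".//a:AudienceRestriction/a:Audience", NS)]
    if sp_entity_url not in audiences:
        problems.append("Audience does not match the SP entity URL")
    sent = {a.get("Name"): (a.findtext("a:AttributeValue", "", NS) or "").strip()
            for a in root.findall(".//a:AttributeStatement/a:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not sent.get(name):
            problems.append("Missing or empty attribute: " + name)
    return problems

# Constructed sample (placeholder URLs, not real tenant values); the upn attribute is left out.
SP_ENTITY = "https://sp.example.test/entity"
ACS = "https://sp.example.test/acs"
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['p']}" xmlns:saml="{NS['a']}" Destination="{ACS}">
 <saml:Assertion>
  <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">ana@example.test</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Lee</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for p in check_response(SAMPLE, SP_ENTITY, ACS):
        print("MISMATCH:", p)
```

This check covers configuration mismatches only; it does not verify the response signature against the X.509 certificate.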

Assign users/groups to the SSO application on JSM

Add the users or groups to the assignment scope of the JSM Application on OKTA.

Test SAML Single Sign-On

On the Atlassian side, when you complete the setup, you will see the option Test single sign-on.

  1. Select the option Test single sign-on > Save settings

  2. Select View testing steps to see the testing steps, which should match the following:

    • Password: Enable login with email and password

    • Identity provider: Test single sign-on

Updated on September 25, 2025
