Configure SAML SSO for Jira Data Center with Google IDP

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Jira Data Center supports any SAML 2.0 compliant IDP, including Google. This is documented in the following articles:

However these serve as more reference pieces rather than how to guides. This article explains step by step how to integrate Jira and Google IDP together using SAML 2.0.

Solution

This article was originally designed for Bitbucket, so some screenshots contain the word "Bitbucket". This can be substituted for "Jira" where found

  1. As an administrator account in Google Workspace, Login to admin.google.com and navigate to Apps >> Web and Mobile Apps.

  2. Add App and click on Add custom SAML App.

  3. Specify App details providing App name and Logo.

  4. Fetch the SSO Urls details either by downloading metadata or copying the details.

  5. Login to Jira Data Center as a System Administrator. Navigate to Administration > Authentication Methods and Click on Add Configuration.

  6. Specify the Name for the configuration and Authentication Method to SAML single sign-on.

  7. Configure SAML SSO settings in Jira as per the details from Google IDP. SSO Url from Google to be specified against Identity provider single sign-on URL in Jira. Entity ID from Google is to be mapped to Single sign-on issuer in Jira. Specify X.509 certificate from Google in Jira.

  8. Username Mapping - This parameter tells Jira how to identify the username in the SAML Assertion response. By default, many IDP providers use NameID to determine the username of the user who is logging in. Some IDP providers use Attribute value as documented in HOWTO: Using a SAML assertion attribute as the product username. Google IDP specifies a username in the Name ID field. So, we set the Username Mapping setting to ${NameID}. Sample Name ID from SAML Assertion response from Google

    1 2 <saml2:Subject> <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"><username@domainname.com></saml2:NameID>

  9. Specify Assertion Consumer Urls from Jira in Google IDP SAML configuration

    From Jira

    URLs to give to Identity provider.

    To Google SAML Configuration

    URLs placed in Google SAML Configuration.

  10. (Optional) Check the Signed Response box if your service provider requires the entire SAML authentication response to be signed. If this is unchecked (the default), only the assertion within the response is signed.

  11. Specify Name ID format in Google SAML Configuration. Select appropriate Name ID format as per your requirement. The default Name ID is the primary email

  12. (Optional) On the Attribute mapping page, click Add another mapping to map additional attributes. Specify Attribute Mapping to map from Google directory to Service provider attributes.

  13. Click Finish in Google SAML Configuration.

  14. In the Jira SAML configuration, specify the remaining parameters and save the configuration.

  15. To have the SAML application available for users, turn the service on.

  16. Test SAML-Sign on either Google or Jira to verify SAML integration.

    1. From Jira: By Navigating to Authentication Methods .

    2. From Google: Click on TEST SAML LOGIN.

Updated on March 14, 2025
Platform
Data Center only
Product
Jira Software Data Center
On this pageSummarySolution

Still need help?

The Atlassian Community is here for you.
Ask the Community