• Documentation

Configure SAML single sign-on for portal-only customers

Connect an identity provider and configure single sign-on for your customers.

Who can do this?
Role: Organization admin
Plan: Atlassian Guard Standard

Don’t use this feature if you intend to provision and sync accounts for portal-only customers or users because this feature is designed to authenticate portal-only customers for Jira Service Management only.

You can provision and sync managed users and external users to your organization. Learn more about user provisioning

About SAML single sign-on for portal-only customers

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, such as an identity provider and a service provider.

SAML for single sign-on (SSO) allows your customers to authenticate through your organization's identity provider when they log in to your Jira Service Management help center. Customers only need to log in one time to access multiple portals for one help center during an active session.

Customers outside your organization can only access your Jira Service Management help center. We don’t count these customers toward your subscription. Learn more about Jira Service Management customer accounts

You can set up single sign-on for internal customers (e.g. employee customers) with Atlassian accounts. Learn more about configuring SAML SSO with an identity provider for users in your organization

SAML single sign-on with authentication setting

After you configure SAML single sign-on with your identity provider, you need to enable single sign-on through Jira settings for Jira Service Management. Learn more about authenticating your portal-only customers

Before you begin

Here's what you must do before you set up SAML single sign-on.

  • Subscribe to Atlassian Guard Standard from your organization. Understand Atlassian Guard

  • Make sure you're an admin for an Atlassian organization. 

  • Add an identity provider to Jira Service Management. How to add an identity provider for portal-only customers

  • Check that your Atlassian product and your identity provider use the HTTPS protocol to communicate and that the configured product base URL is the HTTPS one.

Here’s what we recommend you do before you set up SAML single sign-on.

  • Make sure the clock on your identity provider server is synchronized with NTP. SAML authentication requests are only valid for a limited time.

  • Go to the Authentication page under your Jira settings to test the single sign-on experience before enabling SSO for all your portal-only customers. Learn more about testing single sign-on for customer login

Supported identity providers

Your SAML SSO setup depends on the identity provider. The Atlassian support team can help you with the setup instructions for supported identity providers.

You’re unable to use your identity provider’s pre-configured Atlassian Cloud applications or apps to configure SAML for portal-only customers. Apps are designed to work with SAML for Atlassian accounts.

The exact steps and terminology may vary depending on your specific identity provider, please refer to the provider’s documentation or support resources for detailed guidance if needed.

To integrate a generic application with your chosen identity provider:

  1. Log in to your chosen identity provider account.

  2. Look for the option to create your own application.

  3. Once inside the application creation area, search for the option to integrate any other application not listed in the app gallery or library.

  4. Select this option to proceed with the configuration process.

Which user management experience do you have?

To check, go to your organization at admin.atlassian.com and select Directory. If the Users and Groups lists are found here, then you are using the centralized user management. Learn more about the centralized user management

Original

Centralized

As a site administrator or organization admin, Users is found under Product site.

Original user management png

As an organization admin, Users is found under Directory tab.

Centralized user management png

 

Jump to the


Centralized user management content

Copy details from your identity provider to your Atlassian organization

  1. From your organization at admin.atlassian.com, select Products.

  2. Under Sites and products, select the site you want to configure the SAML SSO for.

  3. Under Jira Service Management, select Portal-only customers.

  4. Select (more option) > Identity providers.

  5. Select Set up SAML single sign-on.

  6. Add SAML details.

  7. Select Save.

SAML details

Description

Identity provider Entity ID

This value is the URL for the identity provider where your product will accept authentication requests.

Identity provider SSO URL

This value defines the URL your users will be redirected to when logging in.

Public x509 Certificate

This value begins with '-----BEGIN CERTIFICATE-----'.

This certificate contains the public key we'll use to verify that your identity provider has issued all received SAML authentication requests.

Copy these URLs from your Atlassian organization to your identity provider

  • Service provider entity URL

  • Service provider assertion consumer service URL

The exact steps and terminology may vary depending on your specific identity provider, please refer to their documentation or support resources for detailed guidance if needed.

To integrate a generic application with your chosen identity provider:

  1. Log in to your chosen identity provider account.

  2. Look for the option to create your own application.

  3. Once inside the application creation area, search for the option to integrate any other application not listed in the app gallery or library.

  4. Select this option to proceed with the configuration process.

  5. Select Save in your identity provider.

Available SAML attributes

When you set up your identity provider, these are your SAML attributes:

Instructions

SAML Attribute

Map to your identity provider

Required

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

User's first name

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

User's last name

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name,  OR

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

Internal Id for the user that will not change.

Note that this Id should NOT be the user's email address.

Required

NameID

User’s email

RelayState for identity provider (IDP) initiated SSO

If you need to configure an identity provider-initiated login flow, use the following relaystate URL:

<baseurl>/servicedesk/customer/portals

Configure single sign-on to authenticate your customers

We recommend that you test and then enable single sign-on for your Jira Service Managementhelp center. When you enable single sign-on your customers can access your help center using their identity credentials with the identity provider. Learn more about authenticating your portal-only customers

Delete SAML configuration for an identity provider

Once you delete the SAML configuration, your customers won’t be able to authenticate from the identity provider. Instead, they will need to use their portal-only accounts (email and password) on your site to access your help center. If a customer doesn’t have a portal-only account password, we’ll ask them to set it up at the time they attempt to log in to your help center.

Before you delete the SAML single sign-on configured for your identity provider, make sure you have disabled single sign-on and enabled password authentication. Learn how to disable single sign-on and enable password

To delete SAML single sign-on configuration for an identity provider:

  1. From your organization at admin.atlassian.com, select Products.

  2. Under Sites and products, select the site you want to delete the SAML configuration for.

  3. Under Jira Service Management, select Portal-only customers.

  4. Select (more option) > Identity providers.

  5. Select the directory you want to delete the SAML configuration.

  6. Select View SAML configuration > Delete configuration.

When you delete the SAML configuration, you still have a subscription to Atlassian Guard Standard. If you want to unsubscribe, go to Unsubscribe from Atlassian Guard Standard.


Original user management content

Copy details from your identity provider to your Atlassian organization

  1. Go to your site's Admin at admin.atlassian.com. If you're an admin for multiple sites or an organization admin, click the site's name and URL to open the Admin for that site.

  2. Select Jira Service Management.

  3. Select (more option) > Identity providers.

  4. Select Set up SAML single sign-on.

  5. Add SAML details.

  6. Select Save.

SAML details

Description

Identity provider Entity ID

This value is the URL for the identity provider where your product will accept authentication requests.

Identity provider SSO URL

This value defines the URL your users will be redirected to when logging in.

Public x509 Certificate

This value begins with '-----BEGIN CERTIFICATE-----'.

This certificate contains the public key we'll use to verify that your identity provider has issued all received SAML authentication requests.

Copy these URLs from your Atlassian organization to your identity provider

  • Service provider entity URL

  • Service provider assertion consumer service URL

The exact steps and terminology may vary depending on your specific identity provider, please refer to their documentation or support resources for detailed guidance if needed.

To integrate a generic application with your chosen identity provider:

  1. Log in to your chosen identity provider account.

  2. Look for the option to create your own application.

  3. Once inside the application creation area, search for the option to integrate any other application not listed in the app gallery or library.

  4. Select this option to proceed with the configuration process.

  5. Select Save in your identity provider.

Available SAML attributes

When you set up your identity provider, these are your SAML attributes:

Instructions

SAML Attribute

Map to your identity provider

Required

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

User's first name

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

User's last name

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name,  OR

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

Internal Id for the user that will not change.

Note that this Id should NOT be the user's email address.

Required

NameID

User’s email

RelayState for identity provider (IDP) initiated SSO

If you need to configure an identity provider-initiated login flow, use the following relaystate URL:

<baseurl>/servicedesk/customer/portals

Configure single sign-on to authenticate your customers

We recommend that you test and then enable single sign-on for your Jira Service Managementhelp center. When you enable single sign-on your customers can access your help center using their identity credentials with the identity provider. Learn more about authenticating your portal-only customers

Just-in-time provisioning with SAML

Just-in-time provisioning is supported during both service provider-initiated and identity provider-initiated flows.

You need to be a Jira admin to enable single sign-on for your Jira Service Management site:

  1. Go to the Jira settings > Products > Authentication. Learn more about configuring settings to authenticate your portal-only customers

  2. Make sure that you have the option Enable single sign-on selected and saved.

Once these settings have been confirmed, a new customer will go to your help center URL https://INSTANCE.atlassian.net/servicedesk/customer/portals to just-in-time provision a portal-only account.

The service provider-initiated login experience in the help center will be:

  1. The customer navigates to https://INSTANCE.atlassian.net/servicedesk/customer/portals 

  2. The customer enters their Email address and selects Continue.

  3. The customer selects Continue with single sign-on and is redirected to their identity provider.

If the customer successfully authenticates against the identity provider (or has a cached session), we automatically create a portal-only customer account for them, and they're redirected back to the help center website that initiated the login.

Delete SAML configuration for an identity provider

Once you delete the SAML configuration, your customers won’t be able to authenticate from the identity provider. Instead, they will need to use their portal-only accounts (email and password) on your site to access your help center. If a customer doesn’t have a portal-only account password, we’ll ask them to set it up at the time they attempt to log in to your help center.

Before you delete the SAML single sign-on configured for your identity provider, make sure you have disabled single sign-on and enabled password authentication. Learn how to disable single sign-on and enable password

To delete SAML single sign-on configuration for an identity provider:

  1. Go to your site's Admin at admin.atlassian.com. If you're an admin for multiple sites or an organization admin, click the site's name and URL to open the Admin for that site.

  2. Select Jira Service Management.

  3. Select (more option) > Identity providers.

  4. Select the directory you want to delete the SAML configuration.

  5. Select View SAML configuration > Delete configuration.

When you delete the SAML configuration, you still have a subscription to Atlassian Guard Standard. If you want to unsubscribe, go to Unsubscribe from Atlassian Guard Standard.

Still need help?

The Atlassian Community is here for you.