Articles in this section

Configuring SAML for JIRA (On-Premise)

Note: This plugin fully supports JIRA 6.0, 6.1, 6.2, 6.3. We have open-sourced the plugin, which you can get at https://github.com/onelogin/atlassian so that customers can modify it to support later versions.

This article explains how to set up single sign-on (SSO) for Atlassian JIRA using OneLogin's SAML plugin for JIRA. 

You perform this setup in two steps:

1. Set up OneLogin

2. Install and configure the OneLogin JIRA plugin

Setting up OneLogin

  1. Go to Apps > Find Apps. Search for and select the JIRA connector that supports SAML 2.0.
  2. On the Add JIRA page, select a Connector Version of SAML 2.0 and click Save to add the app and display the additional configuration tabs.

  3. On the Configuration tab, enter the JIRA login URL.

    Enter the login URL of the JIRA server, using the format https://hostname:port without a trailing slash "/". For example, https://jiraserver:8080.

  4. On the Parameters tab, select how credentials are configured and map the JIRA Username field to a OneLogin attribute.

    Typically, the JIRA Username should be set to Email name part.

  5. On the SSO tab, copy the SAML 2.0 Endpoint (HTTP) URL and click View Details under the X.509 Certificate field to copy the certificate.

    You will add these to your jira_onelogin.xml file in a later step.

  6. On the Access tab, assign the JIRA app to OneLogin roles.
  7. Click Save.

Installing and configuring the JIRA plugin

  1. Download the following files to the machine that hosts your JIRA service:

    customauth-jira-6.1.2.jar Download

    jira_onelogin.xml Download

    Ensure that your JIRA_USER has read permission on these files. To perform this configuration, you must be logged in as a user with write permission on these files and the files in your JIRA_INSTALL directory.

  2. Edit jira_onelogin.xml to add the X.509 certificate and SAML 2.0 Endpoint that you copied above.

    Paste the certificate between the <certificate></certificate> tags, removing all line feeds or carriage returns in the certificate value.

    Paste the SAML 2.0 Endpoint between the <ssotarget></ssotarget> tags.

    <config><certificate>MIICMTCCAiWgAwIBAgIBATADBgEAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQHDAMA8GA1UECgwIT25lTG9naW4xGTAXBgNVBAMMEGFwcC5vbmVsb2dpbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKvNTqqXMUv2kbVIaAeov5qOaVrbDQwj/65aaCs8CuXwC1Ks69Z3/D5qGHLDqVCR7+BhbVEiZRK/tb/LcW1qsFySXlgbGY5zqvHXjQ2ChYDofpTV8iMr7klHBXweP+pxvrknsmMUxlmaH7gcvRBN9UkdXds0pXTYBho0TnCDljEvktwKg7e02FyUgwM1xSJSYTm3IDVNSyfWiZ4H51vOUz80ulIUoHtu5WHPdvzP3vdokRbW5akN/rE2T6ws0CuTdd+LKyxdIuuJP3MseMG8HIf9C/4wWXkxWB9amCzujsmBJuaEduKX0OP7T8XyOZoQ7A0BjMl8eqxx/rOmr6O0ztAgMBAAEwAwYBAAMBAA==</certificate>
<assertion>http://server1:8080/login.jsp</assertion>
<issuer>http://server1:8080/secure/Dashboard.jspa</issuer>
<ssotarget>https://app.onelogin.com/saml/signon/49097</ssotarget>
</config>

  3. Copy jira_onelogin.xml into JIRA_INSTALL and JIRA_INSTALL/bin.

    The default location of the JIRA_INSTALL directory depends on the installation platform:

    Linux: /opt/atlassian/jira

    Windows: c:\Program Files\Atlassian\JIRA

    Your installation directory may be different.

  4. Copy customauth-jira-6.1.2.jar into JIRA_INSTALL/atlassian-jira/WEB-INF/lib.

  5. Edit JIRA_INSTALL/atlassian-jira/WEB-INF/classes/seraph-config.xml.

    1. Modify the link.login.url parameter.

      Find <param-name>link.login.url</param-name> and make sure the corresponding <param-value> value is:

      <param-value>/login.jsp?os_destination=${originalurl}</param-value>

    2. Comment out (<!-- -->) the following line:

      <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/>

    3. Add the following line before the <service> tag:

      <authenticator class="com.onelogin.jira.saml.SSOAuthenticator"/>

  6. Edit JIRA_INSTALL/atlassian-jira/includes/loginform.jsp.

    1. Find the following line:

      <%@ page import="com.atlassian.jira.web.filters.JiraLoginInterceptor" %>

    2. Add the following immediately after:

      <%@ page import= "com.onelogin.jira.saml.SSOAuthenticator" %>

    3. Find the following line:

      request.setAttribute("loggedInUser", jiraAuthenticationContext.getLoggedInUser() == null ? null : jiraAuthenticationContext.getLoggedInUser().getDisplayName());

    4. Add the following immediately after:

      if(request.getParameter("SAMLResponse") == null)
  {
      String redirectURL = 
      request.getSession().getAttribute("reqString").toString();
      response.sendRedirect(redirectURL);
   }else{
 
      if(jiraAuthenticationContext.getLoggedInUser() != null)
      {
 
          if(request.getSession().getAttribute("os_destination") != null)
          {
              String os_destination = 
                  request.getSession().getAttribute("os_destination").toString();
                  response.sendRedirect(os_destination);
          }else{
              response.sendRedirect("/");
          }
       }
   }

  7. Edit JIRA_INSTALL/atlassian-jira/secure/views/dashboard.jsp.

    Find the line wrm.requireResourcesForContext("jira.dashboard"); and add the following immediately after (and before the line with %>):

    
if(request.getSession().getAttribute("os_destination") != null){
  String os_destination =  request.getSession().getAttribute("os_destination").toString();
    request.getSession().setAttribute("os_destination",null);
     response.sendRedirect(os_destination);
  }
  8. Restart the Atlassian JIRA service.