Page tree
Skip to end of metadata
Go to start of metadata


This guide provides step-by-step instructions on how to add Duo Access Gateway as an identity provider in JIRA using Kantega Single Sign-on
The guide can also be used when setting up SAML with Confluence, Bitbucket, Bamboo and FeCru

Prior to this guide we have set up:

Adding an identity provider

In Kantega Single Sign-on add an identity Provider of the type "Any SAML 2.0 Identity Provider".


  • Copy the ACS URL and save it for later (the ACS URL and Entity ID is identical)
  • Go to the next step (Protect an Application in Duo)

Protect an Application in Duo

Log into Duo and select Applications, then Protect an Application

SAML - Service Provider

  • Search for SAML - Service Provider
  • Select Protect this application

Configure SAML Service Provider

  • Give the Service Provider a name
  • Paste the ACS URL from the Prepare step into the following fields:
    • Entity ID
    • Assertion Consumer Service
    • Service Provider Login URL (if you want IDP initiated login)
  • Press Save Configuration


  • Scroll down to Settings and choose a proper name to be displayed to Duo Push users
  • Save the changes

Download your configuration file

The json file is used when setting up in Duo Access Gateway

  • Download the json configuration file

Configure the application in Duo Admin Console

Metadata export (optional)

If your JIRA server has direct access to the metadata from Duo Access Gateway you can skip to the next step (preferred)

If the JIRA server does not have access to the metadata URL, download the file

Metadata import


  • Give the IDP a proper name
  • The SSO redirect URL is imported from the metadata
  • Press Next


  • Review the imported signing certificate (This step is purely informatinal)
  • Press Next


  • Select whether users already exist or if you wish to have users automatically created upon login.
    • To automatically create users, Duo needs to send a Name and the email in addition to the user name attribute (Not covered in this guide)


  • Review the Summary
  • Press Finish

Identity Provider Login Test

It´s now time to perform a test login. 

  • Copy the usertest URL
  • Open the URL in an in incognito window

Testing in an incognito window

  • The IDP test page is anonymously viewable. This is useful if the Duo user does not have JIRA admin accees
  • Press Run test

Perform a test login.

If the user has two factor enabled perform a duo push or enter a passcode received on sms

After performing a test login, you may close the incognito window

SSO test results

  • Go back to Test Results 
  • Select Results

Add as a known domain for this IDP

A user with the username was found in JIRA Internal Directory

Redirect mode

After setting up SSO, choose a redirect mode that best fit your use case

Users should now be able to log into JIRA using DUO

  • No labels