Page tree

Upgrading to Jira 8? - Important notice: https://docs.kantega.no/pages/viewpage.action?pageId=57278555





Skip to end of metadata
Go to start of metadata

Background

Atlassian applications perform authorization by looking at the user's group memberships. Group Memberships are usually delegated to external User Directories such as Microsoft Active Directory.

However, this might not work for all use cases:

  • User accounts might live in a directory which is not supported by Atlassian's Embedded Crowd     
  • The application might be hosted in an environment which lacks network access to the directory 

In these cases, its useful to allow Kantega SSO to manage group memberships based on Group Claims included in the SAML response. We call this feature "Managed groups".

Managed groups

When a group is configured as managed, the following will happen when a user is logged in:

  • Does the SAML response include a group claim for the managed group? If so, make sure the user is added as a member.
  • No group claim found for the managed group? Make sure the user is removed from the group.

Only groups which are explicitly configured as managed by Kantega SSO will be affected by this feature. All other groups will be be ignored.

Configuring your identity provider

 Configure AD FS to send group claims

AD FS needs to be configured to send group claims.

From the AD FS Management, right click on the relaying party trust (e.g. 17gu85ydc9ji2@issues.example.com) and select Edit Claim Issuance Policy or Edit claim rules (AD FS 3.0 and 2.0)




Select Add Rule, then Send Group Membership as a Claim.


Choose a rule name

Select a group that users are members of 

Outgoing claim type: Group

The group value sent by AD FS (this value must match a group found in JIRA)

Add a rule for each group to be sent as a SAML group claim.


Once AD FS has been configured to send group claims. A test should be run. 


      Configure Keycloak to send manage groups


       Other identity providers

       Please contact our support team, we'll be happy to help you set up your identity provider with group claims


Once your identity provider is configured it's useful to run a SAML authentication test to verify that the identity provider actually sends the expected group claims.
Verify that your identity provider sends group claim

This test result shows that Mark Miller is a member of the jira-software-users group:

Configuring groups

There are two different ways of setting up groups your users are added to during SAML login.

Setting up Managed groups, see screenshot below) will only add a group to a user during login if this user has the same group in his SAML response. So for the user above, which only has jira-software-users as a SAML claim, will only get the role jira-software-users (and not jira-administrators).

Setting up groups in Default groups will give the selected groups to all users logging in via SAML. So in the example below, all users will be given the group Users during login. The group Users is only an example.


In the test results page, the following change to managed group during login may appear:

Also "No change" and "Will be removed" are valid messages for changes for Managed groups.



  • No labels