Atlassian applications perform authorization by looking at the user's group memberships. Group Memberships are usually delegated to external User Directories such as Microsoft Active Directory.
However, this might not work for all use cases:
- User accounts might live in a directory which is not supported by Atlassian's Embedded Crowd
- The application might be hosted in an environment which lacks network access to the directory
In these cases, it's useful to allow Kantega SSO to manage group memberships based on group claims included in the SAML response. We call this feature "Managed groups".
When a group is configured as managed, the following will happen when a user is logged in:
- Does the SAML response include a group claim for the managed group? If so, make sure the user is added as a member.
- No group claim found for the managed group? Make sure the user is removed from the group.
Only groups which are explicitly configured as managed by Kantega SSO will be affected by this feature. All other groups will be ignored.
Configuring your identity provider
AD FS needs to be configured to send group claims.
From the AD FS Management console, right-click the relying party trust (e.g. email@example.com) and select Edit Claim Issuance Policy, or Edit Claim Rules on AD FS 3.0 and 2.0.
Select Add Rule, then Send Group Membership as a Claim.
Choose a rule name
Select a group that users are members of
Outgoing claim type: Group
Outgoing claim value: the group value sent by AD FS (this value must match a group found in JIRA)
Add a rule for each group to be sent as a SAML group claim.
Once AD FS has been configured to send group claims, a test should be run.
Other identity providers
Please contact our support team; we'll be happy to help you set up your identity provider with group claims.
Once your identity provider is configured, it's useful to run a SAML authentication test to verify that the identity provider actually sends the expected group claims.
Verify that your identity provider sends group claims
This test result shows that Mark Miller is a member of the jira-software-users group:
There are two different ways of setting up groups your users are added to during SAML login.
Setting up Managed groups (see screenshot below) will only add a group to a user during login if the same group is present in that user's SAML response. So the user above, who only has jira-software-users as a SAML group claim, will only be given jira-software-users (and not jira-administrators).
Setting up groups under Default groups will give the selected groups to all users logging in via SAML. In the example below, all users will be given the group Users during login; the group Users is only an example.
In the test results page, the following change to a managed group during login may appear:
"No change" and "Will be removed" are also valid messages for Managed group changes.
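As an added example (not Kantega SSO's own code), the managed-group and default-group rules above in Python: it extracts the group claim values from a constructed SAML assertion and reconciles one user's memberships, reporting the per-group change message the test results page shows. The Group claim type URI, the sample assertion, the starting memberships and the wording "Will be added" for the third message are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim type assumed for the AD FS "Group" outgoing claim type.
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample: the assertion for a user whose only group claim is
# jira-software-users. Assumes the SSO module has already validated the
# assertion's signature before any group handling happens.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>jira-software-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def group_claims(assertion_xml, claim_type=GROUP_CLAIM):
    """Return the set of group names carried by the group claim."""
    root = ET.fromstring(assertion_xml)
    groups = set()
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != claim_type:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.add(value.text.strip())
    return groups


def reconcile(current, claims, managed, default):
    """Apply the managed/default rules to one login; returns (new memberships,
    {managed group: change message}). Groups that are neither managed nor
    default are left untouched, exactly as the feature description says."""
    new = set(current) | set(default)  # default groups go to every SAML user
    changes = {}
    for group in managed:
        if group in claims:
            changes[group] = "No change" if group in current else "Will be added"
            new.add(group)
        else:
            changes[group] = "Will be removed" if group in current else "No change"
            new.discard(group)
    return new, changes
```

A claim for a group that is not configured as managed (e.g. a directory-only group) is deliberately ignored by `reconcile`, which is the behaviour to check when a test result shows a group that never appears in the change list.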