
Introduction

This guide provides step-by-step instructions on how to add Ping Federate as an identity provider in JIRA using Kantega Single Sign-on.

The guide can also be used when setting up SAML with Confluence, Bitbucket, Bamboo and FeCru.


Adding an SP Connection in Ping Federate

  • Press Create New

Connection Type

  • Select Connection Template: Browser SSO Profiles 

Connection Options

  • Select Browser SSO
  • Press Next

Configuring Kantega Single Sign-on

Add identity provider

  • In Kantega Single Sign-on select Any SAML 2.0 Identity Provider

Prepare

  • Copy the metadata URL or download the file

Import Metadata

  • Select the desired metadata import option
  • Press Next

Metadata Summary

  • Review the metadata summary
  • Press Next

General Info

  • Fill in the fields (if not using metadata)
    • Entity ID
    • Connection Name 
    • Base URL
  • Press Next

Browser SSO

  • Select Configure Browser SSO
  • Press Next

SAML Profiles

  • Select whether you want IDP-Initiated SSO, SP-Initiated SSO or both
  • Press Next

Assertion Lifetime

  • Accept the default assertion lifetime
  • Press Next

Assertion Creation

  • Select Configure Assertion Creation

Identity Mapping

  • Select Standard Identity Mapping
  • Press Next

Attribute Contract

This step may be skipped if the user should not be automatically created in JIRA.

  • Extend the contract with the fields from the table below
  • Press Next

Extend the Contract    Attribute Name Format
email                  urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
givenName              urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
surname                urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
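
Once the connection is active, a decoded assertion from a test login can be checked against the attribute contract in the table above. This is an added example, not code from Kantega or Ping Identity; the sample assertion and its values are constructed.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
CONTRACT = ("email", "givenName", "surname")  # names from the contract table

# Constructed sample assertion (signature and conditions left out for brevity).
# givenName omits NameFormat; surname is sent with the wrong format.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="givenName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="surname"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_attribute_contract(assertion_xml, contract=CONTRACT):
    """Return {attribute name: finding} for contract entries that deviate."""
    # Parse only assertions you captured yourself; use defusedxml for untrusted XML.
    root = ET.fromstring(assertion_xml)
    seen = {}
    for attr in root.iter(SAML + "Attribute"):
        values = [v.text or "" for v in attr.findall(SAML + "AttributeValue")]
        # SAML 2.0 core: an absent NameFormat means "unspecified".
        seen[attr.get("Name")] = (attr.get("NameFormat", UNSPECIFIED), values)
    findings = {}
    for name in contract:
        if name not in seen:
            findings[name] = "missing"
            continue
        name_format, values = seen[name]
        if name_format != UNSPECIFIED:
            findings[name] = "unexpected NameFormat: " + name_format
        elif not any(v.strip() for v in values):
            findings[name] = "empty value"
    return findings


if __name__ == "__main__":
    print(check_attribute_contract(SAMPLE_ASSERTION))
```
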


Authentication Source Mapping

  • Select Map New Adapter Instance

Adapter Instance
  • Choose your preferred Adapter Instance
  • In this example we create: PingOne HTML Form Adapter
  • Press Next

Mapping Method
  • Select Use Only The Adapter Contract Values In The SAML Assertion
  • Press Next

Attribute Contract Fulfillment
  • Select the values for SAML_SUBJECT, email, givenName and surname
  • Press Next

Issuance criteria
  • Optionally add Issuance Criteria
  • Press Next

IDP Adapter Mapping Summary
  • Review the Summary
  • Press Done

Assertion Creation

  • You have now completed Map New Adapter Instance
  • Select Map New Authentication Policy

Authentication Policy Contract

  • Choose an already existing Authentication Policy Contract or press Manage Authentication Policy Contracts
  • In this example we create a new policy contract 

Manage Contracts

  • Select Create New Contract

Contract Info
  • Give the contract a name
  • Press Next

Contract Attributes

Extend the contract with the following attributes:

  • email
  • givenName
  • surname
  • userPrincipalName

After adding the attributes, press Next

Authentication Policy Contract Summary
  • Review the Summary
  • Press Done

Authentication Policy Contracts
  • You have now added a new Authentication Policy Contract
  • Press Save

Selecting an Authentication Policy Contract
  • Select the desired Authentication Policy Contract
  • Press Next

Mapping Method

  • Select Use Only The Authentication Policy Contract Values In The SAML Assertion
  • Press Next

Attribute Contract Fulfillment

  • Map the Attribute Contract Attribute to the corresponding Value
  • Press Next

Issuance Criteria

  • Optionally add Issuance Criteria
  • Press Next

Authentication Policy Mapping Summary

  • Review the Summary
  • Press Done

Authentication Source Mapping 

  • You have now completed 
    • Map New Adapter Instance
    • Map New Authentication Policy
  • Press Next

Assertion Creation Summary

  • Review the Summary
  • Press Done

Assertion Creation

  • You have now completed the Assertion Creation
  • Press Next

Protocol Settings

  • Press Configure Protocol Settings

Assertion Consumer Service URL

  • The Endpoint URL should be automatically filled from the metadata 
  • When not using metadata, add the ACS URL from the Prepare step in Kantega Single Sign-on
  • Note that in this example we use the URL relative to the Base URL configured in General Info
  • Press Next

Allowable SAML Bindings

  • Set Redirect as the Allowable SAML Binding
  • Press Next

Signature Policy

  • You can choose to have the assertion signed or not
  • Press Next

Encryption Policy

  • Select whether you want the assertion encrypted as well
  • Encrypted assertions are not covered by this guide
  • Press Next

Protocol Settings Summary

  • Review the Summary
  • Press Done

Protocol Settings

  • You have now completed the Protocol Settings
  • Press Next, then Done

Browser SSO

  • You have now completed the Browser Configuration
  • Press Next

Credentials

  • Select Configure Credentials

Digital Signature Settings

  • Select an already existing certificate or create a new one
  • If you are creating a new certificate, press Manage Certificates

Manage Digital Signing Certificates

  • Press Create New

Create Certificate
  • Fill the required fields 
  • Choose how long the certificate should be valid
  • Press Done

Create Certificate Summary
  • Review the Summary
  • Press Done

Manage Digital Signing Certificates

  • Make sure the desired certificate is active
  • Press Save

Digital Signature Settings

  • Select Include The Certificate In The Signature <KeyInfo> Element
  • Press Done

Credentials

  • You have now completed Credentials
  • Press Next

Activation and Summary

  • Select Connection Status: Active
  • Press Save

Metadata Export

  • Navigate to Server Configuration
  • Select Metadata Export

Metadata Mode

  • Select Use A Connection For Metadata Generation
  • Press Next

Connection Metadata

  • Select the connection
  • Press Next

Metadata Signing

  • Select the signing certificate
  • Check Include This Certificate's Public Key In The Certificate <KeyInfo> Element
  • Press Next

Export & Summary

  • Export the metadata (Press Export)
  • Press Done

Configuring Kantega Single Sign-on

Prepare

  • In Kantega Single Sign-on, press Next

Metadata import

  • Select the exported metadata from Ping Federate
  • Press Next

Location

  • Give the IDP a proper name
  • The SSO redirect URL is imported from the metadata


Signature

  • Review the imported signing certificate (this step is purely informational)
  • Press Next

Users

  • Select whether users already exist or if you wish to have users automatically created upon login
  • Optionally assign a default group for new users

Summary

  • Review the Summary
  • Press Finish

Identity Provider Login Test

It's now time to perform a test login. Open the URL in an incognito window.

Testing in an incognito window

  • The IDP test page is anonymously viewable
  • Press Run test


  • Perform a test login


  • Test login has been recorded
  • You may close the window


  • Press See test results


  • Select Results


  • Add the domain as a known domain for this IDP


  • Choose the SAML username attribute (Name ID is default)


  • Now is a good time to choose the preferred Redirect mode


Users should now be able to log into JIRA using Ping Federate.
