Can SAML and Kerberos work in combination?
Yes! When both SAML and Kerberos are configured, Active Directory joined devices can benefit from password-less SSO with Kerberos, while mobile phones and other standalone devices are offered SAML SSO.
Which Identity Providers do you support?
We have made step-by-step instructions for the most common IDPs. If your IDP is not listed, then choose "Any SAML 2.0 provider" in the setup wizard.
If you want to add a vote for your IDP to be added to the setup wizard, don't hesitate to reach out to us.
Do we need to make any file system changes to offer SAML to mobile devices or JIRA Service Desk?
No, there is no need to make file system changes. Installing Kantega Single Sign-on will give you SSO to both JIRA and JIRA Service Desk.
What are known domains?
Known domains are both a security feature and the mechanism that lets the plugin redirect the user to the correct IDP.
Let's say you have a user firstname.lastname@example.com. If example.com is a known domain for one IDP, we can redirect the user to that IDP.
If example.com is a known domain for two or more IDPs, the user must choose. Remember to select a good name for your IDP.
If known domains is set to "Trust identity provider to login users from any domain", the IDP can potentially authenticate users from another domain.
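The known-domains behaviour described above, sketched as an added example (this is not Kantega's code; the class and function names, the "*" marker for the trust-any setting, and the sample IDPs are all hypothetical, and enforcing the check on the asserted user name is an assumption about how such a feature would work):

```python
from dataclasses import dataclass, field

# Hypothetical marker for "Trust identity provider to login users from any domain".
TRUST_ANY = "*"

@dataclass
class Idp:
    name: str
    known_domains: set = field(default_factory=set)

    def trusts(self, domain: str) -> bool:
        return TRUST_ANY in self.known_domains or domain in self.known_domains

def domain_of(username: str) -> str:
    """Return the lower-cased domain; reject names without exactly one '@'."""
    local, sep, domain = username.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not a user@domain name: {username!r}")
    return domain.lower()

def candidate_idps(username, idps):
    """Routing step: 0 matches = no redirect, 1 = redirect, 2+ = user must choose.
    Assumption: only explicitly listed domains are used for routing."""
    domain = domain_of(username)
    return [idp.name for idp in idps if domain in idp.known_domains]

def accept_assertion(idp, asserted_username):
    """Security step: accept a login only if the asserting IDP is allowed
    to vouch for the domain of the user name it asserted."""
    try:
        return idp.trusts(domain_of(asserted_username))
    except ValueError:
        return False  # malformed names are rejected, never guessed at

# Constructed sample configuration.
IDPS = [
    Idp("corp-idp", {"example.com"}),
    Idp("partner-idp", {"example.com", "partner.example"}),
    Idp("legacy-idp", {TRUST_ANY}),
]

if __name__ == "__main__":
    print(candidate_idps("firstname.lastname@example.com", IDPS))
    print(accept_assertion(IDPS[0], "admin@partner.example"))
    print(accept_assertion(IDPS[2], "admin@partner.example"))
```

With the trust-any setting, legacy-idp is accepted for a partner.example user even though another IDP owns that domain, which is the exposure the setting creates.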
Can we add multiple Identity Providers?
Yes, add as many as you like!
Is logging in with mobile devices supported?
Yes, JIRA Mobile and Confluence Mobile clients are offered SAML login.
Do you support SAML for JIRA Service Desk?
Yes, both JIRA Service Desk agents and customers are offered SAML login.
How are SAML users mapped to accounts in User Directories?
The chosen SAML user name attribute is matched against existing user directories in the order they appear in the User Directory list.
What user directories are supported?
All user directories are supported. Your users may reside in the Internal User Directory, Active Directory, Crowd, atlassian-user.xml, etc.
Can SAML login be bypassed?
Yes, adding ?nosaml to the login URL will present the standard username/password screen. This is relevant if you want to log into a local administrator account when automatic redirect to the SAML identity provider is enabled.
Do application links work with our add-on?
Our add-on does not affect how application links work. This is because users do not have to authenticate to each application. We recommend using OAuth Impersonation application links when setting this up.
I am asked for a password to enter the admin section and am not able to proceed since my identity has been established through SAML?
This is by design and is activated by default in Jira and Confluence. If you would like SAML users to be able to enter the admin section without entering their passwords, Atlassian has a way of disabling secure administrator sessions (WebSudo).