Can SAML and Kerberos work in combination?
Yes! When both SAML and Kerberos is configured, Active Directory joined devices can benefit from password-less SSO with Kerberos, while mobile phones and other standalone devices are offered SAML SSO.
Which Identity Providers do you support?
We have made step-by-step instructions for the most common IDPs. If you IDP is not listed, then choose "Any SAML 2.0 provider" in the setup wizard.
If you want to add a vote for your IDP to be added to the setup wizard, don`t hesitate to reach out to us.
Do we need to make any file system changes to offer SAML to mobile devices or JIRA Service Desk?
No, there is no need to make file system changes. Installing Kantega Single Sign-on will give you SSO to both JIRA and JIRA Service Desk.
What is known domains?
Known domains is both a security feature, and enables the plugin to redirect the user to the correct IDP.
Lets say you have a user email@example.com. If example.com is a known domain to one IDP, we can redirect the user to that IDP.
If example.com is a known domain for two or more IDP, the user must choose. Remember to select a good name for your IDP.
If known domains is set to "Trust identity provider to login users from any domain", potentially, the IDP can authenticate users from another domain.
Can we add multiple Identity Providers?
Yes, add as many as you like!
Is logging in with mobile devices supported?
Yes, JIRA Mobile and Confluence Mobile clients are offered SAML login.
Do you support SAML for JIRA Service Desk?
Yes, both JIRA Service Desk agents and customers are offered SAML login.
How are SAML users mapped to accounts in User Directories?
The chosen SAML user name attribute are matched against existing user directories in the order they appear in the application itself.
What user directories are supported?
Actually, all user directories are supported. Your users may reside in Internal User Directory, Active Directory, Crowd, atlassian-user.xml etc.
Can SAML login be bypassed?
Yes, adding ?nosaml to the login URL will present the standard username/password screen.
Does application links work with our add-on?
Our add-on ignores does not affect how application links work. Because users don`t have to authenticate to each application, we recommend using OAuth Impersonation application links.
How do i get a license?
https://my.atlassian.com. Licenses are bought from Atlassian Marketplace or through your preferred Atlassian Expert
Can we extend our trial beyond 30 days?
Sure, here are direct links to where you can generate new licenses.
- New evaluation license for JIRA
- New evaluation license for Confluence
- New evaluation license for Bitbucket
- New evaluation license for Bamboo
- New evaluation license for FishEye/Crucible
Which license tier do I need when purchasing an add-on?
See Atlassian's licensing FAQ: https://www.atlassian.com/licensing/marketplace#licensingandpricing-1
"Purchase the license tier that matches the number of users you have licensed for your host application. For example, if you have a 25-user Confluence license, purchase the Confluence add-on at the 25-user tier.
The add-on will only function if its license matches or exceeds the tier of the host application – even if only some of your licensed users need to use the add-on."
For JIRA, the license has to match the highest application tier. If you have a 500-user JIRA Software license, and a 250-user Core license, then the license needs to be at the 500 level.
JIRA Service Desk customers can log in with our add on for free since they are not counted against the user tier.
25 JIRA service desk agents and 10000 service desk customers = Kerberos 25 user license
50 JIRA service desk agents, 10000 service desk customers, 500 JIRA Software Users = Kerberos 500 user license
I am receiving an error saying "The NotBefore condition of the SAML assertion failed"
This error means that there is a clock skew of more than 60 seconds. The time between your IDP and the server hosting your application is out of sync.
Note that for security reasons we do not offer to change the maximum time skew.