Yes! When both SAML and Kerberos are configured, Active Directory joined devices can benefit from password-less SSO with Kerberos, while mobile phones and other standalone devices are offered SAML SSO.
We have made step-by-step instructions for the most common IDPs. If your IDP is not listed, then choose "Any SAML 2.0 provider" in the setup wizard.
If you want to add a vote for your IDP to be added to the setup wizard, don't hesitate to reach out to us.
No, there is no need to make file system changes. Installing Kantega Single Sign-on will give you SSO to both JIRA and JIRA Service Desk.
Known domains is both a security feature and the mechanism that enables the plugin to redirect the user to the correct IDP.
Let's say you have a user email@example.com. If example.com is a known domain for one IDP, we can redirect the user to that IDP.
If example.com is a known domain for two or more IDPs, the user must choose. Remember to select a good name for your IDP.
If known domains is set to "Trust identity provider to login users from any domain", the IDP can potentially authenticate users from another domain.
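The known-domains rules described above, sketched in Python as an added illustration (this is not Kantega SSO's own code). The class and function names, the trust_any_domain flag, and the sample IDPs and the partner.example domain are assumptions made for the example.

```python
# Added illustration of the known-domains rules; not Kantega SSO source code.
from dataclasses import dataclass, field


@dataclass
class Idp:
    name: str
    known_domains: set = field(default_factory=set)
    # Models "Trust identity provider to login users from any domain".
    trust_any_domain: bool = False


def domain_of(username: str) -> str:
    """Lower-cased domain part of user@domain, or '' when malformed."""
    local, sep, domain = username.strip().rpartition("@")
    return domain.lower() if sep and local and domain else ""


def candidate_idps(username: str, idps: list) -> list:
    """IDPs that list the user's domain: one hit means redirect, several
    mean the user must choose. Trust-any IDPs are left out of routing here
    because the page does not say how they are offered (assumption)."""
    domain = domain_of(username)
    return [i.name for i in idps if domain and domain in i.known_domains]


def accept_assertion(idp: Idp, asserted_username: str) -> bool:
    """Security side: accept a login only when the asserting IDP is
    trusted for the domain of the user it claims to have authenticated."""
    domain = domain_of(asserted_username)
    if not domain:
        return False
    return idp.trust_any_domain or domain in idp.known_domains


# Constructed sample configuration.
ADFS = Idp("Corporate ADFS", {"example.com"})
OKTA = Idp("Partner Okta", {"example.com", "partner.example"})
LAB = Idp("Lab IDP", trust_any_domain=True)
IDPS = [ADFS, OKTA, LAB]

if __name__ == "__main__":
    print(candidate_idps("email@example.com", IDPS))        # two IDPs: user chooses
    print(candidate_idps("bob@partner.example", IDPS))      # one IDP: redirect
    print(accept_assertion(ADFS, "admin@partner.example"))  # outside known domains
    print(accept_assertion(LAB, "admin@partner.example"))   # trust-any accepts it
```

The last two calls show why restricting known domains matters: the same asserted user is refused from an IDP limited to example.com but accepted from one that is trusted for any domain.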
Yes, add as many as you like!
Yes, JIRA Mobile and Confluence Mobile clients are offered SAML login.
Yes, both JIRA Service Desk agents and customers are offered SAML login.
When using the AppDynamics agent, Kantega SSO may fail to enable with a BeanInstantiationException, frequently with the internal cause org.w3c.dom.ls.LSException: An unsupported encoding is encountered.
We have reports of customers successfully resolving this by adding the following parameters to the startup script:
Yes, in newer versions starting from Confluence 6.11.x you may use the Atlassian Companion app to edit your Office files, also when you log in using SAML.
No, the WebDav technology does not support SAML. If you are using SAML to log in to Confluence and want to edit a Word, Excel or PowerPoint document, please download the document, edit it and then upload it afterwards.
The chosen SAML user name attribute is matched against existing user directories in the order they appear in the User Directory list.
Actually, all user directories are supported. Your users may reside in Internal User Directory, Active Directory, Crowd, atlassian-user.xml etc.
Yes, adding ?nosaml to the login URL will present the standard username/password screen. This is relevant if you want to log into a local administrator account when automatic redirect to SAML identity provider is enabled.
By adding ?noautosso to the login URL, you will avoid being sent directly to your IdP. You could also press the "Cancel" link that is presented very briefly in the upper left of the screen during the automatic redirect.
Our add-on does not affect how application links work. This is because users do not have to authenticate to each application. We recommend using OAuth Impersonation application links when setting this up.
This is by design and activated by default on Jira and Confluence. If you would like SAML users to be able to enter the admin section without entering their passwords, Atlassian has a way of disabling secure administrator sessions (WebSudo).