You are viewing the Kantega SSO legacy documentation. The new documentation site is: https://kantega-sso.atlassian.net/wiki/x/hwAb

...


Welcome to the Kantega Single

...

 

• SAML SSO

• Windows Integrated Login (Kerberos)

• Cloud User Synchronization 

We proudly provide support for the two single sign-on protocols SAML and Kerberos. In addition, we have built connectors for synchronizing users and groups from popular cloud-based user directories. This enables you to manage your users' roles for your Atlassian server products in one centralized place. The connector feature works elegantly together with SAML. Our add-on makes it possible to combine Kerberos, SAML and regular username/password-based login in a flexible way.

Try our products

So which SSO solution do I choose, you say?

The two mechanisms we support, SAML and Kerberos, are the ones we consider the most widely used and secure. At the same time, they differ significantly and are therefore suited to different situations.

Kerberos

Kerberos is capable of completely transparent SSO: your browser delivers a Kerberos ticket to our add-on that securely identifies which user is logging in. Kerberos is often the preferred solution in a Windows-based environment, where login to the Windows machine can be used to automatically authenticate with the Atlassian server products through Integrated Windows Authentication (IWA). Kerberos requires that client machines have access to a Key Distribution Center (KDC), which in the Windows world generally means Active Directory. For security reasons, AD is generally not reachable outside the local network/corporate intranet, making Kerberos mainly applicable within a company.

SAML

SAML is a flexible and widespread solution for single sign-on. It offers the ability to identify users in your Atlassian server products via practically any SAML 2.0 identity provider on the web, and there are probably thousands of these services. We have prepared wizard support and guides for the top 10-15 most common, but you should be able to use any SAML 2.0 compliant IdP.

SAML was designed for the WWW, and is quite different from Kerberos. In SAML, when users access the Atlassian server product without a valid session, they are redirected to an Identity Provider (IdP) login portal. This is typically a centralized web service for establishing users' identities and can range from the company's internal ADFS or Keycloak server to cloud providers like Google GSuite, Okta and Ping. Due to this redirection, and because most IdP authentication is username and password based, SAML is more "noticeable" for the user than Kerberos. However, SAML does not require a centralized KDC and so avoids the local network/intranet restriction that limits the use of Kerberos.

By also activating the connector feature in your SAML setup, you get a clean architecture in which your users live only in your cloud-based user directory. Whenever a user is created, removed or changes roles, this is synchronized through the connector to your favorite Atlassian server products. The connector creates a virtual user directory, visible to your Atlassian server products, that contains all your users and groups from your cloud. Currently we have support for connectors to Azure AD, Google G-Suite and Okta.

In combination

Therefore, organizations often prefer to set up Kerberos for the most hassle-free login experience when the user is at a desktop machine in the office, and to set up SAML in addition so that the user can log in when on the move outside the office or when accessing from cellphones or other non-Kerberos-compatible devices.

Below you will find additional details about all the features of Kantega Single Sign-on.

Support

We take pride in offering quick, relevant and effective support. If you have a problem, please reach out to us. Do not hesitate to contact us in case you have questions. See also our Kantega Single Sign-on FAQ.

We will guide you through

SSO with Integrated Windows Authentication (IWA, Kerberos)

Kerberos SSO gives the end user access to Atlassian products without entering a user name and password. Kerberos is typically used in an enterprise LAN, and is the preferred choice for Kerberos domains such as Windows domains and Microsoft Desktop environments.

Configuring Kerberos Single Sign-on

Additional guides

Setup tips

SSO with SAML

The SAML standard facilitates the secure exchange of authentication and authorization information, so users can log in to the Atlassian products through third-party identity providers.

Configuring SAML Single Sign-on

Setup tips

Connectors

Kantega SSO version 3 introduces the new Cloud connectors feature, which keeps your Atlassian user directories synced to cloud directories.

Configuring Cloud Connectors

...

sign-on Documentation


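<script>
// Hide the Confluence page title, if it is present on this page.
var idelem = document.getElementById("title-text");
if (idelem) {
	idelem.style.visibility = "hidden";
}

// Hide every guide panel, including the initial selector panel.
function kssounselect() {
	var elems = document.getElementsByClassName("ksso--content--guide");
	for (var i = 0; i < elems.length; i++) {
		elems[i].style.display = "none";
	}
}

// Show the panel whose id is "<guideName>Guide"; returns false if no such panel exists.
function kssoselectGuide(guideName) {
	var elem = document.getElementById(guideName + "Guide");
	if (!elem) {
		return false;
	}
	elem.style.display = "block";
	return true;
}

// Click handler for the selector links: swap the visible panel.
function kssohandleLinkClick(guide) {
	kssounselect();
	if (!kssoselectGuide(guide)) {
		// Unknown guide name: fall back to the selector rather than leaving the card empty.
		kssoselectGuide("guideSelector");
	}
}
</script>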


<section class="ksso--card">
  <div class="ksso--imgbox">
    <img class="ksso--imgbox--img" src="https://docs.kantega.no/download/attachments/48300079/kompass.png" />
  </div>


  <div class="ksso--contentbox">
    <div id="guideSelectorGuide" class="ksso--content--guide">
      <h2 class="ksso--cardribbon">Getting started</h2>
      <p>Select where you keep your users, and your setup guide will appear.</p>
      <p>If you have more than one location, you can add more later.</p>
      <div class="ksso--topmargin">
        <!-- Trigger -->
        <a href="#saml-links-trigger" style="text-decoration:none;margin:20px;background-color:#172B4D;">
          <button
            class="aui-button aui-button-primary aui-dropdown2-trigger"
            aria-owns="saml-links"
            aria-haspopup="true"
            style="background-color:#CC2029;"
          >
            Choose your user directory
          </button>
        </a>

        <!-- Dropdown -->
        <div id="saml-links" class="aui-style-default aui-dropdown2">
          <div class="aui-dropdown2-section">
            <div class="aui-dropdown2-heading"><strong>On premise</strong></div>
            <ul>
              <li><a href="#" onclick="kssohandleLinkClick('ad')">AD (Active Directory)</a></li>
              <li><a href="#" onclick="kssohandleLinkClick('adfs')">AD with ADFS</a></li>
              <li><a href="#" onclick="kssohandleLinkClick('keycloak')">Keycloak</a></li>
              <li><a href="#" onclick="kssohandleLinkClick('pingfederate')">Ping federate</a></li>
            </ul>
          </div>
          <div class="aui-dropdown2-section">
            <div class="aui-dropdown2-heading"><strong>Cloud</strong></div>
            <ul>
              <li><a href="#" onclick="kssohandleLinkClick('azuread')">Azure AD / Office 365</a></li>
              <li><a href="#" onclick="kssohandleLinkClick('gsuite')">GSuite</a></li>
              <li><a href="#" onclick="kssohandleLinkClick('okta')">Okta</a></li>
              <li><a href="#" onclick="kssohandleLinkClick('onelogin')">OneLogin</a></li>
              <li><a href="#" onclick="kssohandleLinkClick('pingone')">PingOne</a></li>
              <li><a href="#" onclick="kssohandleLinkClick('auth0')">Auth0</a></li>
              <li><a href="#" onclick="kssohandleLinkClick('authanvil')">Authanvil</a></li>
              <li><a href="#" onclick="kssohandleLinkClick('bitium')">Bitium</a></li>
              <li><a href="#" onclick="kssohandleLinkClick('duo')">Duo</a></li>
              <li><a href="#" onclick="kssohandleLinkClick('salesforce')">Salesforce</a></li>
              <li><a href="#" onclick="kssohandleLinkClick('wso2')">WSO2</a></li>
            </ul>
          </div>

          <div class="aui-dropdown2-section">
            <div class="aui-dropdown2-heading"><strong>General</strong></div>
            <ul>
              <li>
                <a href="https://docs.kantega.no/display/KA/Any+other+SAML+2.0+provider">Any SAML 2.0 compliant IDP</a>
              </li>
            </ul>
          </div>
        </div>
      </div>
    </div>

    <!-- panels -->
    <div id="azureadGuide" class="ksso--content--guide" style="display:none;">
      <h2 class="ksso--cardribbon">Getting started with Azure AD / Office 365</h2>
      <p>With Azure AD you can set up both SAML SSO and connectors for Cloud User Provisioning.</p>


      <p>SAML SSO lets users on any client (both mobile and desktop) log in to the Atlassian products with their Azure login.</p>

      <p><a href="https://docs.kantega.no/display/KA/Azure+AD">Setup guide for enabling SSO with Azure AD</a></p>

      <p>
        Cloud user provisioning gives a clean architecture by keeping Atlassian user and access management in your GSuite
        cloud. Whenever a user is created, removed or changes roles, this is synchronized through the connector to your
        favorite Atlassian products. The cloud connector creates a virtual user directory that your Atlassian products
        see, containing all your users and groups.
      </p>
      <p>
        <a href="https://docs.kantega.no/display/KA/Cloud+user+provisioning"
          >Setup guide for Azure AD user provisioning</a
        >
      </p>
      <div class="ksso--content--guide--backselector">
        <a href="#" onclick="kssohandleLinkClick('guideSelector')" style="color:silver;">reset selector</a>
      </div>
    </div>

    <div id="gsuiteGuide" class="ksso--content--guide" style="display:none;">
      <h2 class="ksso--cardribbon">Getting started with Google GSuite</h2>
      <p>With GSuite, you can set up both SAML Single Sign On and Cloud User Provisioning.</p>
      <p>
        SAML SSO works on both mobile and desktop clients and gives your users GSuite login to the Atlassian products.
      </p>

      <p><a href="https://docs.kantega.no/display/KA/Google+GSuite">GSuite SSO setup guide</a></p>

      <p>
        Cloud user provisioning gives a clean architecture by keeping Atlassian user and access management in your GSuite
        cloud. Whenever a user is created, removed or changes roles, this is synchronized through the connector to your
        favorite Atlassian products. The cloud connector creates a virtual user directory that your Atlassian products
        see, containing all your users and groups.
      </p>

      <p><a href="https://docs.kantega.no/display/KA/Cloud+user+provisioning">GSuite user provisioning guide</a></p>

      <div class="ksso--topmargin"><a href="#" onclick="kssohandleLinkClick('guideSelector')">reset selector</a></div>
    </div>

    <div id="oktaGuide" class="ksso--content--guide" style="display:none;">
      <h2 class="ksso--cardribbon">Getting started with Okta</h2>
      <p>With Okta, you can set up both SAML Single Sign On and Cloud User Provisioning.</p>

      <p>
        SAML SSO works on both mobile and desktop clients and gives your users Okta login to the Atlassian products.
      </p>

      <p><a href="https://docs.kantega.no/display/KA/Okta">Okta SSO setup guide</a></p>

      <p>
        Cloud user provisioning gives a clean architecture by keeping Atlassian user and access management in your Okta
        cloud. Whenever a user is created, removed or changes roles, this is synchronized through the connector to your
        favorite Atlassian products. The cloud connector creates a virtual user directory that your Atlassian products
        see, containing all your users and groups.
      </p>
      <p><a href="https://docs.kantega.no/display/KA/Okta">Okta provisioning setup guide</a></p>

      <div class="ksso--content--guide--backselector">
        <p><a href="#" onclick="kssohandleLinkClick('guideSelector')">reset selector</a></p>
      </div>
    </div>

    <div id="oneloginGuide" class="ksso--content--guide" style="display:none;">
      <h2 class="ksso--cardribbon">Getting started with OneLogin</h2>
      <p>With OneLogin you can set up SAML Single Sign On to the Atlassian server and data center products.</p>

      <p>
        SAML SSO works on both mobile and desktop clients and gives your users OneLogin login to the Atlassian products.
      </p>
      <p><a href="https://docs.kantega.no/display/KA/OneLogin">OneLogin SSO setup guide</a></p>
      <div class="ksso--content--guide--backselector">
        <p><a href="#" onclick="kssohandleLinkClick('guideSelector')">reset selector</a></p>
      </div>
    </div>

    <div id="pingoneGuide" class="ksso--content--guide" style="display:none;">
      <h2 class="ksso--cardribbon">Getting started with Ping One</h2>

      <p>With Ping One you can set up SAML Single Sign On to the Atlassian server and data center products.</p>

      <p>
        SAML SSO works on both mobile and desktop clients and gives your users Ping One login to the Atlassian products.
      </p>
      <p><a href="https://docs.kantega.no/display/KA/PingOne">Ping One SSO setup guide</a></p>
      <div class="ksso--content--guide--backselector">
        <a href="#" onclick="kssohandleLinkClick('guideSelector')">reset selector</a>
      </div>
    </div>

    <div id="auth0Guide" class="ksso--content--guide" style="display:none;">
      <h2 class="ksso--cardribbon">Getting started with Auth0</h2>
      <p>With Auth0 you can set up SAML Single Sign On to the Atlassian server and data center products.</p>

      <p>
        SAML SSO works on both mobile and desktop clients and gives your users OneLogin login to the Atlassian products.
      </p>
      <p><a href="https://docs.kantega.no/display/KA/Auth0">Setup guide for Auth0</a></p>
      <div class="ksso--content--guide--backselector">
        <a href="#" onclick="kssohandleLinkClick('guideSelector')">reset selector</a>
      </div>
    </div>

    <div id="authanvilGuide" class="ksso--content--guide" style="display:none;">
      <h2 class="ksso--cardribbon">Getting started with AuthAnvil</h2>
      <p>With AuthAnvil you can set up SAML Single Sign On to the Atlassian server and data center products.</p>

      <p>
        SAML SSO works on both mobile and desktop clients and gives your users OneLogin login to the Atlassian products.
      </p>
      <p><a href="https://docs.kantega.no/display/KA/AuthAnvil">AuthAnvil setup guide</a></p>
      <div class="ksso--content--guide--backselector">
        <a href="#" onclick="kssohandleLinkClick('guideSelector')">reset selector</a>
      </div>
    </div>

    <div id="bitiumGuide" class="ksso--content--guide" style="display:none;">
      <h2 class="ksso--cardribbon">Getting started with Bitium</h2>
      <p>With Bitium you can set up SAML Single Sign On to the Atlassian server and data center products.</p>

      <p>
        SAML SSO works on both mobile and desktop clients and gives your users Bitium login to the Atlassian products.
      </p>

      <p><a href="https://docs.kantega.no/display/KA/Bitium"> Setup guide for Bitium</a></p>
      <div class="ksso--content--guide--backselector">
        <a href="#" onclick="kssohandleLinkClick('guideSelector')">reset selector</a>
      </div>
    </div>

    <div id="duoGuide" class="ksso--content--guide" style="display:none;">
      <h2 class="ksso--cardribbon">Getting started with Duo</h2>
      <p>With Duo you can set up SAML Single Sign On to the Atlassian server and data center products.</p>

      <p>SAML SSO works on both mobile and desktop clients and gives your users Duo login to the Atlassian products.</p>
      <p><a href="https://docs.kantega.no/display/KA/Duo">Setup guide for Duo</a></p>
      <div class="ksso--content--guide--backselector">
        <a href="#" onclick="kssohandleLinkClick('guideSelector')">reset selector</a>
      </div>
    </div>

    <div id="salesforceGuide" class="ksso--content--guide" style="display:none;">
      <h2 class="ksso--cardribbon">Getting started with Salesforce</h2>
      <p>With Salesforce you can set up SAML Single Sign On to the Atlassian server and data center products.</p>

      <p>
        SAML SSO works on both mobile and desktop clients and gives your users Salesforce login to the Atlassian
        products.
      </p>
      <p><a href="https://docs.kantega.no/display/KA/Salesforce">Setup guide for SSO with Salesforce</a></p>
      <div class="ksso--content--guide--backselector">
        <a href="#" onclick="kssohandleLinkClick('guideSelector')">reset selector</a>
      </div>
    </div>

    <div id="wso2Guide" class="ksso--content--guide" style="display:none;">
      <h2 class="ksso--cardribbon">Getting started with Salesforce</h2>
      <p>With WSO2 you can set up SAML Single Sign On to the Atlassian server and data center products.</p>

      <p>
        SAML SSO works on both mobile and desktop clients and gives your users WSO2 login to the Atlassian products.
      </p>
      <p><a href="https://docs.kantega.no/display/KA/WSO2">Setup guide to SSO with WSO2</a></p>
      <div class="ksso--content--guide--backselector">
        <a href="#" onclick="kssohandleLinkClick('guideSelector')">reset selector</a>
      </div>
    </div>

    <!-- on premise -->
    <div id="keycloakGuide" class="ksso--content--guide" style="display:none;">
      <h2 class="ksso--cardribbon">Getting started with Keycloak</h2>
      <p>With Keycloak you can set up SAML Single Sign On to the Atlassian server and data center products.</p>

      <p>
        SAML SSO works on both mobile and desktop clients and gives your users Keycloak login to the Atlassian products.
      </p>

      <p><a href="https://docs.kantega.no/display/KA/Keycloak">Keycloak guide</a></p>
      <div class="ksso--content--guide--backselector">
        <a href="#" onclick="kssohandleLinkClick('guideSelector')">reset selector</a>
      </div>
    </div>

    <div id="pingfederateGuide" class="ksso--content--guide" style="display:none;">
      <p><b>With Ping Federate your users can log on from any location.</b></p>
      <p>
        Get started by following this guide:
        <b><a href="https://docs.kantega.no/display/KA/Ping+Federate">Setup guide for Ping Federate</a></b>
      </p>
      <div class="ksso--content--guide--backselector">
        <a href="#" onclick="kssohandleLinkClick('guideSelector')">reset selector</a>
      </div>
    </div>

    <div id="adfsGuide" class="ksso--content--guide" style="display:none;">
      <p>ADFS allows you to set up both Integrated Windows Authentication (IWA) and SAML - also in combination.</p>

      <p>
        IWA authenticates users on trusted internet zones automatically through their Windows session -
        <b>no need to type username and password.</b>
      </p>
      <p>
        <a href="https://docs.kantega.no/pages/viewpage.action?pageId=819313"
          >Setup guide for Integrated Windows Authentication</a
        >
      </p>

      <p>
        SAML allows users to log in from any location and with any device through the ADFS identity provider.
        <a href="https://docs.kantega.no/display/KA/AD+FS">Setup guide for ADFS</a>
      </p>
      <div class="ksso--content--guide--backselector">
        <a href="#" onclick="kssohandleLinkClick('guideSelector')">reset selector</a>
      </div>
    </div>

    <div id="adGuide" class="ksso--content--guide" style="display:none;">
      <p>
        With Microsoft Active Directory you can set up Integrated Windows Authentication (Kerberos) and give users on
        trusted networks a <b>completely password-free</b> login experience.
      </p>
      <p>
        <a href="https://docs.kantega.no/pages/viewpage.action?pageId=819313"
          >Setup guide for Integrated Windows Authentication</a
        >
      </p>
      <p class="kssotopmargin"><a href="#" onclick="kssohandleLinkClick('guideSelector')">reset selector</a></p>
    </div>
  </div>
</section>


--Or just jump straight to one of our guides--


Setup guide for Integrated Windows Authentication (Kerberos) for AD

Integrated Windows Authentication

Setting up Kerberos for Mac users

Setup guides for SAML


Cloud directories

Azure AD

Google GSuite

Okta

OneLogin

PingOne

Auth0

AuthAnvil

Bitium

Duo

Salesforce

WSO2



On premise solutions

Keycloak

Ping Federate

AD FS


General

Any other SAML 2.0 provider



Cloud User Provisioning

Azure AD / Office 365

Google GSuite

Okta



