You are viewing the Kantega SSO legacy documentation. The new documentation site is:
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »


This guide provides step-by-step instructions on how to add Keycloak as an identity provider in JIRA using Kantega Single Sign-on.
The guide can also be used when setting up SAML with Confluence, Bitbucket, Bamboo and FeCru.

Log into Keycloak admin 

Log into Keycloak and select your realm. We are using the relam name

Prior to this test, User Federation using LDAP have been set up against the Active Directory domain

User Federation

In this test we are using userPrincipalName as the usernameme attribute. These settings are found under User Federation,

Username LDAP attribute: userPrincipalName
RDN LDAP attribute: userPrincipalName

LDAP Mappers,username, LDAP Attribute: userPrincipalName

Adding an Identity Provider

In Kantega Single Sign-on add an identity Provider of the type "Any SAML 2.0 Identity Provider".


  • Copy the Entity ID and save it for later.
  • Press Next.

Add a Client in Keycloak

  • Make sure the correct realm is selected.
  • Select Clients, then Create.

  • In Client ID, paste the Entity ID from the Prepare step above.
  • Select SAML as the Client Protocol.
  • Press Save.


  • Set Client Signature Required to Off
  • Paste the Entity ID into the following fields:
    • Valid Redirect URLs.
    • Master SAML Processing URL.


Mappes are only needed if you want to have users automatically created upon login.

If users already exist in JIRA, you can skip this step.

  • In Mappers, we are going to add:
    • lastName
    • givenName
    • email

Create mapper for lastName:

Create mapper for givenName

Create mapper for email:

Metadata import

  • In Kantega Single Sign-on, go to the metadata import step.
  • Importing metadata can be done by providing the metadata URL or by uploading metadata manually.
  • Press Next.


  • Give the Identity Provider a name. (This name is visible to end users.)
  • The SSO Redirect URL is automatically imported from the metadata.
  • Press Next.


  • Review the imported signing certificate (This step is purely informatinal.)
  • Press Next.


  • Select whether users already exist or if you wish to have users automatically created upon login.
  • Note that for users to be created, a name, username and an email must be sent in the SAML response. (See previous insctrucions.)
  • Assign a default group for new users.


  • Review the Summary.
  • Press Finish.

Testing/configuring the identity provider 

  • The test page is anonymously accessible. This means that the identity provider admin does not need JIRA access to perform the login test.

  • Open the login test URL in a private / incognito browser window and perform a test logon.

Mark Miller performs a test logon in an incognito window.

The following shows a successful login test. 

SSO test results

After a test logon is performed, go back to Test Results and select Results

Add the domain as a known domain will be created in the JIRA Internal Directory when logging in.

The following message will appear if a user with the username already exists.

Redirect mode

After setting up SSO choose a redirect mode that best fit your use case. 

Users should now be able to log into JIRA using Keycloak.

  • No labels