Unknown macro: {spacetree}
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

Relatert bilde

Setup guide for adding Keycloak login to Atlassian products.

This setup guides assumes that Kantega SSO in installed as an add-on to your Atlassian product (JiraConfluenceBitbucketBamboo, or FeCru).

Context: This setup starts in the Configuration page of the Kantega SSO add-on. This configuration page can be found by pressing "Configure" on "Kantega Single Sign-On (SSO)" in list of installed add-ons.

Log into Keycloak admin 

Log into Keycloak and select your realm. We are using the relam name example.com

Prior to this test, User Federation using LDAP have been set up against the Active Directory domain example.com.

User Federation

In this test we are using userPrincipalName as the usernameme attribute. These settings are found under User Federation, example.com.

Username LDAP attribute: userPrincipalName
RDN LDAP attribute: userPrincipalName

LDAP Mappers,username, LDAP Attribute: userPrincipalName

Adding an Identity Provider

In Kantega Single Sign-on add an identity Provider of the type "Any SAML 2.0 Identity Provider".


  • Copy the ACS URL value and save it for later.
  • Press Next.

Add a Client in Keycloak

  • Make sure the correct realm is selected.
  • Select Clients, then Create.

  • In Client ID, paste the ACS URL from the Prepare step above.
  • Select SAML as the Client Protocol.
  • Press Save.


  • Set Client Signature Required to Off
  • Paste the ACS URL  into the following fields:
    • Valid Redirect URIs.
    • Master SAML Processing URL.


Mappes are only needed if you want to have users automatically created upon login.

If users already exist in JIRA, you can skip this step.

  • In Mappers, we are going to add:
    • lastName
    • givenName
    • email
    • managed groups sent via SAML response

Create mapper for lastName:

Create mapper for givenName

Create mapper for email:

Create mapper for managed group claims:

  • Set Name and Friendely Name to Group 
  • Set Group attribute name to http://schemas.xmlsoap.org/claims/Group
  • Set Full group path to OFF

Metadata import

  • In Kantega Single Sign-on, go to the metadata import step.
  • Importing metadata can be done by providing the metadata URL or by uploading metadata manually.
  • Press Next.


  • Give the Identity Provider a name. (This name is visible to end users.)
  • The SSO Redirect URL is automatically imported from the metadata.
  • Press Next.


  • Review the imported signing certificate (This step is purely informatinal.)
  • Press Next.


  • Select whether users already exist or if you wish to have users automatically created upon login.
  • Note that for users to be created, a name, username and an email must be sent in the SAML response. (See previous insctrucions.)
  • Assign a default group for new users.


  • Review the Summary.
  • Press Finish.

Testing/configuring the identity provider

After finishing the wizard, you will be sent to the test pages for verification of your setup. Here, you may also perform the last configuration parts. Follow this generic introduction to the test pages and final configuration. AD FS is used as the example here.

  • No labels