Environment

Can SAML and Kerberos work in combination?

Yes! When both SAML and Kerberos are configured, Active Directory joined devices can benefit from password-less SSO with Kerberos, while mobile phones and other standalone devices are offered SAML SSO.

Which Identity Providers do you support?

We have made step-by-step instructions for the most common IDPs. If your IDP is not listed, choose "Any SAML 2.0 provider" in the setup wizard.
If you want to add a vote for your IDP to be added to the setup wizard, don't hesitate to reach out to us. 

Do we need to make any file system changes to offer SAML to mobile devices or JIRA Service Desk?

No, there is no need to make file system changes. Installing Kantega Single Sign-on will give you SSO to both JIRA and JIRA Service Desk. 

What are known domains?

Known domains is a security feature, and it also enables the plugin to redirect the user to the correct IDP.

Let's say you have a user mark.miller@example.com. If example.com is a known domain for one IDP, we can redirect the user to that IDP.
If example.com is a known domain for two or more IDPs, the user must choose. Remember to select a good name for each IDP.

If known domains is set to "Trust identity provider to login users from any domain", the IDP can potentially authenticate users from another domain.
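
A simplified model of the known-domains behaviour described above, as an added example that is not Kantega's code. The names IdP, idps_for_login and accept_assertion are hypothetical, and rejecting a user whose domain is not in the IDP's known domains is an assumption about how the restriction works.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IdP:
    name: str
    known_domains: frozenset = frozenset()  # lower-case domain names
    # Models "Trust identity provider to login users from any domain"
    trust_any_domain: bool = False

def domain_of(username):
    """Return the lower-cased domain of a user name, or None if it has none."""
    local, sep, domain = username.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()

def idps_for_login(username, idps):
    """IDPs that list the user's domain: one match means redirect,
    two or more mean the user must choose, none means no redirect."""
    domain = domain_of(username)
    if domain is None:
        return []
    return [idp.name for idp in idps if domain in idp.known_domains]

def accept_assertion(idp, asserted_username):
    """Accept a user name asserted by idp only if that IDP is trusted
    for the user's domain (assumed enforcement, see lead-in)."""
    if idp.trust_any_domain:
        return True  # the IDP can authenticate users from any domain
    domain = domain_of(asserted_username)
    return domain is not None and domain in idp.known_domains

# Constructed sample configuration
CORP = IdP("Corporate IdP", frozenset({"example.com"}))
PARTNER = IdP("Partner IdP", frozenset({"example.com", "partner.example"}))
OPEN = IdP("Open IdP", trust_any_domain=True)
IDPS = [CORP, PARTNER, OPEN]

if __name__ == "__main__":
    # Two IDPs know example.com, so the user must choose between them.
    print(idps_for_login("mark.miller@example.com", IDPS))
    # Only one IDP knows partner.example, so the redirect is unambiguous.
    print(idps_for_login("ann@partner.example", IDPS))
    # The corporate IDP is not trusted for partner.example.
    print(accept_assertion(CORP, "eve@partner.example"))
    # The trust-any IDP is accepted for every domain.
    print(accept_assertion(OPEN, "eve@other.test"))
```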

Can we add multiple Identity Providers?

Yes, add as many as you like!

Is logging in with mobile devices supported?

Yes, JIRA Mobile and Confluence Mobile clients are offered SAML login. 

Do you support SAML for JIRA Service Desk?

Yes, both JIRA Service Desk agents and customers are offered SAML login.

How can I solve getting a 'BeanInstantiationException: Failed to instantiate [org.kantega.atlaskerb.saml.SamlConfManager]' during startup when using AppDynamics?

When using the AppDynamics agent, Kantega SSO may fail to enable with a BeanInstantiationException, frequently with the internal cause org.w3c.dom.ls.LSException: An unsupported encoding is encountered.

We have reports of customers successfully resolving this by adding the following parameters to the startup script:

-Datlassian.org.osgi.framework.bootdelegation=META-INF.services,com.yourkit,com.singularity.*,com.jprofiler,com.jprofiler.*,org.apache.xerces,org.apache.xerces.*,org.apache.xalan,org.apache.xalan.*,sun.*,com.sun.jndi,com.icl.saxon,com.icl.saxon.*,javax.servlet,javax.servlet.*,com.sun.xml.*,org.apache.xml.serializer,net.shibboleth.utilities.*,org.opensaml.core.*

Can I use "Edit in Office" (WebDav) in combination with SAML for my Confluence 6.11.x and newer?

Yes. Starting from Confluence 6.11.x, you can use the Atlassian Companion app to edit your Office files even when you log in using SAML.

Can I use "Edit in Office" (WebDav) in combination with SAML for my Confluence 6.10.x and older?

No, the WebDav technology does not support SAML. If you are using SAML to log in to Confluence and want to edit a Word, Excel or PowerPoint document, please download the document, edit it and then upload it afterwards.

User Directories

How are SAML users mapped to accounts in User Directories?

The chosen SAML user name attribute is matched against existing user directories in the order they appear in the User Directory list. 

What user directories are supported?

Actually, all user directories are supported. Your users may reside in Internal User Directory, Active Directory, Crowd, atlassian-user.xml etc.

Can SAML login be bypassed?

Yes, adding ?nosaml to the login URL will present the standard username/password screen. This is relevant if you want to log into a local administrator account when automatic redirect to SAML identity provider is enabled.

I have a problem with my IdP setup and have been using the "do not show login page" redirect mode. How can I log in locally to fix this?

By adding ?noautosso to the login URL, you will avoid being sent directly to your IdP. You could also press the "Cancel" link that is presented very briefly in the upper left of the screen during the automatic redirect.

Do application links work with our add-on?

Our add-on does not affect how application links work. This is because users do not have to authenticate to each application. We recommend using OAuth Impersonation application links when setting this up.

I am asked for a password to enter the admin section and am not able to proceed since my identity has been established through SAML?

This is by design and is activated by default in Jira and Confluence. If you would like SAML users to be able to enter the admin section without entering their passwords, Atlassian has a way of disabling secure administrator sessions (WebSudo):

https://confluence.atlassian.com/adminjiraserver073/configuring-secure-administrator-sessions-861254024.html