Azure Active Directory - SSO guide

Azure AD (Active Directory) - SSO Setup

Create an enterprise application

In order to create an enterprise application, you will need the following:

1 - An Azure AD user account. If you don't have one yet, you can Create an account for free.

2 - One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

3 - Completion of the steps in Quickstart: Add an enterprise application.

Once you have created your AD account,

  1. Navigate back to the homepage.

  2. Select “More Services”


  3. On the sidebar, navigate to the “Identity” tab

  4. Select the “Enterprise applications”


  5. Select “New Application”

  6. Select “Create your own application”

  7. Provide a name

  8. Select the “Integrate any other application you don't find in the gallery (Non-gallery)” option

  9. Select the “Create” button

You have now created the application.

Set up single sign-on

  1. Select the “Single sign-on” tab


  2. Select the “SAML” card


  3. The following page will open

    • Here you set the configuration: there are 4 configuration steps and 1 step to test the setup.

SSO configuration

  1. Step one is the basic SAML configuration. Select the three dots in the right corner of this card and click on the “edit” button.

    • Identifier (Entity ID)

      • Open the global settings of External Share on your Jira instance

        • (Apps dropdown menu > External Share > Global Settings > SSO configuration)

      • Enable SAML SSO by ticking the box

      • Copy the “Issuer ID” value

      • Click on Add identifier (On Azure)

      • Paste the value into the “Identifier” field

    • Reply URL (Assertion Consumer Service URL)

      • Open the global settings of External Share on your Jira instance

      • Copy the “Assertion Consumer URL” value

      • Click on Add Reply URL (On Azure)

      • Paste the value into the “Reply URL” field

    • Sign on URL

      • Open the global settings of External Share on your Jira instance

      • Copy the value from the “Service Provider Login Url” field and paste it into the “Sign on URL” field. Note that this value is generated dynamically and changes whenever the Workspace name is changed.

    • Relay State

      • Open the global settings of External Share on your Jira instance

      • Copy the “Default Relay State” value

      • Paste the value into the “Relay state” field

    • Save

  2. Step two “Attribute and Claims”

    • Ensure that the “Unique User Identifier” claim is set to “user.mail”; External Share treats the user's email address as the unique identifier.

    • Keep in mind that only this information is needed; no additional attributes are required.

  3. Step three “SAML Certificates”

    • Download the “PEM Certificate”

      • Open it with a text editor such as Notepad

      • Copy the contents

      • Paste this value into the “Certificate” field on the global settings of External Share on your Jira instance

    • Make sure to note the expiry date of the certificate: once it expires, it has to be rotated manually, so track that date.

  4. Step four “Set up”

    • Copy the “Login URL” value and paste it into the “Login URL” field on the global settings of External Share on your Jira instance

    • Copy the “Azure AD Identifier” value and paste it into the “Identifier” field on the global settings of External Share on your Jira instance

    • Choose a value for the “Workspace identifier” field. Note that the workspace identifier is what identifies your Jira instance; your users will need to enter it in order to log in via SSO, so it must be readily available to them.

    • Save
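The expiry caveat in step three can be turned into a routine check. The following Python is an added example, not part of this guide or of External Share; it uses only the standard library, reads the notBefore/notAfter dates straight out of a PEM certificate such as the one downloaded from Azure (without verifying its signature), and classifies it as ok, expiring or expired. The stub certificate it builds for the demonstration is constructed here and is unsigned; only its validity dates matter.

```python
import base64
from datetime import datetime, timezone

def _tlv(tag, body):                 # DER short-form encoder (body < 128 bytes; enough for the stub)
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):             # decode the DER element at pos -> (tag, value, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: next n bytes hold the length (real certs need this)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag, raw):           # 0x17 UTCTime "YYMMDDHHMMSSZ", 0x18 GeneralizedTime "YYYY..."
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(pem):
    """Return (notBefore, notAfter) of the first certificate in a PEM string."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    _, cert, _ = _read_tlv(base64.b64decode(b64), 0)   # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                      # tbsCertificate SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)                     # [0] version if present, else serialNumber
    for _ in range(3 if tag == 0xA0 else 2):            # skip serialNumber (if still pending),
        _, _, pos = _read_tlv(tbs, pos)                 # signature AlgorithmIdentifier, issuer Name
    _, validity, _ = _read_tlv(tbs, pos)                # validity SEQUENCE { notBefore, notAfter }
    t1, nb, p = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, p)
    return _parse_time(t1, nb), _parse_time(t2, na)

def check_signing_cert(pem, now=None, warn_days=30):
    """Classify the IdP signing certificate: ('expired'|'expiring'|'ok', days until notAfter)."""
    days_left = (cert_validity(pem)[1] - (now or datetime.now(timezone.utc))).days
    status = "expired" if days_left < 0 else "expiring" if days_left <= warn_days else "ok"
    return status, days_left

def make_stub_pem(not_before, not_after):
    """Constructed sample: a structurally valid, unsigned X.509 shell carrying only the dates."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    empty = _tlv(0x30, b"")                             # empty issuer / subject / SPKI SEQUENCEs
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")          # v3, serial 1
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA OID
           + empty + _tlv(0x30, utc(not_before) + utc(not_after)) + empty + empty)
    der = _tlv(0x30, _tlv(0x30, tbs) + empty + _tlv(0x03, b"\x00"))        # + alg, empty signature
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()

# Constructed sample: stub valid 2024-01-01 .. 2025-01-01, checked on 2024-12-12 (20 days left).
utc_date = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)
SAMPLE_NOW = utc_date(2024, 12, 12)
SAMPLE_PEM = make_stub_pem(utc_date(2024, 1, 1), utc_date(2025, 1, 1))
```

On the real PEM downloaded from Azure, `check_signing_cert(open("cert.pem").read())` gives the same answer as `openssl x509 -noout -enddate -in cert.pem`, and can be scheduled to alert before the manual rotation is due.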

There are no users assigned at this stage.

Assign users

  1. Navigate to “Users and groups” (Sidebar menu)

  2. Select the “Add user/group” button (on the navigation bar)

  3. Click on the “Users” field

  4. Add the users you wish to whitelist

  5. Click on the “Assign” button

Configuring SSO does NOT automatically restrict users' access to shares to SSO logins; you must first enable “Require Corporate SSO login when accessing shares”.

If you wish to ensure that the identity of external users is checked against your identity provider when they access shares, you must enable this option in the Security tab of External Share.