Configure SAML single sign-on for Okta
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between an identity provider and a service, such as Confluence Cloud.
Before you begin
When you set up SAML single sign-on, it applies to all Atlassian Cloud apps. You need to do the following to set up SAML single sign-on:
Create an organization if you don’t have one. Set up an Atlassian organization
Subscribe to Atlassian Guard Standard. Explore Atlassian Guard security policies and features
Verify one or more domains, to confirm you own them. Verify a domain for your organization. When you verify a domain, Atlassian accounts that use email addresses from the verified domain become managed by your organization.
Make sure you're an admin for the Atlassian organization. Understand organization administration
Add an identity provider directory to your organization. How to add an identity provider
Link verified domains to your identity provider directory. How to link domains
Create an authentication policy to test your SAML configuration. After you set up SAML, you can enable single sign-on for the authentication policy.
Configure SAML 2.0 for Atlassian Cloud
This setup might fail without parameter values that are customized for your organization. Use the Okta Admin Console to add an application and view the values specific to your organization.
Atlassian Cloud supports user provisioning with Okta. Configure user provisioning with Okta. If you need further information, contact Atlassian support at support@atlassian.com.
Supported Okta features
The Okta Atlassian Cloud SAML integration currently supports the following features:
Service provider-initiated single sign-on
Identity provider-initiated single sign-on
JIT (Just-In-Time) provisioning
For more information on the listed features, see the Okta Glossary.
How to configure SAML single sign-on
Before configuring SAML single sign-on, create an Atlassian account that you can use to access your organization even if SAML is misconfigured. The Atlassian account must not use an email address from a domain you verify for this organization. This ensures that the account won't redirect to SAML single sign-on when you sign in.
The account should have both site admin and organization admin access.
Log in to https://admin.atlassian.com as an administrator.
Select your organization, then select Security > Identity Providers.
Select Okta from the list of providers.
Select your Directory.
Under Authenticate users, select Set up SAML single sign-on. This opens the SAML configuration wizard.
On the Before you begin step, click Next.
On the Add SAML details step, enter the following:
Identity provider Entity ID:
Sign in to the Okta Admin Console to generate this variable.
Identity provider SSO URL:
Sign in to the Okta Admin Console to generate this variable.
Public x509 certificate:
Sign in to the Okta Admin Console to generate this variable.
Your Okta admin can copy these three values from the Sign On tab of the Atlassian Cloud app in the Okta Admin Console, in the Metadata details section.
On the Copy URLs to your identity provider step, copy your Unique ID value from the SP Entity ID field.
For example, if your SP Entity ID is https://auth.atlassian.com/saml/a1b2c3d4, your Unique ID is a1b2c3d4
Click Next.
On the Link a domain to your identity provider directory step, select your Domain to link.
On the Save and continue step, click Stop and save SAML.
In Okta, select the Sign On tab for the Atlassian Cloud SAML app, then click Edit:
SAML Attributes (optional):
By default, Okta sends the following SAML attributes, which are mandatory for JIT provisioning:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
You can configure additional attributes and their values (mappings) under the Attributes (Optional) section of SAML.
Enter your Unique ID value (the value you copied from the SP Entity ID field on the Copy URLs to your identity provider step) into the corresponding field.
Jira Base URL: Enter your Jira Cloud base URL.
For example: https://[your-subdomain].atlassian.net
Confluence Base URL: Enter your Confluence Cloud base URL.
For example: https://[your-subdomain].atlassian.net/wiki (append /wiki to the end of the URL to land on the Confluence dashboard upon signing in).
Statuspage Base URL: Enter your Statuspage base URL.
For example: https://manage.statuspage.io
Select Save.
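As an added worked example (not Atlassian's or Okta's code), the following Python script pulls the three values the Add SAML details step asks for out of the IdP metadata Okta publishes for the app, derives the Unique ID from the SP Entity ID the way the Copy URLs step describes, and flags the mistakes that most often break this setup: an Entity ID that is the app URL rather than the Okta issuer, a non-HTTPS SSO URL, a certificate pasted with PEM headers or stray characters, and metadata that carries two signing certificates during a key rotation. The metadata document, org hostname, app ID and certificate body are constructed placeholders; the "certificate" is not a real X.509 certificate.

```python
"""Extract and sanity-check Okta IdP metadata values before pasting them into Atlassian.

Added example, not Atlassian's or Okta's code. SAMPLE_METADATA is a constructed
SAML 2.0 IdP metadata document in the shape Okta publishes; the org hostname,
app ID and certificate body are placeholders (the base64 body is chosen so its
first decoded byte is 0x30, the DER SEQUENCE tag, but it is not a real cert).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: placeholder Okta org, app ID and certificate body.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBASE64PLACEHOLDERCERTIFICATEBODY0
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/atlassian/exk0000000000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/atlassian/exk0000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return the IdP Entity ID, SSO URL (HTTP-POST preferred) and signing certs (base64, whitespace removed)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: this is not IdP metadata")
    services = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    binding = POST if POST in services else REDIRECT if REDIRECT in services else next(iter(services), None)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a KeyDescriptor without "use" serves both purposes
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # drop the line breaks so decoding yields raw DER
    return {
        "entity_id": root.get("entityID"),
        "sso_binding": binding,
        "sso_url": services.get(binding),
        "signing_certs": certs,
    }


def cert_fingerprint(cert_b64):
    """SHA-256 fingerprint of the DER certificate, for out-of-band comparison with what Okta shows."""
    der = base64.b64decode(cert_b64, validate=True)
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def unique_id_from_sp_entity_id(sp_entity_id):
    """The Unique ID Okta needs is the last path segment of the SP Entity ID Atlassian displays."""
    prefix = "https://auth.atlassian.com/saml/"
    if not sp_entity_id.startswith(prefix):
        raise ValueError("unexpected SP Entity ID: " + sp_entity_id)
    return sp_entity_id[len(prefix):].strip("/")


def check_idp_values(meta):
    """Return a list of findings; an empty list means the values are safe to paste into Atlassian."""
    findings = []
    # Okta issues IdP Entity IDs as http://www.okta.com/<app id>; anything else is usually
    # the app's sign-in URL copied into the wrong field (assumption based on Okta's usual format).
    if not (meta["entity_id"] or "").startswith("http://www.okta.com/"):
        findings.append("Entity ID does not look like an Okta IdP issuer: %r" % meta["entity_id"])
    if not (meta["sso_url"] or "").startswith("https://"):
        findings.append("SSO URL is not HTTPS: %r" % meta["sso_url"])
    if not meta["signing_certs"]:
        findings.append("no signing certificate in metadata")
    elif len(meta["signing_certs"]) > 1:
        findings.append("more than one signing certificate (key rotation in progress?): paste the active one")
    for cert in meta["signing_certs"]:
        try:
            der = base64.b64decode(cert, validate=True)
        except ValueError:
            findings.append("certificate is not clean base64 (PEM header, footer or stray characters?)")
            continue
        if not der or der[0] != 0x30:  # DER certificates start with a SEQUENCE tag
            findings.append("certificate does not decode to a DER SEQUENCE")
    return findings


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("Identity provider Entity ID:", meta["entity_id"])
    print("Identity provider SSO URL:  ", meta["sso_url"], "(%s)" % meta["sso_binding"])
    for cert in meta["signing_certs"]:
        print("Signing cert SHA-256:        ", cert_fingerprint(cert))
    print("Unique ID:", unique_id_from_sp_entity_id("https://auth.atlassian.com/saml/a1b2c3d4"))
    print("Findings:", check_idp_values(meta) or "none")
```

Run it against the metadata file downloaded from the app's Sign On tab and compare the printed fingerprint with the signing certificate shown in the Okta Admin Console before pasting the values; keeping that fingerprint with your change record means a later certificate rotation shows up as a deliberate change rather than a surprise outage of SAML sign-in.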
About SAML attributes
The following SAML attributes are supported:
Name | Value |
---|---|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | user.firstName |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | user.lastName |
 | user.iddName |
Service provider-initiated single sign-on
Go to: https://[your-subdomain].atlassian.net
Enter your email, then select Continue.