Integration Atlassian Guard with Entra ID(fka Azure AD)
- Kwang Seob Jeong
- Nayoung Yun
This explains how to use SAML and SSO by integrating Guard and Entra ID.
Requirements
An Atlassian Guard subscription is required.
Entra ID
Install the Entra ID app for Atlassian Cloud.
1. Log in to the Microsoft Entra admin center as a Cloud Application Administrator.
Move to ID → Application → Enterprise Application → New Application.
3. Type "Atlassian Cloud" in the search box of the additional section in the Gallery.
4. Click Create to add an Atlassian cloud app.
SAML Configuration
After logging into admin.atlassian.com, select Security → Identity Provider → Azure AD.
After setting the directory name, select “Manually configure user provisioning settings” in the Azure options.
3. Click on SAML Single Sign-On Settings.
Click Next.
Open a new browser window to Add SAML Details and log in to the Microsoft Entra admin center as a Cloud Application Administrator.
Move to ID → Application → Enterprise Application and click Atlassian Cloud. Then select Single Sign-On settings below.
Click on SAML in the SSO method selection.
On the Single Sign-On setup page with SAML, scroll down to configure Atlassian Cloud. Copy the “Login URL” and Microsoft Entra identifier.
Paste it into the Atlassian Guard setting.
10. In the SAML Signature Certificate section, after finding the Certificate (Base64), click Download to download the certificate to your computer, then open the file with an editor.
Copy the certificate and paste it into the "Public x509 certificate" field of Atlassian Guard, then click Next.
12. The Entity URL and ACS (Assertion Consumer Service) will be displayed. After copying this value, switch to "Set up Single Sign-On with SAML" in Microsoft Entra ID.
Click “Basic SAML Configuration" and click Edit.
With the copied values from 12, paste the “Service Provider Entity URL” into the Identifier (Entity ID) field, and paste the “Service Provider ACS URL” into the Reply URL. Then, add the address of the Atlassian Cloud you are using to the “Login URL”. (like hkmc-cci.atlassian.net)
Edit attributes & claims
16. Click Unique user ID.
17. Atlassian Atlassian Cloud requires a name identifier (a unique user identifier) to be mapped to the user's email (user.email).
If you have M365, edit the original attribute change it to user.mail, and save it.
In the end, you should end up with a mapping that looks like this
attribute and claim
givenname user.givenname
surname user.surname
emailaddress user.mail
name user.userprincipalname
고유한 사용자 ID user.mailIf you don't have M365, the email for that user is stored in the userprincipalname attribute, so change it to user.userprincipalname and save it.
In the end, you should end up with a mapping that looks like this
attribute and claim
givenname user.givenname
surname user.surname
emailaddress user.mail
name user.userprincipalname
고유한 사용자 ID user.userprincipalname18. Once you're done setting up, press the Test SSO button to verify that it works.
19. Now, back in Guard, click Next and select the domain you want to associate with the IdP.
20. You're done configuring SAML, click “Stop and save SAML”.
Set up provisioning
1. On the Security → Identity Providers → “Microsoft Entra ID” screen, click User Provisioning.
Read the prompts and click Next.
3. Copy the generated SCIM base URL (1) and API key (2).
4. Log in to the Microsoft Entra Admin Center and click on “User Account Prospecting”.
5. On the “Identity Lifecycle Automation” screen, click the Start button.
6. On the Credentials screen, copy the directory base URL(1 ) created by Guard in step 1 to “Tenant URL”, paste the API key(2 ) into Secret Token, click Test Connection, and then click Save.
7. Once provisioning starts, check the “Provisioning log” to make sure it's working properly.