Configuration Guides

Configuring SAML SSO with Atlassian Cloud and PingFederate

About this task

The following table details the required and optional attributes to be configured in the assertion attribute contract.

Attribute Name Description Required / Optional

SAML_SUBJECT

Email Address

Required

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

First Name

Required

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Surname

Required

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

ID (not email)

Required

The following table details the references that are used within this guide that are environment specific. Replace these with the suitable value for your environment.

Reference Description

TenantSSOID

Tenant single sign-on (SSO) ID, retrieved from Atlassian Cloud SAML Single Sign-on configuration as part of EntityID and Assertion Consumer Service (ACS) URL.

Create a PingFederate SP connection for Atlassian Cloud

The following configuration is untested, and is provided as an example. Additional steps might be required.

  1. In Atlassian Cloud, go to Security → SAML Single Sign-on and sign on to Atlassian Cloud as an administrator.

  2. Make a note of the Entity ID and ACS URL values.

    You will need these later.

  3. Sign on to the PingFederate administrative console.

  4. Using the details retrieved from the application UI:

    • Configure using Browser SSO profile SAML 2.0.

    • Enable the IDP-Initiated SSO SAML profile.

    • Enable the SP Initiated SSO SAML profile.

    • In Assertion Creation → Attribute Contract, set the Subject Name Format to urn:oasis:names:tc:SAML:2.0:attrname-format:emailAddress.

    • Add the following attributes as type urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified:

      • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

      • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

      • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

    • In Assertion Creation → Attribute Contract Fulfilment:

      • Map attribute SAML_SUBJECT to the attribute mail.

      • Map attribute givenname to the attribute givenName.

      • Map attribute surname to the attribute sn.

      • Map attribute name to the non-email unique identifier, such as uid.

    • In Protocol Settings:

      • For Assertion Consumer Service URL, enter the consumer service URL retrieved from Atlassian and configure as index 0.

      • For Allowable SAML Bindings, enable Redirect and POST.

  5. Export the signing certificate public key.

    SP Connections page

Configure the PingFederate IdP connection for Atlassian Cloud

The following configuration is untested and is provided as an example. Additional steps might be required.

  1. Sign in to Atlassian Cloud as an administrator.

  2. Go to Security → SAML Single Sign-on.

  3. Click Add SAML Configuration.

  4. Enter the following details:

    • In the Identity Provider Entity ID field, enter the Issuer value for your PingFederate environment configuration.

    • In the Identity Provider SSO URL field, enter the SSO URL for your PingFederate environment configuration.

    • In a text editor, open the certificate you downloaded during the PingFederate and paste the contents of the certificate into the Public x509 Certificate field.

  5. Click Save Configuration.