Skip to main content
Version: 6.22.2

Set Up Single Sign-On for Atlassian Products

This guide provides step-by-step instructions for setting up single sign-on (SSO) on Jira, using miniOrange and Keycloak.

Prerequisites

  • Access to Keycloak Master Realm
  • Make sure you have an instance of Jira up and running.
  • Do not log into the Atlassian app until instructed in the following steps.

Initial Setup in Jira

Log In as Administrator User

  1. Navigate to Jira and log in as the administrator (admin) user.
  2. Complete the initial settings as prompted. Select "Start with a blank project", if unsure.
  1. Click on the Settings gear icon in the top-right corner.
  2. Select Manage Apps. Note: For Jira, also click Manage Apps on the left side.

Non Air-Gapped Environment

  1. Click on Find new apps.
  2. Search for miniorange.
  3. From the results, click on Single Sign On (SSO) via OAuth and OpenID for Jira.
  4. Click on Free trial, install the app.

Air-Gapped Environment

  1. Scroll to the bottom, and click Settings.
  2. Uncheck Connect to the Atlassian Marketplace, and click Apply.
  3. Click Upload app.
  4. Install the Jira miniOrange app file that was uploaded to an S3 bucket as part of your data transfer. It is available at the following link: https://marketplace.atlassian.com/apps/1217688/single-sign-on-sso-via-oauth-openid-for-jira-dc-and-cloud/version-history

Activate License

  1. Click on Manage apps again.
  2. Select the miniOrange app, paste your valid miniOrange SSO app license key, and click Update.

Keycloak Configuration

note

SmoothGlue will automatically configure this client out of the box. This serves primarily as reference if opting out of the auto-SSO feature. Skip to Retrieve Client Secret if not manually setting up the Keycloak client.

  1. Log in to Keycloak as an admin user.
  2. Make sure to select the appropriate realm (smoothglue).

Create OpenID Connect Client

  1. While you are in the smoothglue realm, click on Clients under Manage in the left pane.
  2. Click Create client.
  3. Enter client name jira for Client ID.
  4. Click on the Next button.
  5. Toggle on Client authentication.
  6. Click on the Next button. Note: The application's FQDN name may be obtained by running kubectl get virtualservice -A
  7. Enter https://{{ application_fqdn }}/plugins/servlet/oauth/callback for Valid Redirect URIs.
  8. Click on the Save button.

Retrieve Client Secret

Retrieve the client_secret from the Keycloak client:

  1. As a Keycloak Admin and within the smoothglue realm, click Clients on the left-hand panel.
  2. Click on the jira client.
  3. Click on the Credentials tab.
  4. Copy the value from the Client Secret field.

Final Configuration in Jira

Configure OAuth in miniOrange Plugin

  1. Navigate to the miniOrange plugin in Jira.
  2. Click on Add New App, enter Keycloak.
  3. Select Keycloak version as 18 or above.
  4. Custom App Name as keycloak.
  5. Client Id as jira.
  6. Client Secret from the earlier section.
  7. Scope as openid.
  8. Domain URL as https://{{ keycloak_fqdn }}/auth.
  9. Realm name as smoothglue.
  10. Logout Endpoint as https://{{ keycloak_fqdn }}/auth/realms/smoothglue/protocol/openid-connect/logout.
  11. Click on Save.
  12. You can click on Test Configuration to verify that you are presented with the Keycloak login screen.

Configure Jira User Server

In SmoothGlue, Jira is intended to be the primary user store for Jira and Confluence. Users are dynamically created when logging in from Keycloak. Please use the following steps to setup the Jira User Server:

  1. Login to Jira as an administrator.
  2. Click on the Settings gear icon in the top-right corner.
  3. Click User management.
  4. Click Jira user server in the left-hand panel.
  5. Click Add application.
  6. Enter confluence for Application name.
  7. Enter a password a sufficiently long password.
  8. Enter 0.0.0.0/0 for IP Addresses.
  9. Click Save.

Create Confluence Groups

By default, Confluence has two groups that assign privileges to users:

  1. confluence-users
  2. confluence-administrators

A System Integrator needs to create these groups from Jira so that users can be assigned one or both of these two groups from Console.

  1. Login to Jira as an administrator.
  2. Click on the Settings gear icon in the top-right corner.
  3. Click User management.
  4. Click Groups in the left-hand panel.
  5. On the right-side enter confluence-users and click Add group
  6. On the right-side enter confluence-administrators and click Add group