SSO - types of authorization

SAML (Security Assertion Markup Language) is a popular open standard for authentication and authorisation between two parties.
In our case these parties are:

  • Identity provider (IDP) on one end – ADFS, OneLogin, Centrify, Okta, etc., and
  • Service provider (SP) on the other end – Jira, Confluence, Bitbucket, Bamboo, and FishEye/Crucible.

User authentication can be initiated either from the Atlassian application (SP initiated) or directly from the identity provider page (IDP initiated).

You will use this information when preparing the login URL.

Identity Provider (IDP) Initiated SSO

The IDP initiated approach is simpler than the SP initiated one. In this case you just copy the static login URL from the IDP side (look in your IDP's documentation or ask your IDP support) into the Login URL property on the SSO configuration page. Here is an example of the Jira SSO configuration page.

Service Provider (SP) Initiated SSO

In this case the SAML request is generated on the Global SSO app side each time a user tries to log in. The IDP validates this request and sends the assertion back only if validation succeeds, prompting the user to log in first if they are not logged in yet; if validation fails, no assertion is sent. SP initiated SSO is considered more secure than the IDP initiated approach.

Here you should

  1. Add the "/sso/consumer/redirect" path to the Exclude paths field on the SSO configuration page.
  2. Prepare the login URL using the following pattern:
    https://${your.domain.com}/${app-path}/plugins/servlet/sso/consumer/redirect?RelayState=https://${your.domain.com}/${app-path}
    Where the RelayState is your application URL.
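As an added Python example (not code from the Global SSO app), the following builds a login URL in the pattern above and checks, before you paste it into the Login URL field, that its RelayState really is your own application URL and that the redirect path is in the exclude list. The domain and app path values are constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Servlet path from the page; it must be listed in "Exclude paths".
REDIRECT_PATH = "/sso/consumer/redirect"


def _app_url(domain: str, app_path: str) -> str:
    """Base URL of the Atlassian application, e.g. https://jira.example.com/jira."""
    path = app_path.strip("/")
    return f"https://{domain}/{path}" if path else f"https://{domain}"


def build_login_url(domain: str, app_path: str) -> str:
    """Login URL following the pattern
    https://<domain>/<app-path>/plugins/servlet/sso/consumer/redirect?RelayState=<app URL>
    RelayState is URL-encoded so the app URL survives as a single query value."""
    app_url = _app_url(domain, app_path)
    return f"{app_url}/plugins/servlet{REDIRECT_PATH}?" + urlencode({"RelayState": app_url})


def relay_state_is_app_url(login_url: str, domain: str, app_path: str) -> bool:
    """True only if the login URL carries exactly one RelayState and it points at
    this application (same scheme and host, path equal to or under the app path).
    A mistyped value such as 'https:/host/app' (single slash) parses with an empty
    host and is therefore rejected."""
    values = parse_qs(urlsplit(login_url).query).get("RelayState", [])
    if len(values) != 1:
        return False
    got, want = urlsplit(values[0]), urlsplit(_app_url(domain, app_path))
    want_path = want.path.rstrip("/")
    return (
        got.scheme == want.scheme
        and got.netloc == want.netloc
        and (got.path.rstrip("/") == want_path or got.path.startswith(want_path + "/"))
    )


def redirect_path_excluded(exclude_paths) -> bool:
    """True if the redirect servlet path is present in the configured exclude list."""
    return any("/" + p.strip().strip("/") == REDIRECT_PATH for p in exclude_paths)


if __name__ == "__main__":
    # Constructed values, not a real deployment.
    url = build_login_url("jira.example.com", "jira")
    print(url)
    print(relay_state_is_app_url(url, "jira.example.com", "jira"))
    print(redirect_path_excluded(["/rest/api", " /sso/consumer/redirect/ "]))
```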