I tried to get it working, even raised a support request with Atlassian, but their response was pretty much a straight “No”:
Auth0 is not on our supported SAML providers list at the moment and we don’t have the internal solution to help on the integration
Below is an outline of the things I tried
On the Auth0 side:
- created a new Auth0 client in my Auth0 account named “atlassian-cloud”
- went into the settings, enabled the “SAML 2.0 web app” addon
- set
https://id.atlassian.com/login/saml/acs
as the callback url 1
- left the
settings
alone
- (I think this is wrong, see below 2)
On the Atlassian side:
- have a verified domain
- enabled SAML beta support
- set the
Identity provider Entity ID
to urn:auth0:<my account name>:atlassian-cloud
as per these Auth0 instructions
- set the
Identity provider SSO URL
to https://<account anme>.au.auth0.com/samlp/<code>
(from the Endpoint tab of the advanced settings of the Auth0 client)
This didn’t work - when trying to login to Confluence, it would redirect to Auth0 and I would login there successfully, but then when redirected back to the callback url at https://id.atlassian.com/login/saml/acs
, I’d get an error from Atlassian, no further info.
1 I use that url as the SAML addon callback, because when I used the URL of my confluence site as the callback, I got the following error show up in the Auth0 logs:
The SAML Request AssertionConsumerServiceURL had the following value: ‘Log in with Atlassian account’, but the valid URLs are: [confluence site URL]‘’
2
I think the problem may be with my SAML addon settings, according to these Atlassian instructions I should be mapping some attributes. But, at this point, I’m not sure what, if anything the Auth0 SAML Addon settings should be.
Edit:
Confirmed working as per the answer from “accounts3” (can’t upvote or mark it as answer, this website is pretty broken).
Also note that I set my “Identity provider Entity ID” value on the Confluence side to the “Issuer” value that Auth0 showns in the settings of the SAML Addon, i.e something like: “urn:[account name] .[region].auth0.com”.
It’s worth nothing that it’s still not a supported configuration by Atlassian. Just because it works today doesn’t mean they’re obliged to keep it working, or tell you how to fix your configuration if they change something.
Also worth nothing that there’s a bug on the Atlassian side that contributed heavily to my problems with getting this working. I originally got the Confluence integration working with OneLogin, because Atlassian support that as a SAML config. BUT, if you change your SAML provider, you need to delete and then recreate your SAML config on the Atlassian side - don’t just edit the details. When I debugged the SAML assertion, there was still some OneLogin information in the assertion data, instead of Auth0 information.