Can Auth0 work with Atlassian Cloud (Confluence)?

fluxsupport · February 21, 2018, 10:23pm

Didn’t find anything when searching the support site for Confluence or Atlassian.
As seen at this Atlassian support page, Atlassian Cloud now supports SSO via SAML.
According to that page, they support Bitium, OneLogin, Okta and Centrify. They mention upcoming support for Ping, but no mention of Auth0

Has anyone tried this before?

I tried looking to see if I could figure out, but I wasn’t even sure if I’m supposed to be adding a SAML addon to my client, or setting up a “SAMLP Identity Provider” enterprise connection.
I think I need to do a client addon, but I couldn’t figure out what’s supposed to go in the “Application Callback URL” - would that just be the root page of my Confluence site?

fluxsupport · February 21, 2018, 10:23pm

I tried to get it working, even raised a support request with Atlassian, but their response was pretty much a straight “No”:

Auth0 is not on our supported SAML providers list at the moment and we don’t have the internal solution to help on the integration

Below is an outline of the things I tried

On the Auth0 side:

created a new Auth0 client in my Auth0 account named “atlassian-cloud”
went into the settings, enabled the “SAML 2.0 web app” addon
set https://id.atlassian.com/login/saml/acs as the callback url 1
left the settings alone
- (I think this is wrong, see below 2)

On the Atlassian side:

have a verified domain
enabled SAML beta support
set the Identity provider Entity ID to urn:auth0:<my account name>:atlassian-cloud as per these Auth0 instructions
set the Identity provider SSO URL to https://<account anme>.au.auth0.com/samlp/<code> (from the Endpoint tab of the advanced settings of the Auth0 client)

This didn’t work - when trying to login to Confluence, it would redirect to Auth0 and I would login there successfully, but then when redirected back to the callback url at https://id.atlassian.com/login/saml/acs, I’d get an error from Atlassian, no further info.

1 I use that url as the SAML addon callback, because when I used the URL of my confluence site as the callback, I got the following error show up in the Auth0 logs:

The SAML Request AssertionConsumerServiceURL had the following value: ‘https://id.atlassian.com/login/saml/acs’, but the valid URLs are: [confluence site URL]’’

2
I think the problem may be with my SAML addon settings, according to these Atlassian instructions I should be mapping some attributes. But, at this point, I’m not sure what, if anything the Auth0 SAML Addon settings should be.

Edit:

Confirmed working as per the answer from “accounts3” (can’t upvote or mark it as answer, this website is pretty broken).

Also note that I set my “Identity provider Entity ID” value on the Confluence side to the “Issuer” value that Auth0 showns in the settings of the SAML Addon, i.e something like: “urn:[account name] .[region].auth0.com”.

It’s worth nothing that it’s still not a supported configuration by Atlassian. Just because it works today doesn’t mean they’re obliged to keep it working, or tell you how to fix your configuration if they change something.

Also worth nothing that there’s a bug on the Atlassian side that contributed heavily to my problems with getting this working. I originally got the Confluence integration working with OneLogin, because Atlassian support that as a SAML config. BUT, if you change your SAML provider, you need to delete and then recreate your SAML config on the Atlassian side - don’t just edit the details. When I debugged the SAML assertion, there was still some OneLogin information in the assertion data, instead of Auth0 information.

accounts3 · April 17, 2020, 6:50am

I got this to work with JIRA. I had to add a first_name and last_name app_metadata to each user (user’s name defaulted to an email and I couldn’t change it). The settings I used:

{
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
  },
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:email"
}

fluxsupport · February 21, 2018, 10:26pm

@accounts3 Was that JIRA on Atlassian Cloud or a locally installed server? Regardless, I will try out these Addon setting when I get some time.

Thanks.

accounts3 · February 21, 2018, 10:26pm

@fluxsupport it was an Atlassian Cloud instance of JIRA. It took me a couple hours to figure out. I may not need as many configs as I have, but it works and I don’t have the time to play around with it more. Hope it works out for you

system · March 2, 2018, 5:55am

amin · April 17, 2020, 6:50am

Step by step guide at https://dev.to/amin/atlassian-saml-sso-with-auth0-idp-2jg6

konrad.sopala · April 17, 2020, 6:50am

Thanks for sharing that @amin!

amin · July 1, 2020, 12:36am

Steps are also available in Auth0 docs now: https://auth0.com/docs/protocols/saml/saml-apps/atlassian

konrad.sopala · July 1, 2020, 11:41am

Thanks for the update!