SAML SSO for JSM Customers with Multiple IDPs


Choose IDPs for Helpdesk integration

You can select a maximum of 3 IDPs

If you are looking for instructions on configuring Helpdesk SSO with a single IDP, please refer to this page instead.

You can now allow external customers to log in to Jira Service Management (previously Jira Service Desk, or JSD) via SSO. SAML SSO for JSM Customers lets customers sign in to Jira Service Management with your existing IDP, and it supports multiple IDPs at the same time.

This guide walks you through configuring Jira Helpdesk with multiple identity providers.

Download and Installation

  • Log in to your Jira instance as an admin.
  • Navigate to Settings and click Apps.
  • Locate SAML SSO for JSM Customers.
  • Click Free trial to start a trial of SAML SSO for JSM Customers.
  • On the menu bar click Apps, then open SAML SSO for JSM Customers to start configuring SSO for customers.

Step 1: Get metadata from miniOrange

  • Log in to the miniOrange Admin Dashboard.
  • Go to Identity Providers and click the Add Identity Provider button in the top right corner.
  • Click the Click here link in the alert box.
  • Click Show Metadata Details under the FOR SP-INITIATED SSO heading. Use these metadata details to add an app inside your IDP.

Step 2: Configure IDP inside miniOrange

  • Log in to the miniOrange Admin Dashboard.
  • From the left sidebar, expand Customization and click Login and Registration Branding.
  • Here you can change the Organization Name. This changes all your custom URLs from login.xecurify.com to organization-name.xecurify.com. For example, with the name piedpipers the custom URLs become piedpipers.xecurify.com.
  • Once you have changed the organization name and saved, the new URLs are listed under the Custom Organization URLs section near the Save button.
    Note: Changing the organization name is a mandatory step, and once you have made the change you cannot revert to login.xecurify.com, so choose the new organization name carefully. You also cannot use an organization name that is already taken by someone else.
  • Go to Identity Providers and click the Add Identity Provider button in the top right corner.
  • Enter the following details and click Save:
    IDP Name             A display name for this IDP.
    IDP Entity ID        The IDP Entity ID / Issuer ID from the Identity Provider's metadata.
    SAML SSO Login URL   The Single Sign-On URL provided by the Identity Provider.
    X.509 Certificate    The signing certificate provided by the Identity Provider. It is used to verify the signature on the IDP's SAML responses, so take it from the IDP's metadata.
    Make sure that you enable the options Enable for EndUser Login and Show IdP to Users; with multiple IDPs, only IDPs that have Show IdP to Users enabled are offered to customers at login.
  • Repeat these steps for each IDP you selected (up to 3).
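Every IDP tab in Step 3 ends with a federation metadata file or URL (the ADFS, Auth0, AuthAnvil and AWS downloads, the Entra ID federation metadata URL, the B2C Samlp/metadata URL), and the three values the Add Identity Provider form above asks for all live in that document. The following Python script is an added example for this guide, not code from the miniOrange plugin or from any of the IDPs: it parses a SAML 2.0 IdP metadata document and returns the IDP Entity ID, the SSO Login URL and the signing certificate as PEM, plus a SHA-256 fingerprint of the certificate to compare with the IDP console before pasting it into the form. The embedded metadata document is constructed for the example; its entityID, URLs and certificate bytes are placeholders.

```python
"""Extract the Step 2 values (IDP Entity ID, SSO Login URL, signing certificate)
from a SAML 2.0 IdP metadata document. Added example, not plugin or IDP code."""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET  # for metadata from an untrusted source, prefer defusedxml

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata: placeholder entityID, URLs and certificate bytes (not a real cert).
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>bm90LWEt
        cmVhbC1jZXJ0aWZpY2F0ZQ==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>ZW5jcnlwdGlvbi1vbmx5</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def _to_pem(b64_body: str) -> str:
    """Re-wrap the base64 from <ds:X509Certificate> as a PEM block for the X.509 Certificate field."""
    body = "".join(b64_body.split())  # metadata often wraps the base64 across several lines
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def _fingerprint(b64_body: str) -> str:
    """SHA-256 over the DER bytes, to compare with the thumbprint shown in the IDP console."""
    der = base64.b64decode("".join(b64_body.split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the values the Add Identity Provider form asks for, or raise ValueError."""
    root = ET.fromstring(xml_text)
    # The file is either a bare EntityDescriptor or an EntitiesDescriptor wrapping several.
    for entity in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        idp = entity.find("md:IDPSSODescriptor", NS)
        if idp is not None:
            break
    else:
        raise ValueError("no IDPSSODescriptor found (is this the SP's own metadata by mistake?)")

    endpoints = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    # SP-initiated login sends the AuthnRequest over HTTP-Redirect; fall back to HTTP-POST.
    binding = HTTP_REDIRECT if HTTP_REDIRECT in endpoints else HTTP_POST
    if binding not in endpoints:
        raise ValueError("IdP offers neither an HTTP-Redirect nor an HTTP-POST SingleSignOnService")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means the key may sign; skip encryption-only keys
            continue
        for x509 in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            if x509.text and x509.text.strip():
                certs.append(x509.text)
    if not certs:
        raise ValueError("IdP publishes no signing certificate; its responses could not be verified")

    return {
        "idp_entity_id": entity.get("entityID"),
        "sso_login_url": endpoints[binding],
        "sso_binding": binding,
        "x509_certificates": [_to_pem(c) for c in certs],  # more than one during an IdP key rollover
        "sha256_fingerprints": [_fingerprint(c) for c in certs],
        # True means the IdP rejects unsigned AuthnRequests: upload the plugin's certificate at the IdP.
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
    }


if __name__ == "__main__":
    # Usage: python saml_idp_metadata.py [downloaded-metadata.xml]; without a path the sample is parsed.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    info = parse_idp_metadata(text)
    print("IDP Entity ID     :", info["idp_entity_id"])
    print("SAML SSO Login URL:", info["sso_login_url"], "via", info["sso_binding"].rsplit(":", 1)[1])
    print("Signed requests   :", info["wants_signed_requests"])
    for pem, fp in zip(info["x509_certificates"], info["sha256_fingerprints"]):
        print("Certificate SHA-256 fingerprint:", fp)
        print(pem, end="")
```

Run it against the metadata each IDP tab hands back; if it reports more than one signing certificate the IDP is mid key-rollover and the plugin needs the one that currently signs responses, and if it raises because only an SPSSODescriptor is present you have downloaded the plugin's own metadata instead of the IDP's.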

Step 3: Configure Selected IDPs

Each IDP you selected has its own tab below. The SP Entity ID, ACS URL, certificate and SP metadata referred to in every tab come from the plugin's Service Provider Info tab.

Step 1: Setup ADFS as Identity Provider

      1. On the ADFS server, open the AD FS Management application.
      2. In AD FS Management, select Relying Party Trusts and then click Add Relying Party Trust.
      3. In the Add Relying Party Trust Wizard, make sure Claims aware is selected, then click Start.
      4. Select how to add the relying party trust:
        • Using the Metadata URL

          • In Select Data Source, choose Import data about the relying party published online or on a local network and enter the plugin's SP Metadata URL (from the Service Provider Info tab) in Federation metadata address.
          • The wizard then skips steps 6 to 8 (their values are read from the metadata): enter the Display Name in step 5 and continue from step 9.

        • Using a Metadata XML file

          • In Select Data Source, choose Import data about the relying party from a file and browse to the SP metadata file downloaded from the plugin's Service Provider Info tab.
          • The wizard then skips steps 6 to 8: enter the Display Name in step 5 and continue from step 9.

        • Using manual configuration

          • In Select Data Source, choose Enter data about the relying party manually and click Next.
      5. Enter a Display Name and click Next.
      6. Upload the certificate and click Next. Download the certificate from the plugin's Service Provider Info tab and upload that same certificate here.
      7. Select Enable support for the SAML 2.0 WebSSO protocol and enter the ACS URL from the plugin's Service Provider Info tab as the service URL. Click Next.
      8. Enter the SP Entity ID from the plugin's Service Provider Info tab as the Relying party trust identifier, click Add, then click Next.
      9. Also download the Signing certificate from the plugin's Service Provider Info tab; it is needed in step 17.
      10. Select an Access Control Policy and click Next. The guide uses Permit everyone, which lets every AD account that can authenticate reach the helpdesk; if only some users should become customers, choose a group-scoped policy such as Permit specific group instead.
      11. Click Next on Ready to Add Trust, then click Close.
      12. The list of Relying Party Trusts is shown. Select the new trust and click Edit Claim Issuance Policy.
      13. Click the Add Rule button.
      14. Select Send LDAP Attributes as Claims and click Next.
      15. Enter the following details and click Finish:
        Claim rule name:      Attributes
        Attribute store:      Active Directory
        LDAP Attribute:       E-Mail-Addresses
        Outgoing Claim Type:  Name ID
      16. Click Apply, then OK.
      17. Open the Properties of the relying party trust and, on the Signature tab, add the signing certificate downloaded from the add-on in step 9. ADFS uses it to verify the signature on the plugin's AuthnRequests.

Step 1: Setup Auth0 as Identity Provider

      1.1 Prerequisites:

        Ensure you have these values from the Service Provider Info tab of the SAML plugin:

        • SP Entity ID
        • ACS URL
        • Single Logout URL (to log users out of Auth0 when they log out of Atlassian)

      1.2 Instructions:

        • Log in to your Auth0 dashboard.
        • Navigate to Applications and click Create Application.
        • Assign a name to the application, choose Regular Web App, and click Create.
        • In the Addons tab, enable the SAML2 Web App addon to configure it.
        • Configure the Application Callback URL, Audience, Recipient and the other settings using the SP Entity ID and ACS URL from the SAML plugin (the callback URL and Recipient are the ACS URL; the Audience is the SP Entity ID).
        • Once you are done configuring the settings, scroll down and click Enable.
        • Go to the Usage tab and download the Identity Provider Metadata XML file.

      1.3 Create User in Auth0:

          1. Navigate to Users & Roles → Users and click Create User.
          2. Provide the email address and password for the new user and click Create.

Step 1: Setup AuthAnvil as Identity Provider

    Prerequisites:
    • Copy these values from the Service Provider Info tab of the SAML plugin:
          1. SP Entity ID
          2. ACS URL
    Instructions:
      1. Log in to AuthAnvil, go to SSO Manager, click + (add icon) and select Custom Application.
      2. Enter the Application Name.
      3. Go to Protocol Type and enter the following:
        Protocol Type                     SP-INIT
        Assertion Consumer Service URL    ACS URL copied from the plugin
        Allow Multiple Audiences          Unchecked
        Identity issuer                   SP Entity ID copied from the plugin
        Service Entity ID                 SP Entity ID copied from the plugin
      4. Enter the Advanced Settings:
        Include All Audience URIs   Checked
        Sign Token Response         Checked
        Sign Assertion              Unchecked
        Signing Algorithm           SHA1
        SHA1 is what this guide shows; SHA-1 signatures are deprecated, so select SHA256 here if your plugin version accepts it.
      5. Go to the Attribute Transformation tab and select Specify custom attribute transform. Add the NameID attribute and click Add, then add the name attribute in the same way.
      6. Click Add Application.
      7. Go to the Permissions tab and add the Groups that should have access to this application.
      8. Click Save Changes.
      9. Open the app. Click View Federation Metadata in the Protocol Type tab and save the generated metadata XML file. This metadata file is required to configure the plugin.

Step 1: Setup AWS as Identity Provider

    • Go to AWS and search for AWS Single Sign-On (now called IAM Identity Center) in AWS Services.
    • After opening the AWS SSO service, select Enable AWS SSO.
    • Click Create AWS organization.
    • Click Applications → Add a new application.
    • Select Add a custom SAML 2.0 application.
    • Fill in the details of the application.
    • Download the AWS SSO SAML metadata file; the Service Provider needs it in Step 2.
    • Go to the Service Provider Info tab of the miniOrange SAML Single Sign-On plugin, click Download Metadata and upload the file in the AWS Application metadata section, or copy the SP Entity ID and ACS URL from the plugin and configure the endpoints manually.
    • Click Save changes. Your application (named Demo Application here) is configured.
    • Go to the Attribute mappings tab and configure the attributes (first name, last name and e-mail address) that AWS should put in the SAML response.
    • Go to your configured application → Assigned users and add the users. To create new users, go to Users → Add User in the left navigation, enter the user details, click Next: Groups and assign groups to the user.
    • Your user has been added.

Step 1: Setup Microsoft Entra ID (previously known as Azure AD) as Identity Provider

       Prerequisites:

        Copy these values from the Service Provider Info tab of the plugin:

        • SP Entity ID
        • ACS URL

       Instructions:

      Note: An Enterprise application is the recommended option for SAML. If you do not have an Azure subscription or are using a free account, use the App Registration configuration instead.

      To perform Single Logout with Microsoft Entra ID, the Atlassian instance (e.g. Jira, Confluence) must be HTTPS enabled.

      Option 1: Enterprise application

    • Log in to the Microsoft Entra ID (previously Azure AD) portal.
    • Select Microsoft Entra ID (Azure Active Directory) ⇒ Enterprise Applications.
    • Click Create your own application. Enter a name for your app, select Integrate any other application you don't find in the gallery and click Create.
    • Click Set up Single sign-on.
    • The next screen presents the options for configuring single sign-on. Click SAML.
    • Edit option 1, Basic SAML Configuration, to configure the plugin endpoints.
    • Enter the SP Entity ID as the Identifier and the ACS URL as the Reply URL, both from the Service Provider Info tab of the plugin.
    • Click the Save icon.
    • By default, a standard set of attributes is sent in the SAML token. You can view or edit the claims sent to the application under User Attributes & Claims.
    • You can add an attribute using Add new claim.
    • You can add a group attribute claim using Add a group claim.
    • Copy the App Federation Metadata Url from the setup tab; it is needed when configuring the plugin.
    • Click Users and groups in the application's left-hand navigation menu and assign the users or groups that may sign in to the application.

      Option 2: App Registration

    • Log in to the Microsoft Entra ID (previously Azure AD) portal.
    • Select Microsoft Entra ID (Azure Active Directory) ⇒ App registrations. Click New registration.
    • Assign a Name and choose the account type. In the Redirect URI field, enter the ACS URL from the Service Provider Info tab of the plugin and click Register.
    • Navigate to Expose an API, click Set next to Application ID URI and replace the value with the plugin's SP Entity ID.
    • By default, some attributes are sent in the SAML token. If you are not getting group information, add a Token configuration for groups.
    • Click Add groups claim.
    • Copy the Federation Metadata URL below, replacing the {tenant_ID} part with your Directory (tenant) ID. You will need it when configuring the SAML plugin.
      Federation Metadata URL https://login.microsoftonline.com/{tenant_ID}/federationmetadata/2007-06/federationmetadata.xml

Step 1: Setup Azure AD B2C as Identity Provider

Follow the steps below to configure Azure AD B2C as an Identity Provider

Register the IdentityExperienceFramework application

    • From the Azure AD B2C tenant, select App registrations, and then select New registration.
    • For Name, enter IdentityExperienceFramework.
    • Under Supported account types, select Accounts in this organizational directory only.
    • Under Redirect URI, select Web, and then enter https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com, where your-tenant-name is your Azure AD B2C tenant domain name.
    • Under Permissions, select the Grant admin consent to openid and offline_access permissions check box. Then select Register.
    • Record the Application (client) ID for use in a later step.
    • To expose the API, under Manage select Expose an API.
    • Select Add a scope, then select Save and continue to accept the default application ID URI.
    • Enter the following values to create a scope that allows custom policy execution in your Azure AD B2C tenant:
      Scope name                  user_impersonation
      Admin consent display name  Access IdentityExperienceFramework
      Admin consent description   Allow the application to access IdentityExperienceFramework on behalf of the signed-in user
    • Select Add scope, with State: Enabled.

Register the ProxyIdentityExperienceFramework application

    • Select App registrations, and then select New registration.
    • For Name, enter ProxyIdentityExperienceFramework.
    • Under Supported account types, select Accounts in this organizational directory only.
    • Under Redirect URI, use the drop-down to select Public client/native (mobile & desktop).
    • For Redirect URI, enter myapp://auth.
    • Under Permissions, select the Grant admin consent to openid and offline_access permissions check box and select Register.
    • Record the Application (client) ID for use in a later step.
    • Next, specify that the application should be treated as a public client. Under Manage, select Authentication.
    • Under Advanced settings, set Allow public client flows to Yes. Select Save.
    • Now grant permissions to the API scope you exposed earlier in the IdentityExperienceFramework registration. Under Manage, select API permissions.
    • Under Configured permissions, select Add a permission.
    • Select the My APIs tab, then select the IdentityExperienceFramework application.
    • Under Permission, select the user_impersonation scope that you defined earlier.
    • Select Add permissions. As directed, wait a few minutes before proceeding to the next step.
    • Select Grant admin consent for (your tenant name).
    • Select your currently signed-in administrator account, or sign in with an account in your Azure AD B2C tenant that has been assigned at least the Cloud application administrator role. Select Accept.
    • Select Refresh, and then verify that "Granted for ..." appears under Status for the scopes offline_access, openid and user_impersonation. It might take a few minutes for the permissions to propagate.

Register the SAML Application

    • Select App registrations, and then select New registration.
    • Enter a Name for the application, e.g. SAML_APP.
    • Under Supported account types, select Accounts in any identity provider or organizational directory (for authenticating users with user flows).
    • Under Redirect URI, select Web, and then enter the ACS URL, {application_base_url}/plugins/servlet/saml/auth, from the Service Provider Information tab of the miniOrange SAML SSO plugin. Select Register.
    • Under Manage, click Expose an API.
    • Click Set for the Application ID URI and then click Save, accepting the default value.
    • Once saved, copy the Application ID URI, navigate to the Service Provider Information tab of the plugin and paste the copied value into the SP Entity ID field. Click Save.

Generate SSO Policies

    • In the Azure AD B2C portal, navigate to the Overview section of your B2C tenant and record your tenant name.
      NOTE: If your B2C domain is demo.onmicrosoft.com, then your tenant name is demo.
    • Enter your Azure B2C tenant name in the form below, along with the application IDs of the IdentityExperienceFramework and ProxyIdentityExperienceFramework apps registered in the steps above.
    • Azure B2C tenant Name:
      IdentityExperienceFramework app ID:
      ProxyIdentityExperienceFramework app ID:

    • Click the Generate B2C Policies button to download the SSO policies.
    • Extract the downloaded zip file. It contains the policy files and a certificate (.pfx) that you will need in the following steps. The .pfx holds the private key B2C will use to sign SAML assertions for your Jira instance, so treat it as a secret and delete local copies once it has been uploaded.

Upload the Certificate

    • Sign in to the Azure portal and browse to your Azure AD B2C tenant.
    • Under Policies, select Identity Experience Framework and then Policy keys.
    • Select Add, and then select Options > Upload.
    • Enter the Name as SamlIdpCert. The prefix B2C_1A_ is automatically added to the name of your key.
    • Using the upload file control, upload the certificate that was generated together with the SSO policies (tenantname-cert.pfx).
    • Enter the certificate's password, which is your tenant name, and click Create.
      For example, if your tenant name is demo.onmicrosoft.com, enter the password demo.
    • You should now see a new policy key named B2C_1A_SamlIdpCert.

Create the signing key

    • On the overview page of your Azure AD B2C tenant, under Policies, select Identity Experience Framework.
    • Select Policy keys and then select Add.
    • For Options, choose Generate.
    • In Name, enter TokenSigningKeyContainer. For Key type, select RSA.
    • For Key usage, select Signature. Select Create.

Create the encryption key

    • Follow the first three steps used to create the signing key.
    • For Name, enter TokenEncryptionKeyContainer. For Key type, select RSA.
    • For Key usage, select Encryption. Select Create.

Upload the Policies

    • Select the Identity Experience Framework menu item in your B2C tenant in the Azure portal.
    • Select Upload custom policy.
    • Upload the policy files downloaded in the steps above in the following order (later files reference earlier ones):
    • 1 TrustFrameworkBase.xml
      2 TrustFrameworkExtensions.xml
      3 SignUpOrSignin.xml
      4 ProfileEdit.xml
      5 PasswordReset.xml
      6 SignUpOrSigninSAML.xml
    • As you upload the files, Azure adds the prefix B2C_1A_ to each.
    • Note: In the next step, use the IDP Metadata URL
      https://tenant-name.b2clogin.com/tenant-name.onmicrosoft.com/B2C_1A_signup_signin_saml/Samlp/metadata
      with tenant-name replaced by your tenant name.

Step 1. Setup Bitium as Identity Provider

      Follow these steps to configure Bitium as an Identity Provider using the SAML 2.0 Single Sign-On protocol.

    • Log in to Bitium as an administrator.
    • Once you are in your Bitium Admin portal, click Manage "your organization".
    • Click Manage Apps.
    • In the top right corner, click Add More Apps. In the search box, search for "custom_app" and add the app to your Bitium account.
    • Click the Single Sign-On tab and select SAML Authentication.
    • Copy the following information from Bitium for configuring the add-on:
        1) Entity ID
        2) Login URL
        3) Logout URL
        4) X.509 Certificate
        5) Metadata URL
    • Paste the information from the plugin's SP Info tab into Bitium.
    • Click Save in the application provider.
    • Click Save Changes in Bitium.

Step 1: Setup CA Identity Manager as Identity Provider

      Follow the steps below to configure CA Identity Manager as an Identity Provider.

      Single Sign on Using CA Identity,CA Identity SSO Login, Pre-Requisites Pre-requisite:

          To configure CA Identity Manager as IDP, you need the metadata from SSO plugin.

        • Go to the Service Provider Info tab .
        • Click on the link https://[application-Domain]/plugins/servlet/saml/metadata.
        • choose Save As to save data in XML format on your system.

      CA Identity SSO, Administrator Login  Login as Administrator

        • Log in to your CA Identity service portal with the administrator account. You're going to be sent to the launchpad.
        • Single Sign on Using CA Identity,CA Identity SSO Login, Launchpad
        • Go to Apps and click on add an app.
        • Single Sign on Using CA Identity,CA Identity SSO Login, Add new app
        • Scroll down in the Add App popup window and click Create a SSO app
        • Fill out the information in each of the steps as given below.

        Enable SSO for Your App Using SAML

        • In Display Name, enter the name of your app and click Continue.
        • Single Sign on Using CA Identity,CA Identity SSO Login, Enable SSO, Enter name for app

        Identity Provider Information

        • Download IDP Metadata or you can copy the SP Entity ID and ACS URL from the plugin. This is necessary to configure the add-on later. Click on Continue.
        • Single Sign on Using CA Identity,CA Identity SSO Login, Download IDP Metadata

        Service Provider Information

        • Upload the SP metadata file you saved in the pre-requisite step under Upload SP metadata and click Continue.
        • You can also enter the data manually. The values can be found in the add-on's SP Info tab:

          Information to be entered in CA      Information to copy from the add-on
          Assertion Consumer Service URL       ACS URL
          Relay State                          -
          Entity ID                            SP Entity ID
          NameID Format                        Email Address
          Binding                              POST
          Requests Signed                      Yes
          Certificate                          Download the certificate provided in the SP Info tab and upload it here
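The table above, and the similar SP-details tables for Google, OneLogin, Okta, Oracle IDCS and Salesforce later on this page, all ask for the same handful of values from the plugin's SP metadata. The following script is an added example (not code from the miniOrange plugin) that reads an SP metadata file such as the one saved in the pre-requisite step and prints those values, including the signing certificate wrapped as PEM for the IDPs that want it uploaded. The entityID, URLs and certificate body in the embedded sample are constructed placeholders.

```python
"""Read the SP metadata that the plugin serves at /plugins/servlet/saml/metadata
and produce the values the IDP-side forms in this guide ask for.

Added example; this is not code from the miniOrange plugin. The metadata below
is constructed to look like such a file: the entityID, the URLs and the
certificate body are hypothetical placeholders.
"""
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of an SP metadata document (placeholder certificate body).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>TUlJQ1BMQUNFSE9MREVS</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.com/plugins/servlet/saml/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.com/plugins/servlet/saml/auth" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def to_pem(b64_body):
    """Wrap the base64 certificate body from metadata as a PEM file for upload."""
    body = "".join(b64_body.split())
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def sp_form_values(xml_text):
    """Extract the fields the IDP forms (Entity ID, ACS URL, NameID format, ...) need."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")

    # Prefer the ACS endpoint marked isDefault, then the lowest index.
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("no AssertionConsumerService endpoint")
    acs = min(acs_list, key=lambda e: (e.get("isDefault") != "true", int(e.get("index", "0"))))

    slo = sp.find("md:SingleLogoutService", NS)
    name_id = sp.find("md:NameIDFormat", NS)
    cert = None
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' means signing and encryption
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None:
                break
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding", "").rsplit(":", 1)[-1],  # e.g. HTTP-POST
        "name_id_format": name_id.text.strip() if name_id is not None and name_id.text else None,
        "requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "slo_url": slo.get("Location") if slo is not None else None,
        "signing_cert_pem": to_pem(cert.text) if cert is not None and cert.text else None,
    }


def sanity_check(values):
    """Things worth fixing before pasting the values into an IDP."""
    problems = []
    for key in ("acs_url", "slo_url"):
        url = values.get(key)
        if url and not url.startswith("https://"):
            problems.append("%s is not https: %s" % (key, url))
    if values["acs_binding"] != "HTTP-POST":
        problems.append("ACS binding is not HTTP-POST; the IDP tables in this guide assume POST")
    if values["requests_signed"] and not values["signing_cert_pem"]:
        problems.append("AuthnRequestsSigned is true but no signing certificate is published")
    if not values["want_assertions_signed"]:
        problems.append("WantAssertionsSigned is false; assertions should be required to be signed")
    return problems


if __name__ == "__main__":
    values = sp_form_values(SAMPLE_SP_METADATA)
    for key, value in values.items():
        print("%-24s %s" % (key, value if key != "signing_cert_pem" else "(PEM, %d chars)" % len(value)))
    for problem in sanity_check(values):
        print("WARNING:", problem)
```

Run it against the real file saved from the plugin instead of the embedded sample to get the values to type into the CA form; the https and binding warnings are the ones that most often explain a later "invalid response" error at the SP.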

        Attribute Mapping

        • Fill in Attribute Mapping as per your requirement. Set Type for NameID to User Attribute and set Value to User Name or Primary Email. These attributes are used to create the user in the SP.
        • Click on Continue and then click Finish.

      Create a Rule

        • You will be redirected to the app Dashboard. Go to Rules. A Rule defines who has access to the app. Click on Add rule.
        • Enter the rule name. Click on Add Filter and select the basis on which you want to assign the app. You can select a department, type or title, and add more filters as needed. Click Continue.
        • Under Then they should have, select the SP app you set up. Click Continue.
        • You can test the app by selecting a person from that department. Click Finish.

Step 1: Setup Centrify as Identity Provider

Follow the steps below to configure Centrify as an Identity Provider

    Create SAML App

    • Log into Centrify as an Administrator and click on Apps in the sidebar. Then click on Web Apps.
    • Click on the Add Web Apps button next to the search bar.
    • Select the Custom tab. Search for SAML and click on the Add button. Press Yes to confirm.

    Configure SAML App

    • When you create a web app, it is listed in the Web Apps tab. Click on the newly created web app to configure it.
    • The name and description of the web app can be updated from the Settings tab.
    • Select the Trust tab from the sidebar. The Trust tab has the IDP metadata details for the configuration. Copy the metadata URL and save it for the miniOrange configuration.
    • Scroll down to Service Provider Configuration. Here you can configure the SP metadata either from the plugin's metadata URL or manually.
    • Enter the configuration details and click on SAVE.
    • Click on the SAML Response tab in the left sidebar.
    • Here you can map attributes from your source directory to the SAML attributes that will be returned in the response.
    • Centrify also provides a script editor under the Custom Logic section of the SAML Response tab for more complex attribute mapping logic.
    • Add the following function calls to the script, using the values from Step 1 of the plugin under the SP Info tab:

      setAudience()          SP Entity ID / Issuer. E.g. setAudience('https://example.com')
      setRecipient()         Recipient URL. E.g. setRecipient('https://example.com/plugins/servlet/saml/auth')
      setHttpDestination()   Destination URL. E.g. setHttpDestination('https://example.com/plugins/servlet/saml/auth')

      NOTE: Do NOT change any other function calls in the script.
    • From the left sidebar, select Permissions.
    • Click on the Add button. The Select User, Group, or Role dialog appears.
    • Select the users, groups, or roles that will access this web app. The role rules are displayed on the User Access card.
    • Click on the Save button.
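The audience, recipient and destination set in the Centrify script are not cosmetic: they are the fields a service provider compares against its own Entity ID and ACS URL before it accepts an assertion, which is what keeps a response issued for one application from being replayed to another. The script below is an added example (not code from the miniOrange plugin or from Centrify) of those SP-side checks, run over a constructed, unsigned sample response and over three deliberately broken copies of it. The SP values and URLs are hypothetical; XML signature verification is out of scope here and must be done by a SAML library in addition to these checks.

```python
"""Check a SAML Response's addressing fields against the SP's own values.

Added example, not code from the miniOrange plugin or Centrify. Shows what the
Centrify script's audience, recipient and destination calls must match: an SP
rejects a response whose Destination, Recipient or Audience is not its own
ACS URL / Entity ID. Signature checking is out of scope (use a SAML library);
these checks come in addition to it. Sample response and SP values are constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://example.com"                          # hypothetical SP Info values
SP_ACS_URL = "https://example.com/plugins/servlet/saml/auth"

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2025-01-01T00:00:00Z" InResponseTo="_req1"
  Destination="https://example.com/plugins/servlet/saml/auth">
 <saml:Issuer>https://idp.example.org</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://example.com/plugins/servlet/saml/auth"
     NotOnOrAfter="2025-01-01T00:05:00Z" InResponseTo="_req1"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-12-31T23:57:00Z" NotOnOrAfter="2025-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2025-01-01T00:05:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, sp_entity_id, acs_url, expected_request_id=None,
                   now=None, clock_skew=timedelta(minutes=3)):
    """Return the list of problems found; an empty list means the checks passed."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != acs_url:           # must be the ACS URL it was posted to
        problems.append("Destination %r is not the ACS URL" % root.get("Destination"))
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one Assertion, found %d" % len(assertions)]
    assertion = assertions[0]
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:                 # must name this SP's Entity ID
        problems.append("Audience %r does not include the SP Entity ID" % audiences)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:                                             # bearer: where, until when, for which request
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient %r is not the ACS URL" % scd.get("Recipient"))
        not_after = scd.get("NotOnOrAfter")
        if not_after is None or _ts(not_after) + clock_skew <= now:
            problems.append("SubjectConfirmationData expired or has no NotOnOrAfter")
        if expected_request_id and scd.get("InResponseTo") != expected_request_id:
            problems.append("InResponseTo %r is not our AuthnRequest ID" % scd.get("InResponseTo"))
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:                                             # validity window of the assertion itself
        before, after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if before and _ts(before) - clock_skew > now:
            problems.append("assertion is not yet valid")
        if after and _ts(after) + clock_skew <= now:
            problems.append("assertion has expired")
    return problems


def demo():
    """Checks for the sample, a wrong-Audience copy, a wrong ACS URL and a late arrival."""
    now = datetime(2025, 1, 1, 0, 1, tzinfo=timezone.utc)
    wrong_aud = SAMPLE_RESPONSE.replace("<saml:Audience>https://example.com<",
                                        "<saml:Audience>https://other-app.example<")
    return {
        "valid": check_response(SAMPLE_RESPONSE, SP_ENTITY_ID, SP_ACS_URL, "_req1", now=now),
        "wrong_audience": check_response(wrong_aud, SP_ENTITY_ID, SP_ACS_URL, "_req1", now=now),
        "wrong_acs": check_response(SAMPLE_RESPONSE, SP_ENTITY_ID, "https://other.example/acs",
                                    "_req1", now=now),
        "late": check_response(SAMPLE_RESPONSE, SP_ENTITY_ID, SP_ACS_URL, "_req1",
                               now=now + timedelta(minutes=30)),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print("%-15s %s" % (name, problems or "OK"))
```

When a Centrify-issued response is rejected by the plugin, pasting the decoded response into this checker shows which of the three script values is off; the "wrong_acs" case is what a mistyped setRecipient() or setHttpDestination() looks like from the SP's side.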

Step 1: Setup DUO as Identity Provider

Follow the steps below to configure Duo as an Identity Provider.

    Create your Application in DUO

    • Login to your Duo Admin Panel.
    • Navigate to Applications and click on Protect an Application.
    • Locate the entry for your Atlassian app (Jira, Confluence or Generic Service Provider) with a protection type of "2FA with SSO self-hosted (Duo Access Gateway)" in the Applications list and click on Protect.
    • Enter the domain name of your app environment. For example, if your Jira login URL is https://yourdomain.com, enter yourdomain.com in this field.
    • By default Duo maps the sAMAccountName attribute. If you want to use a non-standard username attribute from your authentication source, check the Custom attributes box and enter the name of the attribute you wish to use instead.
    • Click on the Save Configuration button.
    • Click the Download your configuration file link to obtain the application settings (as a JSON file).

    Add your SSO Application to Duo Access Gateway

    • Go to the Applications page of the DAG admin console.
    • Click on the Choose File button in the "Add Application" section of the page. Locate and upload the application JSON file you downloaded from the Duo Admin Panel.
    • Your application is now added.

Step 1: Set Up Google Apps/GSuite as Identity Provider

      Follow these steps to set up Google Apps/GSuite as an Identity Provider:


      1.1 Login as Administrator

        • Go to the Google Admin Console and log in with your G Suite administrator account.
        • Navigate to the Apps tab in the left menu and click on Web and mobile apps.

      1.2 Add a SAML app

        • Click on Add App, then select Add Custom SAML app from the dropdown to create a new SAML app.
        • Enter the details for your custom SAML app and click Continue.

      1.3 IDP Information

        • On the next screen, click on Download Metadata to retrieve the data needed to configure your Service Provider.
        • Alternatively, you can copy the G Suite details (SSO URL, Entity ID and Certificate) to configure the Service Provider manually.
        • Click Continue once you are done.

      1.4 Service Provider Details

        • Enter the details from the Service Provider Metadata tab of the SAML SP plugin:

          ACS URL           Copy and paste the ACS URL from the plugin.
          Entity ID         Copy and paste the SP Entity ID / Issuer from the plugin.
          Signed Response   Check Signed Response.
          Name ID Format    EMAIL

        • Click Continue once you are done entering the details.

      1.5 Attribute Mapping

        • Click on Add Mapping to add and select user fields from the Google Directory.
        • Map them to the Service Provider attributes and click Finish once done.

      1.6 Turn On SSO

        • Go to SAML Apps again and click on OFF for everyone.
        • Select ON for everyone to activate SSO.
        • Note: After activating SSO, you can specify which users it applies to. For instance, if you choose organizational units, all users within that unit will be required to use SSO to access G Suite apps. Likewise, you can enforce SSO for specific groups or for all users in the account.

Step 1: Setup miniOrange as Identity Provider

      Creating App in miniOrange

        • Go to the miniOrange Admin console https://login.xecurify.com/moas/login and log in with your miniOrange credentials.
        • From the left menu, go to Apps.
        • Click on the Add Application button.
        • In Choose Application Type, click on the Create App button under the SAML/WS-FED application type.
        • In the next step, search for your application in the list. If your application is not found, search for "custom" and set up your app via Custom SAML App.
        • Method 1: Manual Configuration
          • Enter the following in the text boxes:

            Custom Application Name    App name you would like to provide.
            SP Entity ID or Issuer     Enter the SP Entity ID / Issuer from the Service Provider Info tab of the plugin.
            ACS URL                    Enter the ACS (Assertion Consumer Service) URL from the Service Provider Info tab of the plugin.
            Single Logout URL          Enter the Single Logout URL from the Service Provider Info tab of the plugin.

        • Method 2: Import SP Metadata
          • You can also import the SP metadata to configure your app.
          • Click on the Import SP Metadata button.
          • Enter your Custom Application Name in the App Name text box.
          • Upload the plugin metadata as text, file or URL and click Import.
        • Name ID Setup and Attribute Mapping:
          • In the NameID field, enter the attribute with which you want to log in to your application, e.g. Username, Email etc.
          • Enter the Name ID format (e.g. emailAddress) in Name ID Format.
          • Attributes can be mapped using the Add Attribute tab.
          • Add attributes such as first name, last name, group name, etc. with their corresponding values.
          • Multiple attributes can be added using the add icon.
        • Select Default from the Group Name dropdown.
        • Enter the Policy Name you would like to provide.
        • Select Password from the Login Method dropdown.
        • Click on Save to add the app.
        • Navigate to Apps → Manage Apps.
        • Click on the metadata link against your app.
        • Download the Metadata XML file or note down the given information and keep it handy to configure the add-on.
        • You can also provide the Metadata URL in the plugin settings.

Step 1: Configuring the Identity Provider

With the plugin installed, you can move on to setting up Okta as an IDP.

1.1: Okta IDP Configuration

    Follow the steps provided below:

    • Log into the Okta Admin Console.
    • For a developer account, switch to the Classic UI to configure the app.
    • In the left-hand menu, go to Applications → Applications and then click on Create App Integration.
    • Select SAML 2.0 as the sign-on method and click Next.
    • In General Settings, enter the app name and click on Next.
    • Set up the SAML parameters in the Configure SAML tab. You will find all the required information in the Service Provider Info tab of your plugin. The table below maps the plugin values to the Okta fields.

      Single Sign On URL            Enter the ACS (Assertion Consumer Service) URL from the Service Provider Info tab of the plugin.
      Audience URI (SP Entity ID)   Enter the SP Entity ID / Issuer from the Service Provider Info tab of the plugin.
      Default Relay State           Enter the Relay State from the Service Provider Info tab of the plugin.
      Name ID Format                Select EmailAddress as the Name ID Format from the dropdown list.
      Application Username          Set Application Username to Okta username.

    • Next, scroll down inside the Configure SAML tab and fill out Attribute Statements and Group Attribute Statements (this step is optional).
    • Here is how you can populate these fields:
      a. For Name, enter "firstName" and select user.firstName from the value dropdown.
      b. For Name, enter "lastName" and select user.lastName from the value dropdown.
      c. For Name, enter "Email" and select user.email from the value dropdown.
      d. Under Group Attribute Statements, enter "groups" for Name, select Matches regex from the Filter dropdown and enter ".*" in the adjacent textbox. The regex ".*" releases every group the user is a member of to the SP; use a narrower pattern if only some groups should be sent.

1.2: Assigning Groups/People

  • After creating and configuring the app, you will be redirected to the Assignments tab in Okta.
  • Here, select the people and groups that you want to be able to log in through the app. Click Assign and select Assign to People to give access to specific people.
  • You can also select Assign to Groups to give access to a specific group.
  • Once you are done assigning people and groups to your app, go to the Sign On tab.
  • Here, click on View Setup Instructions to get the SAML Login URL (Single Sign On URL), Single Logout URL, IDP Entity ID, and X.509 Certificate. You will need these to configure the Service Provider.

1.3: Fetching Metadata URL

    One important component you will need while setting up your service provider is the metadata URL of your Identity Provider.

    Follow these steps to find the metadata URL for your Okta application:

    • Log into your Okta Admin Console.
    • Navigate to Applications → [Your Application Name] → Sign On.
    • You will find the metadata URL under the Metadata details section.
    • Leave this window open in another tab or copy the URL to a note while setting up the service provider.

Step 1: Setup OneLogin as Identity Provider

      Follow the steps below to configure OneLogin as an Identity Provider

      Configuring OneLogin as IdP

        • Go to https://<your_domain>.onelogin.com and log into OneLogin as an Administrator.
        • Go to Apps → Company Apps → Add Apps from the navbar.
        • In the search box, type SAML Test Connector (Advanced) and click on the app to add it.
        • In Info, enter the App Name (display name) and click Save.
        • After saving, go to the Configuration tab and enter the following:

          Audience                       Audience URI from the plugin's Service Provider Info tab.
          Recipient                      Recipient URL from the plugin's Service Provider Info tab.
          ACS (Consumer) URL Validator   ACS (Assertion Consumer Service) URL from the plugin's Service Provider Info tab. OneLogin treats this field as a regular expression, so escape the dots and anchor it (for example ^https:\/\/example\.com\/plugins\/servlet\/saml\/auth$ for an ACS URL of https://example.com/plugins/servlet/saml/auth); a loose pattern lets the assertion be delivered to other URLs.
          ACS (Consumer) URL             ACS (Assertion Consumer Service) URL from the plugin's Service Provider Info tab.
          Single Logout URL              Single Logout URL from the plugin's Service Provider Info tab.

      Assigning Groups/People

        • Go to the SSO tab. Note down the URLs/endpoints. These will be required while configuring the plugin.

      Import IDP Metadata

        • Select SAML Metadata from the More Actions dropdown list.
        • Download this metadata or copy the URL and provide it in the plugin settings.
        • You can also copy the URLs from the SSO tab.
        • Save all the settings.

Step 1: Setup OpenAM as Identity Provider

All the information required to configure in the OpenAM i.e. plugin’s metadata is given in the Service Provider Info tab of the miniOrange plugin.


Create OpenAM as a Hosted Identity Provider

Note: You can skip this step and go to Configure Remote Service Provider if you have already configured an OpenAM hosted IDP.

    • Login to the OpenAM admin console.
    • Under Realms, select the realm under which you want to create the hosted IDP. You will be redirected to the Realm Overview page.
    • Click on Create SAMLv2 Providers in the Realm Overview page.
    • Click on Create Hosted Identity Provider. You will be redirected to the configuration page.
    • Configure the IDP as given below.

      • Name: Name of the IDP.
      • Signing Key: Select the signing key from the dropdown.
      • New Circle of Trust: Provide a name for the group of IDPs and SPs that trust each other.
      • Attribute Mapping: Configure the user profile attributes to be sent to the Service Provider application.

      • Click on the Configure button in the top right corner.
      • Verify the configuration from the Federation tab of OpenAM.

Configure Remote Service Provider

      • Login to the OpenAM admin console.
      • Under Realms, select the realm under which you want to configure your application. You will be redirected to the Realm Overview page.
      • Click on Create SAMLv2 Providers.
      • Click on Register Remote Service Provider. You will be redirected to the configuration page.
      • Configure the Service Provider as given below.

        • Where does the metadata file reside: URL.
        • URL of metadata: Enter the miniOrange plugin's metadata URL here.
        • Circle of Trust: Add to existing.
        • Existing Circle of Trust: Select the Circle of Trust (group) in which your hosted IDP is located.
        • Attribute Mapping: Configure the user profile attributes for mapping.

      • Click on the Configure button in the top right corner.
      • Verify the configuration from the Federation tab of OpenAM.
      • Provide the OpenAM SAML metadata to the Service Provider application (miniOrange SAML plugin).
      • You can download the OpenAM metadata using the URL given below.
        [OpenAM ServerURL]/saml2/jsp/exportmetadata.jsp
      • If you have multiple realms and hosted Identity Providers configured, use the URL given below.
        [OpenAM ServerURL]/saml2/jsp/exportmetadata.jsp?entityid=[IdPentityID]&realm=/realmname

Step 1: Setup Oracle Identity Cloud Service (IDCS) as Identity Provider

Follow the steps below to configure Oracle Identity Cloud Service (IDCS) as an Identity Provider (IDP).

Configuring Oracle Identity Cloud Service (IDCS) as IdP

  • Access the Oracle Identity Cloud Service (IDCS) administration console, select Applications, and then click Add.
  • Click on SAML Application.
  • Enter the name of your application and select the Display in My Apps option under the Display Settings section. Then click on the Next button.
  • In SSO Configuration, enter the following:

    Entity ID                Enter the SP Entity ID / Issuer from the Service Provider Metadata tab of the module.
    Assertion Consumer URL   Enter the ACS URL from the Service Provider Metadata tab of the module.
    NameID Format            Select Email address as the NameID Format from the dropdown list.
    NameID Value             Select Primary Email as the NameID Value from the dropdown list.
    Signing Certificate      Download the certificate from the Service Provider Metadata tab of the module and upload it here.

  • Click on the Finish button to save the configuration.
  • Configure Attribute Configuration under the SSO Configuration tab (optional).
  • For example, enter the attribute name as "firstName", select Basic from the Format dropdown, select User Attribute from the Type dropdown, select User Name from the Value dropdown and click on the Save button.

Assigning Groups/People

  • After creating and configuring the app, go to the Users / Groups tab.
  • Here you can add the users and groups you want to give access to log in through this app. Assign it to the people/groups you would like to give access to.

Import IDP Metadata

  • Go to SSO Configuration.
  • Click on the Download Identity Provider Metadata button to download the metadata.

Step 1: Setup Oracle Enterprise Manager as Identity Provider

    All the information required to configure the Oracle Enterprise Manager as IDP i.e. plugin’s metadata is given in the Service Provider Info tab of the miniOrange plugin.

    • Login to your Oracle Enterprise Manager (OEM) Console. From the side menu go to Identity and Access → Oracle Identity Federation (OIF).
    • Select the Oracle Identity Federation dropdown at the top. Go to Administration → Service Provider.
    • In the Service Provider section, select the SAML 2.0 tab.
    • Check Map User via NameID.
    • Under Protocol Settings, check Enable SAML 2.0 Protocol.
    • Configure the additional SAML settings.
    • Now select the Oracle Identity Federation dropdown at the top. Go to Administration → Security and Trust.
    • Navigate to the Provider Metadata tab.
    • Select Identity Provider in the Provider Type dropdown and click the Generate button to download the metadata.
    • Use this metadata for the further steps.

Step 1: Setup PingFederate as Identity Provider

All the information required to configure the Ping Federate as SAML IDP i.e. plugin’s metadata is given in the Service Provider Info tab of the miniOrange plugin.


      • Login to your PingFederate admin dashboard.
      • Click on Identity Provider in the left navigation menu.
      • Under SP CONNECTION, click on the Create New button.
      • Select the Browser SSO Profiles connection template on the Connection Type tab and click Next.
      • Select Browser SSO on the Connection Options tab and click Next.
      • On the Import Metadata tab, select File as the method for importing metadata and click Choose File to choose the miniOrange SSO plugin's metadata. Alternatively, select the None option and add the SP metadata manually; you will need to copy the SP Entity ID, SP ACS URL and Certificate from the Service Provider Info tab.
      • Review the information on the Metadata Summary tab and click Next.
      • In the General Info tab, ensure that the Service Provider's Entity ID, Connection Name and Base URL fields are pre-populated from the metadata. Click Next.
      • Navigate to the Browser SSO tab and click on Configure Browser SSO. You will be redirected to the Browser SSO setup wizard.
        • 1) Select the IdP-Initiated SSO and SP-Initiated SSO options on the SAML Profiles tab and click Next.
          2) Enter your desired assertion validity window on the Assertion Lifetime tab and click Next. By default it is 5 minutes for both Minutes Before and Minutes After.
          3) Navigate to Assertion Creation and click on Configure Assertion Creation. You will be redirected to the assertion creation setup wizard.
            I. In the Identity Mapping tab, select STANDARD and click Next.
            II. Select a Subject Name Format for the SAML_SUBJECT on the Attribute Contract tab and click Next.
            III. Click Map New Adapter Instance on the Authentication Source Mapping tab.
            IV. Select an Adapter Instance and click Next. The adapter must include the user's email address.
            V. Select the Use only the adapter contract values in the SAML assertion option on the Mapping Method tab and click Next.
            VI. Select your adapter instance as the Source and the email as the Value on the Attribute Contract Fulfilment tab and click Next.
            VII. (Optional) Select any authorization conditions you would like on the Issuance Criteria tab and click Next.
            VIII. Click Done on the Summary.
            IX. Click Next on the Authentication Source Mapping tab.
            X. Click Done on the Summary tab.
            XI. Click Next on the Assertion Creation tab.
        • Navigate to the Protocol Settings tab of the Browser SSO wizard and click on Configure Protocol Settings.
            1) On the Assertion Consumer Service URL tab, select POST for Binding and enter the plugin's ACS URL (from the Service Provider Info tab) in the Endpoint URL field. Click Next.
            2) Select POST on the Allowable SAML Bindings tab and click Next.
            3) Select your desired signature policy for assertions on the Signature Policy tab and click Next.
            4) Select your desired encryption policy for assertions on the Encryption Policy tab and click Next.
            5) Click Done on the Protocol Settings Summary tab.
            6) Click Done on the Browser SSO Summary.
        • Navigate to Credentials and click on Configure Credentials. You will be redirected to the Credentials setup wizard.
            1) Select the Signing Certificate to use with the Single Sign-On service and select Include the certificate in the signature element in the Digital Signature Settings tab. Click Done.
            2) Click Done on the Summary.
            3) Click Next on the Credentials tab.
        • Select Active for the Connection Status on the Activation & Summary tab and click Save.
        • Now navigate to the PingFederate admin dashboard → Identity Provider.
        • Click Manage All under SP Connections.
        • Click Export Metadata for the desired service provider connection.
        • Click Export on the Export & Summary tab and click Done.

Step 1: Setup Salesforce as Identity Provider

      • Log into your Salesforce account.
      • Switch to Salesforce Classic mode from profile menu and then go to the Setup page.
      • From the left pane, select Security ControlsIdentity Provider.
      • In the Service Provider section, click on the link to create the Service Provider using Connected Apps.

      • Enter Connected App Name, API Name and Contact Email.

      • Under the Web App Settings, check the Enable SAML checkbox and enter the following values:
            Entity ID        SP-EntityID / Issuer from the Service Provider Info tab
            ACS URL          ACS (AssertionConsumerService) URL from the Service Provider Info tab
            Subject Type     Username
            Name ID Format   urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
      • Now from the left pane, under the Administer section, go to Manage Apps > Connected Apps. Click on the app you just created.
      • Under Profiles section click Manage Profiles button and select the profiles you want to give access to log in through this app.
      • Under SAML Login Information, click on Download Metadata.
      • Keep this metadata handy for the next steps.

Step 1: Setup Shibboleth2 as Identity Provider

      • In conf/relying-party.xml, configure the Service Provider like this:
        <MetadataProvider xsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" id="MyInlineMetadata">
          <EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
            <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="<ENTITY_ID_FROM_PLUGIN>">
              <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
                  protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
                <!-- The Binding must be exactly HTTP-POST; a mistyped binding makes the IdP ignore this endpoint -->
                <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Location="<ACS_URL_FROM_PLUGIN>" index="1"/>
              </md:SPSSODescriptor>
            </md:EntityDescriptor>
          </EntitiesDescriptor>
        </MetadataProvider>


      • Make sure your Shibboleth server sends the user's email address as the Name ID. In attribute-resolver.xml, encode the email attribute as a Name ID:
        <resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
          <resolver:Dependency ref="ldapConnector" />
          <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
              nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
        </resolver:AttributeDefinition>

      • In attribute-filter.xml, release the email attribute:
        <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
          <afp:PolicyRequirementRule xsi:type="basic:ANY" />
          <afp:AttributeRule attributeID="email">
            <afp:PermitValueRule xsi:type="basic:ANY" />
          </afp:AttributeRule>
        </afp:AttributeFilterPolicy>

      • Restart the Shibboleth server.
      • You need to configure these endpoints in the miniOrange plugin:
            IDP Entity ID       https://<your_domain>/idp/shibboleth
            Single Login URL    https://<your_domain>/idp/profile/SAML2/Redirect/SSO
            X.509 Certificate   The IdP signing certificate of your Shibboleth server (not the web server's TLS certificate)

Step 1: Setup Shibboleth3 as Identity Provider

      • In conf/idp.properties, uncomment and set 'idp.encryption.optional' to true, e.g. idp.encryption.optional = true. With this setting the IdP issues an unencrypted assertion when the SP metadata carries no encryption certificate (the inline SP entry in the next step has none) instead of failing; the assertion is still signed and still travels over TLS.
      • In conf/metadata-providers.xml, configure the Service Provider like below. Set validUntil to a date in the future, or drop the attribute; an expired validUntil makes the IdP discard the entity and SSO fails because the SP is no longer recognised.
        <MetadataProvider xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
            id="miniOrangeInLineEntity" xsi:type="InlineMetadataProvider" sortKey="1">
          <samlmd:EntityDescriptor ID="entity" entityID="<SP-EntityID / Issuer from Service Provider Info tab in plugin>"
              validUntil="<a future date in the form YYYY-MM-DDThh:mm:ssZ>">
            <samlmd:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
                protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <samlmd:NameIDFormat>
                urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
              </samlmd:NameIDFormat>
              <samlmd:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                  Location="<ACS (AssertionConsumerService) URL from Service Provider Info tab in plugin>"
                  index="1" />
            </samlmd:SPSSODescriptor>
          </samlmd:EntityDescriptor>
        </MetadataProvider>

      • In conf/saml-nameid.properties, uncomment and set default NameID as Email Address like this
      • idp.nameid.saml2.default=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

      • In conf/saml-nameid.xml, search for shibboleth.SAML2NameIDGenerators. Uncomment the shibboleth.SAML2AttributeSourcedGenerator bean and comment out all other ref beans.
        <!-- SAML 2 NameID Generation -->
        <util:list id="shibboleth.SAML2NameIDGenerators">
          <!-- <ref bean="shibboleth.SAML2TransientGenerator" /> -->
          <!-- <ref bean="shibboleth.SAML2PersistentGenerator" /> -->
          <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
              p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
              p:attributeSourceIds="#{ {'email'} }" />
        </util:list>

      • Make sure you have defined the AttributeDefinition in conf/attribute-resolver.xml.
        <!-- Note: the AttributeDefinition id must be the same as the value given in attributeSourceIds in conf/saml-nameid.xml -->
        <resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
          <resolver:Dependency ref="ldapConnector" />
          <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="email" friendlyName="email" />
        </resolver:AttributeDefinition>

        <resolver:DataConnector id="ldapConnector" xsi:type="dc:LDAPDirectory" ldapURL="%{idp.authn.LDAP.ldapURL}"
            baseDN="%{idp.authn.LDAP.baseDN}" principal="%{idp.authn.LDAP.bindDN}"
            principalCredential="%{idp.authn.LDAP.bindDNCredential}">
          <dc:FilterTemplate>
            <!-- Define your user search filter here. IdP v3 exposes the authenticated user as
                 $resolutionContext.principal; $requestContext.principalName is the v2 name and is not set here. -->
            <![CDATA[ (&(objectclass=*)(cn=$resolutionContext.principal)) ]]>
          </dc:FilterTemplate>

          <!-- Only mail is needed for the Name ID; returning * fetches every attribute the bind DN can read -->
          <dc:ReturnAttributes>mail</dc:ReturnAttributes>
        </resolver:DataConnector>

      • Make sure you have an AttributeFilterPolicy defined in conf/attribute-filter.xml.
        <afp:AttributeFilterPolicy id="ldapAttributes">
          <afp:PolicyRequirementRule xsi:type="basic:ANY" />
          <afp:AttributeRule attributeID="email">
            <afp:PermitValueRule xsi:type="basic:ANY" />
          </afp:AttributeRule>
        </afp:AttributeFilterPolicy>

      • Restart the Shibboleth server.
      • You need to configure these endpoints in the miniOrange plugin:
            IDP Entity ID       https://<your_domain>/idp/shibboleth
            Single Login URL    https://<your_domain>/idp/profile/SAML2/Redirect/SSO
            Single Logout URL   https://<your_domain>/idp/profile/SAML2/Redirect/SLO
            X.509 Certificate   The IdP signing certificate (credentials/idp-signing.crt), not the web server's TLS certificate
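The inline SP entries for Shibboleth 2 and Shibboleth 3 above are easy to get subtly wrong: a mistyped ACS binding, WantAssertionsSigned left at false, or a validUntil in the past each make the IdP ignore or reject the entity without any obvious error on the SP side. The following Python script is an added example, not code from the miniOrange plugin or from Shibboleth; it lints an EntityDescriptor for those conditions before you paste it into metadata-providers.xml or relying-party.xml. The entity ID, the URLs and both sample descriptors are constructed for the example.

```python
"""Lint an SP EntityDescriptor before loading it into a Shibboleth IdP (added example)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def check_sp_metadata(xml_text, now=None):
    """Return a list of findings; an empty list means the descriptor passed every check."""
    now = now or datetime.now(timezone.utc)
    findings = []
    root = ET.fromstring(xml_text)
    # The descriptor may be the root element or nested inside EntitiesDescriptor/MetadataProvider.
    ed = next(root.iter(f"{{{MD}}}EntityDescriptor"), None)
    if ed is None:
        return ["no EntityDescriptor found"]
    if not ed.get("entityID"):
        findings.append("entityID is empty")
    valid_until = ed.get("validUntil")
    if valid_until:
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append(f"validUntil {valid_until} is in the past; the IdP will drop this entity")
    sp = ed.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        findings.append("no SPSSODescriptor")
        return findings
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append("WantAssertionsSigned is not true; the IdP may issue unsigned assertions")
    formats = [(e.text or "").strip() for e in sp.findall(f"{{{MD}}}NameIDFormat")]
    if EMAIL_FMT not in formats:
        findings.append("NameIDFormat does not include emailAddress, which the plugin expects")
    acs = sp.findall(f"{{{MD}}}AssertionConsumerService")
    if not acs:
        findings.append("no AssertionConsumerService endpoint")
    for endpoint in acs:
        binding = endpoint.get("Binding")
        if binding != HTTP_POST:
            findings.append(f"ACS Binding {binding!r} is not HTTP-POST; the IdP will not use this endpoint")
        location = endpoint.get("Location", "")
        if not location.startswith("https://"):
            findings.append(f"ACS Location {location!r} is not an https URL")
    return findings


# Constructed sample modelled on the inline entry above, with the placeholders filled in.
GOOD_SP = """<samlmd:EntityDescriptor xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml/metadata" validUntil="2099-01-01T00:00:00Z">
  <samlmd:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlmd:NameIDFormat>
      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    </samlmd:NameIDFormat>
    <samlmd:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="1"/>
  </samlmd:SPSSODescriptor>
</samlmd:EntityDescriptor>"""

# The same entity with three mistakes seen in the wild: an expired validUntil,
# unsigned assertions allowed, and a mistyped binding ("https-POST").
BAD_SP = (GOOD_SP.replace("2099-01-01T00:00:00Z", "2020-09-06T04:13:32Z")
          .replace('WantAssertionsSigned="true"', 'WantAssertionsSigned="false"')
          .replace("bindings:HTTP-POST", "bindings:https-POST"))

if __name__ == "__main__":
    print("good:", check_sp_metadata(GOOD_SP))
    print("bad:", check_sp_metadata(BAD_SP))
```

Run it against the XML you intend to load; an empty list means the descriptor passed, anything else is a finding to fix before restarting the IdP. It checks the fields the IdP acts on, not schema validity, so it complements rather than replaces the IdP's own metadata validation.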

Step 1: Setup SimpleSAML as Identity Provider

      • In config/config.php, make sure that 'enable.saml20-idp' is true. Example: 'enable.saml20-idp' => true
      • In metadata/saml20-idp-hosted.php, configure SimpleSAML as an Identity Provider by adding the code below:
        $metadata['__DYNAMIC:1__'] = array(
            'host' => '__DEFAULT__',
            /* X.509 key and certificate. Relative to the cert directory. */
            'privatekey'  => '<YOUR_PRIVATE_KEY_FILE_NAME>',   // e.g. RSA_Private_Key.pem
            'certificate' => '<YOUR_PUBLIC_KEY_FILE_NAME>',    // e.g. RSA_Public_Key.cer
            /* Authentication source to use. Configured in 'config/authsources.php'. */
            'auth' => '<YOUR_AUTH_SOURCE_NAME>',
        );

      • In metadata/saml20-sp-remote.php, register your Service Provider like this:
        /* The array key is the SP-EntityID / Issuer shown in the Service Provider Info tab of the plugin;
           the ACS and SLO values are taken from the same tab. */
        $metadata['<SP-EntityID / Issuer from Service Provider Info tab>'] = array(
            'AssertionConsumerService' => '<ACS (AssertionConsumerService) URL from Service Provider Info tab>',
            'SingleLogoutService'      => '<Single Logout URL from Service Provider Info tab>',
            'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
            'simplesaml.nameidattribute' => 'mail',
            'simplesaml.attributes'      => true,
            'attributes' => array('mail', 'givenname', 'sn', 'memberOf'),
        );

Step 1: Setup WSO2 as Identity Provider

      • Login to your WSO2 admin console.
      • Select Add under the Service Providers tab.
      • Select mode as Manual Configuration.
      • Enter the Service Provider Name and click on Register button.
      • Select Upload SP certificate option under SP Certificate Type.
      • Copy the certificate from plugin and provide it into Application Certificate field.
      • You can also download the certificate file and upload it through Browse file option.
      • Under Claim Configuration, select Use Local Claim Dialect.
      • For Requested Claims, add http://wso2.org/claims/emailaddress as a claim URI.
      • Set Subject Claim URI to http://wso2.org/claims/nickname.
      • Under Inbound Authentication Configuration > SAML2 Web SSO Configuration, click Configure.
      • Enter Issuer value as provided under the Service Provider Info tab of the plugin.
      • Enter Assertion Consumer URL (ACS) as provided under Service Provider Info tab and click on Add.
      • Check Enable Response Signing.
      • Check the Enable Attribute Profile and include attributes in the response always.
      • Check the Enable Audience Restriction.
      • Enter the Audience URL value provided under Service Provider Info tab of plugin and click on Add.
      • Check the Enable Recipient Validation. Enter the Recipient URL value provided under Service Provider Info tab of plugin and click on Add.
      • Click on the Download IDP Metadata button to save the IDP metadata file.
      • Click on Register to save the configuration.
      • Click on Update on Service Providers page to save the configuration.
      • Select Resident under Identity Providers tab from the menu.
      • Enter Home Realm Identifier value that you want (usually your WSO2 server address).
      • Click on Update to save the changes.

Step 4: Configure Helpdesk SSO with miniOrange

a. Get metadata from Helpdesk SSO

  • In your Jira Cloud instance, click on the Apps drop-down menu and select SAML SSO for JSM Customers.
  • Go to SP Configuration tab. Here you can access the metadata information to configure IDP.

b. Create an app inside miniOrange

  • Login into miniOrange Admin Console.
  • Go to Apps and click on the Add Application button.
  • Then click on SAML/WS-FED app.
  • Enter the details copied from the Helpdesk SSO add-on and click on Save.
  • Make sure to enable Sign Response and Sign Assertion while adding the app.

c. Add miniOrange as IDP in Helpdesk SSO

  • In miniOrange Admin Dashboard, go to Apps from the left sidebar. Click on the Select dropdown next to your created app.
  • Click on Show Metadata Details under the section INFORMATION REQUIRED TO AUTHENTICATE VIA EXTERNAL IDPS. You will need these metadata details in order to configure Helpdesk SSO add-on.
  • Import the metadata, or enter the details manually, in the helpdesk add-on.
    By default, this setup redirects the user to the default IDP. To show users the IDP selection page instead, replace the Single Sign On URL in the IDP Configuration tab of the helpdesk with the SAML Login URL (IDP Selection Page) from the miniOrange app metadata.

d. Generate API Token for Authentication

  • Before attempting to perform SSO in the Helpdesk you have to configure an API token. This token is required for performing SSO. It is a site admin's Atlassian API token, so treat it like that admin's password: paste it only into the add-on, and revoke it from the API tokens page if it is ever exposed.
  • Note: If you have not created an API token yet, open the Generate API Token page and click on Create API Token. Enter any label and click on Create. Copy the token now; it is needed for the following configuration and cannot be viewed again later.
  • Open Getting Started page for SAML SSO for JSM Customers app.
  • Click on Jira Configuration tab from the left sidebar. Then click on Configure Api Token button.
  • Enter site admin's email and API token in the popup and click on Submit.

e. Perform SSO in your Helpdesk portal

  • In Jira Configuration tab, copy the link to the project in which you want to test SSO.
  • Open your browser (an incognito window is preferred for testing) and paste the link. Your IDP login page should appear; log in with your IDP account and you will also be logged in to the Helpdesk project.


If you don't find what you are looking for, please contact us at support-atlassian@miniorange.atlassian.net or raise a support ticket here.