Jira Cloud

With Delinea as your Privileged Access Service, you can choose single-sign-on (SSO) access to the Jira Cloud web and mobile applications with IdP-initiated SAML SSO (for SSO access through the Admin Portal) or SP-initiated SAML SSO (for SSO access directly through the Jira Cloud web application) or both. Providing both methods gives you and your users maximum flexibility.

If Jira Cloud is the first application you are configuring for SSO through Privileged Access Service, read these topics before you get started:

Jira Cloud SSO Requirements

Before you configure the Jira Cloud web application for SSO, you need the following:

• A Jira Cloud account.

• An organization administrator and Jira Cloud site administrator (user with admin permission in the group “site-admins”)

• Domains of SSO users’ email addresses added and verified before configuration.

Configuring Your Organizations

Atlassian uses organizations to manage your domains and user accounts, providing control and visibility across your Atlassian Cloud applications. Setting up your organization and verifying a domain are pre-requisites to configuring SSO. Refer to https://confluence.atlassian.com/cloud/organization-administration-938859734.html for more information about configuring your organization with Atlassian.

Adding and Configuring Jira Cloud in Admin Portal

The following steps are specific to the Jira Cloud application and are required in order to enable SSO for Jira Cloud. For information on optional configuration settings available in the Delinea Admin Portal, see Optional Configuration Settings.

To add and configure the Jira Cloud application in the Admin Portal:

1. In the Admin Portal, select Apps > Web Apps, then click Add Web Apps.

   The Add Web Apps screen appears.

   

2. On the Search tab, enter the partial or full application name in the Search field and click the search icon.

   

3. Next to the application, click Add.

4. In the Add Web App screen, click Yes to confirm.

5. Click Close to exit the Application Catalog.

   The application that you just added opens to the Settings page.

6. Click the Trust page to begin configuring the application.

   

   The UI is evolving in order to simplify application configuration. For example, many of the settings previously found on the Application Settings page are now on the Trust page. You might have to select Manual Configuration to expose those settings, as shown in the following example.

   

   Any previously configured applications retain their configuration and do not require reconfiguration. If you are configuring an application for the first time, refer to the Trust page for any settings previously found on the Application Settings page.

   In addition, the description of how to choose and download a signing certificate in this document might differ slightly from your experience. See Choose a Certificate File for the latest information.

Configuring Jira Cloud for SSO

You need organization administrator privileges to perform these steps.

Tip: It can be useful to open the web application and Admin Portal simultaneously and have them both open, perhaps side by side. As part of the SSO configuration process, you’ll need to copy and paste settings between the two browser windows.

The following steps are specific to the Jira Cloud application and are required in order to enable SSO for Jira Cloud. For information on optional configuration settings available in the Delinea Admin Portal, see Optional Configuration Settings.

To configure Jira Cloud for SSO:

1. Return to the browser tab where you added and verified email addresses. If that browser tab is no longer active, open a new browser tab and log in to Jira Cloud with an account that has ADMIN privileges in the group “site-admins” and is an organization administrator.

   Click Settings > User management, then navigate to Organizations & Security and select your verified domain.

   

2. Click SAML single sign-on.

   

3. On the Atlassian SAML single sign-on page, click Add SAML configuration.

4. On the Add SAML configuration screen, configure the following:

   Admin Portal >Application Settings	Copy/Paste Direction	Jira Cloud Website >Atlassian Site Administration	What you do
   Identity Provider Entity ID	-->	Identity Provider Entity ID	Copy the URL from the Admin Portal and paste here.
   Identity Provider SSO URL	-->	Identity Provider SSO URL	Copy the URL from the Admin Portal and paste here.
   Download Signing Certificate	-->	Public x509 Certificate	Click Download Signing Certificate in the Admin Portal and open the file in a text editor. Copy the contents and paste it here.

5. Click Save configuration.

6. Compare the following settings between the Atlassian SAML single sign-on page and the Application Settings page of the Delinea Admin Portal.

   The red arrows in the table below indicate the direction of the copy and paste operation between the two windows. For instance, the first arrow in the table below indicates that you copy the content from the indicated field on the Jira Cloud website and paste it into the corresponding field in the Privileged Access Service Admin Portal.

   Admin Portal >Application Settings	Copy/Paste Direction	Jira Cloud Website >Atlassian Site Administration	What you do
   SP Entity ID	<--	SP Entity ID	If the SP Entity ID is not: https://id.atlassian.com/login, copy the SP Entity ID from Jira Cloud and paste it in the Admin Portal Application Settings page.
   SP Assertion Consumer Service URL	<--	SP Assertion Consumer Service URL	If your SP Assertion Consumer Service URL is not: https://id.atlassian.com/login/saml/acs, copy the SP Assertion Consumer Service URL from Jira Cloud and paste it in the Admin Portal Application Settings page.

7. In the Privileged Access Service Admin Portal, configure User Access and Account Mapping.

8. Click Save.

Configuring Jira Cloud Mobile Apps for SSO

Jira Cloud provides mobile applications that support SSO for iOS and Android devices.

SP-initiated SSO will be launched after you enter the site name (subdomain) of your Jira Cloud and an email address with a verified domain.

For more information about Jira Cloud

See Configuring Jira Cloud for SSO for more information.

Jira Cloud Specifications

Each SAML application is different. The following table lists features and functionality specific to Jira Cloud.

Capability	Supported?	Support details
Web browser client	Yes
Mobile client	Yes	iOS and Android
SAML 2.0	Yes
SP-initiated SSO	Yes
IdP-initiated SSO	Yes
Force user login via SSO only	Yes	Users with an email address at a domain that has been verified must use SSO.
Separate administrator login after SSO is enabled	No
User or Administrator lockout risk	Yes
Automatic user provisioning	No
Multiple User Types	Yes	SSO works the same way for all admin and non-admin user types.
Self-service password	Yes	Users can reset their own passwords. Resetting another user’s password requires administrator rights.
Access restriction using a corporate IP range	Yes	You can specify an IP Range in the Admin Portal Policy page to restrict access to the application.