Setting Up SAML Single Sign-On in Jira with Keycloak IDP

Recent Jira Data Center products, including Jira Software and Jira Service Management, let you configure a SAML or OpenID Connect identity provider (IdP) without any plugins or extensions. This guide walks through configuring SAML single sign-on in Jira using Keycloak as the SAML IdP.
1. Create a Keycloak SAML client as the identity provider
Log in to the Keycloak admin console and select the realm in which you want to create the client for Jira authentication (avoid the built-in master realm for application logins; it is meant for Keycloak administration).
Navigate to Clients → Create client

Configure the client with the following values. Replace {jira_host} and {keycloak_host} with your hostnames and {realm} with the realm you selected:
| Key | Value |
|---|---|
| Client type | SAML |
| Client ID | https://{jira_host} |
| Root URL | https://{jira_host}/ |
| Home URL | https://{jira_host}/ |
| Valid redirect URIs | https://{jira_host}/* |
| IDP-Initiated SSO URL name | A short name such as jira (optional). This is a name, not a URL: Keycloak builds the IdP-initiated login URL https://{keycloak_host}/realms/{realm}/protocol/saml/clients/{name} from it. Leave it empty if you only need SP-initiated login from Jira |
| Master SAML Processing URL | https://{jira_host}/plugins/servlet/samlconsumer |
| Name ID format | email (must match the Name ID Policy you set on the Jira side in step 2) |
| Force name ID format | On |
| Force POST binding | On |
| Include AuthnStatement | On |
| Sign documents | On |
| Sign assertions | On |

Switch to the Keys tab and turn off the signing keys configuration (Client signature required). Jira will then send unsigned AuthnRequests, which pairs with Sign requests being off in step 2. Keycloak still signs its own documents and assertions; that signature is what Jira verifies with the certificate you copy below.

Switch to the Client scopes tab:
If the role_list scope is assigned to the client, change it from Default to Optional. Otherwise Keycloak emits one Role Attribute element per role, and Jira rejects the assertion with an "Attribute element with duplicated Name" error.
Open the client's dedicated scope (named {client_id}-dedicated) to add the new mappers:

Next, configure a Group list mapper and User Property mappers:
Configure a new mapper:

Add a Group list mapper with the SAML attribute name memberOf, so Jira receives the user's group memberships (keep Single Group Attribute on so that all groups are sent as several values of one Attribute element rather than as duplicated elements).
Add User Property mappers for firstName, lastName and email, so Jira receives the user's profile information.

Switch to the Advanced tab and set both Assertion Consumer Service POST Binding URL and Logout Service POST Binding URL to
https://{jira_host}/plugins/servlet/samlconsumer:
Then navigate to Realm settings, choose the Keys tab, find the RS256 key and copy its Certificate (the X.509 certificate, not the public key); you will paste it into Jira in the next step. If the realm's signing key is ever rotated, update the certificate in Jira as well, or logins will fail signature validation.

2. Configure the Jira authentication method
Recent Jira products ship with authentication methods for single sign-on via SAML or OpenID Connect:

Now, let's configure SAML as the single sign-on method in Jira. I will use Jira Service Management as an example:
Access https://{jira_host}/plugins/servlet/authentication-config (substitute your hostname), or click the gear icon at the top right, choose System, navigate to Authentication methods in the left navbar and choose Add configuration. Fill in the Name and choose SAML as the Authentication method.
Next fill in the required SAML SSO settings as in the table below:

| Key | Value |
|---|---|
| Single sign-on issuer | https://{keycloak_host}/realms/{realm} (must match the Issuer element Keycloak puts in the assertion) |
| Identity provider single sign-on URL | https://{keycloak_host}/realms/{realm}/protocol/saml |
| X.509 Certificate | Paste the RS256 realm certificate obtained in the previous step |
| Username mapping | ${NameID} |
| Name ID Policy | Email Address |
| Sign requests | Off (unchecked), matching Client signature required being off on the Keycloak client |
- If you want just-in-time (JIT) provisioning, so that users are created and updated automatically when they log in through SSO to Atlassian Data Center applications, enable it and map the attributes exposed by the Keycloak mappers from step 1 (firstName, lastName, email and memberOf) to the user's name, email and groups. Note that with JIT enabled, any Keycloak user who can authenticate to this client becomes a Jira user, so restrict access to the client in Keycloak accordingly:

Configure the remaining options and click Save configuration to finish:

Back on the Authentication methods page, the SAML configuration is now listed:

Click Actions, then Test sign-in:

Log in with your Keycloak account; on success you are redirected back into Jira:
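When Test sign-in fails, the quickest way to tell a configuration mismatch from a signature problem is to decode the SAMLResponse that Keycloak posts to /plugins/servlet/samlconsumer (base64 in the POST body, visible in the browser's developer tools) and check it against the values configured above. The following is an added example, not Atlassian or Keycloak code. It does not verify the XML signature; it checks the issuer, Destination, NameID format, audience, validity window, AuthnStatement, duplicated Attribute names and the attributes JIT provisioning expects. The hostnames, realm name and sample responses are constructed for the example.

```python
"""Sanity-check a SAML Response against the values this guide configures.

Added example (not Atlassian or Keycloak code). Signature verification is
deliberately out of scope; everything below is a plain field comparison.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def _ts(value):
    # SAML timestamps are UTC ISO 8601 with a trailing Z; older Pythons need +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(xml_text, expected_issuer, expected_audience, expected_acs,
                        required_attrs=("memberOf", "firstName", "lastName", "email"),
                        now=None):
    """Return a list of problem strings; an empty list means the response matches the setup."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != expected_acs:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL {expected_acs!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # With "Encrypt assertions" on, Keycloak emits <saml:EncryptedAssertion> instead.
        return problems + ["no plain <saml:Assertion> in Response"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} does not match single sign-on issuer {expected_issuer!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or "@" not in (name_id.text or ""):
        problems.append("NameID is missing or not an email address (check Name ID format / Force name ID format)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (clock skew between Keycloak and Jira?)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (clock skew between Keycloak and Jira?)")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append(f"Audience {audiences} does not include client ID {expected_audience!r}")
    if assertion.find("saml:AuthnStatement", NS) is None:
        problems.append("no AuthnStatement (turn on 'Include AuthnStatement')")
    names = [a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)]
    for name, count in Counter(names).items():
        if count > 1:
            problems.append(f"Attribute element with duplicated Name {name!r} (set role_list to Optional)")
    for attr in required_attrs:
        if attr not in names:
            problems.append(f"missing attribute {attr!r} needed for JIT provisioning")
    return problems


# Constructed values standing in for {keycloak_host}, {realm} and {jira_host}.
ISSUER = "https://sso.example.com/realms/corp"
AUDIENCE = "https://jira.example.com"
ACS = "https://jira.example.com/plugins/servlet/samlconsumer"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2024, 1, 1, 12, 10, 0, tzinfo=timezone.utc)

# Constructed, unsigned response shaped like what the guide's client produces.
GOOD_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS}">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z" SessionIndex="_s1">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="memberOf"><saml:AttributeValue>jira-users</saml:AttributeValue><saml:AttributeValue>jira-admins</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same response with two mistakes the guide warns about: the default role_list
# scope emitting several "Role" attributes, and no email mapper.
BAD_RESPONSE = GOOD_RESPONSE.replace(
    '<saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>', ""
).replace("</saml:AttributeStatement>",
          '<saml:Attribute Name="Role"><saml:AttributeValue>offline_access</saml:AttributeValue></saml:Attribute>'
          '<saml:Attribute Name="Role"><saml:AttributeValue>uma_authorization</saml:AttributeValue></saml:Attribute>'
          "</saml:AttributeStatement>")

if __name__ == "__main__":
    for label, doc in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_saml_response(doc, ISSUER, AUDIENCE, ACS, now=SAMPLE_NOW) or "OK")
```

Run it against a real decoded response by passing the XML text and the issuer, client ID and ACS URL you configured; pass `now` only when replaying an old capture, otherwise the validity-window check uses the current time.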

You have now configured SAML authentication for Jira Service Management using Keycloak as the identity provider. Users log in once at Keycloak and are signed into your Jira applications, and, with JIT provisioning enabled, their accounts, names, emails and groups are kept in sync from Keycloak.