
How to secure Atlassian products (Jira, Confluence, Bitbucket)

License requirements

This guide requires an Atlassian Access license, since SAML SSO for an Atlassian organization is configured through Atlassian Access.

Atlassian offers a SAML SSO feature (SAML 2.0) that links the accounts in your organization to identities in your identity provider, which makes user management easier. You can use this feature to put XFA in front of your Atlassian products, so that every device used to access them is checked for a secure security posture.

Note: This article assumes that you have an XFA account set up for your organization and that you are an admin of that organization. If you do not have an account, you can create one at https://dashboard.xfa.tech/signup.

Configure Atlassian in your identity provider

Use our identity provider guides to learn how to set up an application in your identity provider with the settings below.

SAML Application Settings in IDP

Entity ID: https://auth.atlassian.com/saml/<...> (provided by Atlassian)
ACS URL / Redirect URL: https://device-api.xfa.tech/saml2/consume
Signed Response: false

Warning:
  • The Entity ID is unique to your organization and can be found in the Atlassian Access settings; you might need to come back to this step after you have enabled SAML SSO in Atlassian.
  • The ACS URL / Redirect URL differs from a standard (direct) Atlassian SAML configuration: the identity provider sends its response to XFA, not to Atlassian.

Creating an application in XFA

A guide on how to create an application in XFA can be found here.

Settings to use in XFA

Assertion Consumer Service URL: https://auth.atlassian.com/login/callback?connection=saml-<...> (provided by Atlassian)
SSO URL: (provided by identity provider)
Entity ID: (provided by identity provider)
Certificate: (provided by identity provider)

Warning:
  • The Assertion Consumer Service URL is unique to your organization and can be found in the Atlassian Access settings; you might need to come back to this step after you have enabled SAML SSO in Atlassian.
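The three values marked "(provided by identity provider)" above are normally published by the identity provider as a SAML 2.0 metadata XML document. The following added example (not part of this guide or of XFA's software) extracts exactly those three values from such a document, using only the Python standard library: the Entity ID from the EntityDescriptor, the SSO URL from the HTTP-Redirect SingleSignOnService, and the signing certificate from the KeyDescriptor, returned both as PEM for pasting and as a SHA-256 fingerprint you can compare against what the identity provider's console shows. The metadata document and the certificate body in it are constructed samples; the certificate is base64 filler, not a real certificate.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

# XML namespaces used in SAML 2.0 metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of an IdP metadata document (hostnames are placeholders and
# the X509Certificate body is base64 filler, not a real certificate).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml2/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml2/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_idp_settings(metadata_xml: str) -> dict:
    """Return the values XFA asks for: Entity ID, SSO URL and signing certificate.

    Raises ValueError when the document is not IdP metadata (e.g. you pasted
    SP metadata by mistake) or lacks one of the required elements.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    entity_id = root.attrib["entityID"]

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    # XFA's "SSO URL" is where the browser is redirected to start login, so pick the
    # HTTP-Redirect endpoint rather than the HTTP-POST one.
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT_BINDING:
            sso_url = svc.get("Location")
            break
    if sso_url is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService in metadata")

    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if el is not None and el.text:
                cert_b64 = "".join(el.text.split())  # strip whitespace/newlines
                break
    if cert_b64 is None:
        raise ValueError("no signing certificate in metadata")

    der = base64.b64decode(cert_b64)
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(textwrap.wrap(cert_b64, 64))
           + "\n-----END CERTIFICATE-----")
    return {
        "entity_id": entity_id,
        "sso_url": sso_url,
        "certificate_pem": pem,
        # Compare this against the fingerprint shown in the IdP console before pasting.
        "certificate_sha256": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in extract_idp_settings(SAMPLE_METADATA).items():
        print(f"{key}:\n{value}\n")
```

Metadata you download from an identity provider over HTTPS is trusted input, but if you ever parse metadata from a less trusted source, use the defusedxml package instead of xml.etree to rule out entity-expansion tricks.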

Configure your Atlassian organization to use XFA

1. Log in to admin.atlassian.com and go to the "Security" tab

2. Click on "Identity providers" and pick "Other Provider"

3. Provide a name for the identity provider

We recommend a descriptive name such as "XFA + Google" or "XFA + Microsoft", depending on your upstream identity provider.

4. Continue to "Set up SAML single sign-on"

Use the following settings to configure your Atlassian organization with XFA.

Settings to use in Atlassian

Identity provider Entity ID: (from XFA application)
Identity provider SSO URL: (from XFA application)
Public x509 certificate: (from XFA application)

5. Copy the settings from Atlassian

  • Copy the Service provider entity URL to your identity provider settings as the Entity ID (see the Configure Atlassian in your identity provider section above).
  • Copy the Service provider assertion consumer service URL to your XFA application as the Assertion Consumer Service URL (see the Creating an application in XFA section above).
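With the identity provider, XFA and Atlassian all configured, there are two hops (identity provider to XFA, XFA to Atlassian) and five groups of values, and the usual mistake is pasting a value one hop too far (for example, Atlassian's callback URL into the identity provider's application instead of XFA's consume endpoint). The following added example (not part of this guide or of XFA's software) encodes the wiring rules described in the sections above as a consistency check over those values. The example values are constructed; every tenant-specific part is an obvious placeholder, and the XFA-provided values in particular are placeholders because this guide does not show them.

```python
import re

# Fixed endpoint the guide gives for the application in the identity provider (hop 1).
XFA_CONSUME_URL = "https://device-api.xfa.tech/saml2/consume"
# Shape of the two values Atlassian generates per organization ("<...>" in the guide).
ATLASSIAN_SP_ENTITY_RE = re.compile(r"^https://auth\.atlassian\.com/saml/[^/?#]+$")
ATLASSIAN_SP_ACS_RE = re.compile(
    r"^https://auth\.atlassian\.com/login/callback\?connection=saml-[^&#]+$")


def example_config() -> dict:
    """Constructed sample of the five groups of values; tenant-specific parts are placeholders."""
    idp_provided = {  # shown by Google/Microsoft for the application you created there
        "entity_id": "https://idp.example.com/saml2/metadata",
        "sso_url": "https://idp.example.com/saml2/sso",
        "certificate": "IDP-SIGNING-CERT-PLACEHOLDER",
    }
    xfa_provided = {  # shown by the XFA application, for pasting into Atlassian
        "entity_id": "XFA-ENTITY-ID-PLACEHOLDER",
        "sso_url": "https://XFA-SSO-URL-PLACEHOLDER.example",
        "certificate": "XFA-SIGNING-CERT-PLACEHOLDER",
    }
    atlassian_sp = {  # shown by Atlassian in step 5
        "entity_id": "https://auth.atlassian.com/saml/ORG-PLACEHOLDER",
        "acs_url": "https://auth.atlassian.com/login/callback?connection=saml-ORG-PLACEHOLDER",
    }
    return {
        "idp_provided": idp_provided,
        "xfa_provided": xfa_provided,
        # Entered in the identity provider ("SAML Application Settings in IDP").
        "idp_app": {"entity_id": atlassian_sp["entity_id"],
                    "acs_url": XFA_CONSUME_URL, "signed_response": False},
        # Entered in the XFA application ("Settings to use in XFA").
        "xfa_app": {"acs_url": atlassian_sp["acs_url"], **idp_provided},
        # Entered in Atlassian ("Settings to use in Atlassian") plus what Atlassian displayed.
        "atlassian": {"sp_entity_id": atlassian_sp["entity_id"],
                      "sp_acs_url": atlassian_sp["acs_url"],
                      **{f"idp_{k}": v for k, v in xfa_provided.items()}},
    }


def check_sso_chain(idp_provided, xfa_provided, idp_app, xfa_app, atlassian) -> list:
    """Return human-readable problems; an empty list means both hops line up."""
    problems = []

    # Hop 1: identity provider -> XFA. The IdP must post to XFA, but the audience it
    # signs for is Atlassian's SP entity ID, which XFA passes through.
    if idp_app.get("acs_url") != XFA_CONSUME_URL:
        problems.append(f"IdP app ACS URL must be {XFA_CONSUME_URL}, not "
                        f"{idp_app.get('acs_url')!r} (Atlassian's callback belongs in XFA)")
    if idp_app.get("entity_id") != atlassian.get("sp_entity_id"):
        problems.append("IdP app Entity ID must equal the Service provider entity URL shown by Atlassian")
    if idp_app.get("signed_response") is not False:
        problems.append("IdP app 'Signed Response' should be false, as the guide specifies")

    # Hop 2: XFA -> Atlassian.
    if xfa_app.get("acs_url") != atlassian.get("sp_acs_url"):
        problems.append("XFA ACS URL must equal the Service provider assertion consumer service URL shown by Atlassian")
    for key in ("entity_id", "sso_url", "certificate"):
        if xfa_app.get(key) != idp_provided.get(key):
            problems.append(f"XFA '{key}' must be the value your identity provider gave you")
        if atlassian.get(f"idp_{key}") != xfa_provided.get(key):
            problems.append(f"Atlassian 'Identity provider {key}' must be the value from the XFA application, not from the upstream IdP")

    # Atlassian-generated values have a fixed shape; a mismatch usually means a typo
    # or a value copied from the wrong screen.
    if not ATLASSIAN_SP_ENTITY_RE.match(atlassian.get("sp_entity_id", "")):
        problems.append("Atlassian Service provider entity URL does not look like https://auth.atlassian.com/saml/<...>")
    if not ATLASSIAN_SP_ACS_RE.match(atlassian.get("sp_acs_url", "")):
        problems.append("Atlassian ACS URL does not look like https://auth.atlassian.com/login/callback?connection=saml-<...>")

    # Every endpoint in the chain must be https; SAML assertions carry bearer identity.
    for name, url in (("IdP app ACS", idp_app.get("acs_url")),
                      ("XFA ACS", xfa_app.get("acs_url")),
                      ("XFA SSO", xfa_app.get("sso_url")),
                      ("Atlassian IdP SSO", atlassian.get("idp_sso_url"))):
        if not str(url).startswith("https://"):
            problems.append(f"{name} URL is not https")
    return problems


if __name__ == "__main__":
    for problem in check_sso_chain(**example_config()) or ["configuration is consistent"]:
        print(problem)
```

Replace the placeholders in example_config() with the values from your three consoles and run it before enforcing SSO; once SSO is enforced, a broken chain locks every linked user out until an admin fixes it.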

Link domains to identity provider

You can automatically associate users with your identity provider by linking your organization's domains to it. Every user whose email address belongs to a linked domain will then be asked to verify their identity with your identity provider.

Linking domains is required if you want to make SSO mandatory for all users.

Note: Adding a new domain will ask you to "Verify your company domain" by adding a TXT record to your DNS settings. This allows Atlassian to verify that you own the domain.

Note: You will need to claim all accounts associated with the domain before you can link the domain to the identity provider.

Start onboarding users

To use SSO and XFA, users must be added to the identity provider and have their email address associated with it. You can do this either by linking your organization's domains to the identity provider (see the Link domains to identity provider section above) or by adding users to the identity provider manually. At this stage, SSO is still optional for those users.

To make SSO mandatory, go to Security > Authentication Policies > (your identity provider) > Edit, enable Enforce single sign-on and confirm with the Update button.

Users can now use SSO to log into Atlassian, and XFA will check the security posture of the device to make sure that any device that is used to access Atlassian is secure.