An In-depth Guide to Atlassian Cloud OAuth Single Sign-On (SSO) with AWS Cognito
With Jira OAuth Single Sign-On (SSO) for Atlassian Cloud, you can securely log in to Jira Cloud using your AWS Cognito credentials. This app allows you to perform seamless Single Sign-On (SSO) into your Atlassian Access or Jira/Confluence Cloud accounts using your existing OAuth Provider credentials.

Pre-requisites

1. Atlassian Guard (Atlassian Access) Subscription:

Atlassian Guard is an additional subscription applied across the Atlassian Cloud products like Jira Software, Jira Service Management, Jira Work Management, Confluence, and Bitbucket. It is needed for Single Sign-On (SSO) or any Cloud Service that comes under Atlassian Guard.

2. Domain Verification:

The first step of Atlassian Guard starts with the Domain Verification process to enforce SSO on the managed user accounts. This process verifies that you own a valid domain for managing the user accounts and use the same domain name for the email addresses.

Download And Installation

  • Log into your Jira instance as an admin.
  • Navigate to Apps → Explore more apps from the header menu.
  • Next, search for the miniOrange OAuth/OpenID SSO app.
  • Click on Try it free to begin a new trial of the app.
  • On the menu bar click on Apps and locate the OAuth/OpenID SSO app and click .

In this guide, we will demonstrate the setup in three parts:

    1: Configure OAuth SSO connection between miniOrange App (as OAuth Client) and AWS Cognito (as OAuth Provider).

    2: Configure SAML SSO connection between Atlassian Guard (as SP) and miniOrange App (as IDP).

    3: Add users to the SSO Authentication policy, and enforce the SSO.


Step 1: Configure AWS Cognito as an OAuth Provider

  • Once the plugin is installed, select the Apps dropdown from the top menu and click the mO Jira OAuth/OIDC SSO option.
  • You will be prompted with a welcome pop-up window. Click Start Configuration.
  • Copy the Callback URL and keep it handy; it is required when setting up the OAuth application in AWS Cognito.
  • After copying the callback URL, sign in to the AWS Management Console.
  • Enter “Cognito” in the search box and select Cognito from the dropdown.
  • Go to the “Manage User Pools” option.
  • Click “Create a user pool”.
  • Add a pool name and select “Review Defaults”.
  • Click “Add app client”, then click Add an app client.
  • Enter an App client name and click “Create app client”.
  • Click Return to pool details, then click “Create Pool”.
  • Navigate to App client settings.
    • Select “Cognito User Pool” and add the callback URL copied from the miniOrange app.
    • Select Authorization code grant under “Allowed OAuth Flows” and openid under “Allowed OAuth Scopes”.
    • After selecting all details, click the Save changes button.
  • Go to “App client” and click “Show details” to get the client ID and client secret.
  • Go to Domain name and enter a domain name for your app. After adding the domain name, check its availability by clicking the “Check availability” button. After entering a valid domain name, click the “Save changes” button.
  • Complete domain name: The complete domain name that you need to enter in the plugin is {your domain name}.auth.{region name}.amazoncognito.com
  • Add Users / Groups to the Cognito App: Go to Users and groups and then click Users. After this, click Create user.
  • Fill in all required information and click Create user.
  • Click Groups and then click Create group.
  • Fill in all required information and click Create group.
  • Now, return to the miniOrange App configuration page and click Next from the Callback URL screen.
  • Select Application Type as OIDC. Enter the Client ID, Client Secret, Scopes (such as openid, email, etc.), and the other required endpoints. Then click Next.
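The endpoints the plugin asks for in the last step all derive from the Cognito app domain and user pool you created above. The following is an added example, not code from miniOrange or AWS: it builds those endpoint URLs from a domain prefix, region and user pool id, checks a callback URL against the rules Cognito applies to registered callbacks (absolute, https except localhost, no fragment, exact string match on redirect_uri), and assembles the authorization-code request the plugin will send. All domain, pool and callback values are constructed placeholders.

```python
"""Added example for the Cognito + miniOrange OIDC setup above.
Sample values (domain prefix, region, pool id, callback URL) are constructed."""
import secrets
from urllib.parse import urlencode, urlparse


def cognito_endpoints(domain_prefix: str, region: str, user_pool_id: str) -> dict:
    """Hosted-UI OAuth endpoints live under the app domain chosen in the
    'Domain name' step; OIDC discovery and JWKS live under the regional
    cognito-idp issuer keyed by the user pool id."""
    base = f"https://{domain_prefix}.auth.{region}.amazoncognito.com"
    issuer = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    return {
        "issuer": issuer,
        "discovery": f"{issuer}/.well-known/openid-configuration",
        "jwks": f"{issuer}/.well-known/jwks.json",
        "authorize": f"{base}/oauth2/authorize",
        "token": f"{base}/oauth2/token",
        "userinfo": f"{base}/oauth2/userInfo",
    }


def callback_accepted(url: str) -> bool:
    """Rules Cognito enforces when you register a callback URL on the app
    client: absolute URL, https (http only for localhost), no fragment."""
    u = urlparse(url)
    if not u.hostname or u.fragment:
        return False
    if u.scheme == "https":
        return True
    return u.scheme == "http" and u.hostname == "localhost"


def redirect_matches(registered: str, presented: str) -> bool:
    """redirect_uri is compared by exact string match, so a trailing slash
    or a different case in the path is a mismatch, not a near-miss."""
    return registered == presented


def build_authorize_url(endpoints: dict, client_id: str, redirect_uri: str,
                        scopes=("openid", "email")) -> tuple:
    """Authorization-code request the client sends to the authorize endpoint.
    'state' is a fresh random value the client must verify on the callback."""
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": state}
    return f"{endpoints['authorize']}?{urlencode(params)}", state
```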

Step 2: Set up SSO between Atlassian Guard and miniOrange

  • In the next window, you’ll find the Plugin Metadata details.
  • Copy the IDP Entity ID, IDP SSO URL, and IDP Public X.509 Certificate and keep them handy. You’ll need these to configure the Identity Provider in Atlassian Guard.
  • Open the Atlassian Admin Console and go to the Security tab.
  • Note: If you manage multiple organizations, you’ll have to select the intended one after accessing the admin console.

  • Click Identity providers and select Other provider.
  • Provide an appropriate name, select Set up SAML Single Sign-On, and click Next.
  • Now, paste the IDP Entity ID, IDP SSO URL, and Public X.509 Certificate that you copied from the plugin configuration.
  • Click Next and copy the Service Provider Entity ID and Service Provider Assertion Consumer Service URL. Keep these handy, as they’re required to complete the plugin configuration.
  • Complete the rest of the Atlassian Guard configuration.
  • Once you’re done, return to the plugin configuration page, go to the SAML IDP Metadata tab, and click Next.
  • Enter the SP Entity ID and Assertion Consumer Service (ACS) URL that you copied, and click Next.

Step 3: Configure SSO Authentication Policy
Once all the SSO Configurations are done, you need to add users to the Authentication Policy and enforce Single Sign-On.

Follow these steps:

  • Log in to Atlassian Cloud Admin Console, and go to the Security tab.
  • Under the Authentication Policies section, find the respective SSO policy and click Edit.
  • Select the checkbox for the Enforce single sign-on option, then go to the Members section and add the new users to the policy.

If you encounter any difficulties configuring miniOrange add-ons, please contact us at atlassiansupport@xecurify.com or raise a support ticket here.