Contents

An In-depth Guide to Atlassian Cloud OAuth Single Sign-On (SSO) with AWS Cognito

With Jira OAuth Single Sign-On (SSO) for Atlassian Cloud, you can securely log in to Jira Cloud using your AWS Cognito credentials. This app allows you to perform seamless Single Sign-On (SSO) into your Atlassian Access or Jira/Confluence Cloud accounts using your existing OAuth Provider credentials.

Pre-requisites

1. Atlassian Guard (Atlassian Access) Subscription:

Atlassian Guard is an additional subscription applied across the Atlassian Cloud products like Jira Software, Jira Service Management, Jira Work Management, Confluence, and Bitbucket. It is needed for Single Sign-On (SSO) or any Cloud Service that comes under Atlassian Guard.

2. Domain Verification:

The first step of Atlassian Guard starts with the Domain Verification process to enforce SSO on the managed user accounts. This process verifies that you own a valid domain for managing the user accounts and use the same domain name for the email addresses.

Download And Installation

Log into your Jira instance as an admin.
Navigate to Apps → Explore more apps from the header menu.
Next, search for the miniOrange OAuth/OpenID SSO app.
Click on Try it free to begin a new trial of the app.
On the menu bar click on Apps and locate the OAuth/OpenID SSO app and click .

In this guide, we will demonstrate the setup in three parts:

1: Configure OAuth SSO connection between miniOrange App (as OAuth Client) and AWS Cognito (as OAuth Provider).

2: Configure SAML SSO connection between Atlassian Guard (as SP) and miniOrange App (as IDP).

3: Add users to the SSO Authentication policy, and enforce the SSO.

Step 1: Configure AWS Cognito as a OAuth Provider

Once the plugin is installed select the Apps dropdown from the top menu and click on mO Jira OAuth/OIDC SSO option.

Jira app main menu with the Apps section open and the mO Jira OAuth/OIDC SSO app highlighted

Next, you will be prompted with a welcome pop-up window. Click Start Configuration.

Welcome window of mO Jira OAuth/OIDC SSO app.

Copy the Callback URL and keep it handy as it will be required while setting up the OAuth application in AWS Cognito.

Callback URL from mO Jira OAuth/OIDC SSO app to be configured in the OAuth Provider

After copying the callback URL, sign in to AWS Amazon.

AWS Cognito SSO - Login to your AWS Cognito Application

Search for Cognito in the AWS Services search bar as shown below.

AWS Cognito SSO - Search Cognito in App Services

Click on Create a User Pool button to create a new User Pool.

Select the Application type as a Traditional web application. Provide a name for your application and choose the attributes in your user pool to be used during the sign-in process. Select the attributes that you require during the sign-up process from the Required attributes for the sign-up section.

AWS Cognito SSO - Provide User Pool Details

Add callback URL in the Return URL field under the Add a Return URL section. You will get this callback URL from the plugin. Click on the Create button.

Scroll down and click on the Go to Overview button.

AWS Cognito SSO - Click on Go to Overview button

To configure how your user pool sends email messages to users, navigate to the Authentication methods under the Authentication tab and click on Edit under the Email section.

AWS Cognito SSO - Navigate to Authentication Tab

Here you can add email address from which your user pool sends email messages to users. Click on Save Changes.

AWS Cognito SSO - Provide Email to Send message

Navigate to the App Clients tab under the Applications section, and select your App Client. If you don't have an app client, then click on Create app client button.

AWS Cognito SSO - Navigate to App Client Section

Copy the Client ID and Client Secret and keep them handy as they will be used in further steps.

AWS Cognito SSO - Copy Client ID and Secret

Go to the Attribute permissions tab. Click on the Edit and select the attributes that you want during the sign-up process. Click on Save.

AWS Cognito SSO - Select Attributes you want in Shopify

Now go to the Login pages tab and click on the Edit button as shown in the below image.

AWS Cognito SSO - Click on Edit for SSO Configurations

Verify that the Callback URL is added to the URL field under the Allowed Callback URLs section and under the Identity Provider section, the Identity Provider selected is the Cognito user pool, and select Authorization code grant under the OAuth 2.0 grant types. Under the OpenID Connect scopes section the scopes selected are Email, OpenID, and Profile. (Please refer to the images below) Click on the Save Changes button.

AWS Cognito SSO - Select Authorization Code Grant

AWS Cognito SSO - OAuth Grant Type and Scopes

Go to the Users tab under the User Management section, and click Create user.

Enter details such as email address, phone number & password. Click on Create user to save the details.

AWS Cognito SSO - provide email, password

Now, return to the miniOrange App configuration page and click Next from the Callback URL screen.
Select Application Type as OIDC. Enter Client ID, Client Secret, Scopes (such as openid, email, etc.), and other required endpoints. Then click Next.

OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Create group

Step 2: Set up SSO between Atlassian Guard and miniOrange

In the next window, you’ll find the Plugin Metadata details.
Copy IDP Entity ID, IDP SSO URL, and IDP Public X.509 Certificate and keep it handy. You’ll need these to configure the Identity Provider in the Atlassian Guard.
Open the Atlassian Admin Console and go to the Security tab.

Note: In case you manage multiple organizations, you’ll have to select the intended one after accessing the admin console.

Click on Identity providers and select Other provider.

On the Atlassian admin dashboard, under the Security tab in the Identity providers section with the Other provider option highlighted.

Provide an appropriate name, select Set up SAML Single Sign-On, and click Next.
Now, paste the IDP Entity ID, IDP SSO URL, and Public X.509 Certificate that you copied from the plugin configuration.

Copy SAML details from mO Jira OAuth/OIDC SSO app and configure it on Atlassian Guard under the add SAML details section

Click Next and copy the Service Provider Entity ID and Service Provider Assertion Consumer Service URL. Keep these handy as they’re required to complete the plugin configuration.
Complete the rest of the Atlassian Guard configuration
Once you’re done, return to the plugin configuration page, go to the SAML IDP Metadata tab, and click Next.
Enter the SP Entity ID and Assertion Consumer Service (ACS) URL that you copied, and click Next.

SAML SP configuration section in mO Jira OAuth/OIDC SSO app, where SP details are copied from Atlassian Guard

Step 3: Configure SSO Authentication Policy

Once all the SSO Configurations are done, you need to add users to the Authentication Policy and enforce Single Sign-On.

Follow these steps:

Log in to Atlassian Cloud Admin Console, and go to the Security tab.
Under the Authentication Policies section, find the respective SSO policy and click Edit.
Select the checkbox for Enforce single sign-on option, then go to the Members section and add the new users to the policy.

If you encounter any difficulties configuring miniOrange add-ons, please contact us at atlassiansupport@xecurify.com or raise a support ticket here.