
Integrate with Atlassian Cloud

Support level: Community

What is Atlassian Cloud?

Atlassian is a proprietary software company that specializes in collaboration tools designed primarily for software development and project management. Atlassian Cloud is their cloud platform and provides access to their popular apps, including Jira, Confluence, Bitbucket, Trello, and others.

-- https://www.atlassian.com/

This guide configures authentik as a SAML identity provider for Atlassian Cloud applications.

Atlassian Cloud user types

Atlassian Cloud has two types of users: internal users and external users.

Internal users are managed accounts from a domain that is verified in Atlassian Cloud. Internal users can use SAML SSO without Atlassian Cloud credentials.

External users log in with Atlassian Cloud credentials first, and are then prompted for authentik credentials when they access protected Atlassian Cloud apps.

Preparation

The following placeholders are used in this guide:

  • authentik.company is the FQDN of the authentik installation.

SAML SSO for Atlassian Cloud apps requires an Atlassian Guard Standard subscription, a verified domain, and an identity provider directory in Atlassian Cloud. Domain verification and directory ownership are Atlassian-side prerequisites and are outside the scope of this integration guide.

Info: This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.

authentik configuration

To support the integration of Atlassian Cloud with authentik, you need to create SAML property mappings and an application/provider pair in authentik.

Create property mappings

Atlassian Cloud expects an email NameID and a stable user ID attribute. Create Atlassian-specific mappings so the stable user ID is not based on the user's email address or display name.

  1. Log in to authentik as an administrator and open the authentik Admin interface.
  2. Navigate to Customization > Property Mappings and click Create.
  3. Create three SAML Provider Property Mapping entries with the following settings:
    • User ID mapping:

      • Name: Atlassian Cloud user ID

      • SAML Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

      • Expression:

        return str(request.user.uuid)
    • First name mapping:

      • Name: Atlassian Cloud first name

      • SAML Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

      • Expression:

        name = request.user.name.strip()
        return name.split(" ", 1)[0] if name else request.user.username
    • Last name mapping:

      • Name: Atlassian Cloud last name

      • SAML Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

      • Expression:

        name = request.user.name.strip()
        return name.rsplit(" ", 1)[1] if " " in name else ""

Create an application and provider in authentik

SAML provider changes in authentik 2026.5

authentik 2026.5 introduces changes to how the SAML provider behaves. Specifically, the provider now automatically sets the Issuer value to: https://authentik.company/application/saml/<application_slug>/metadata/

Older versions of authentik set this value to authentik by default. If you're running an older version, please set Issuer to https://authentik.company/application/saml/<application_slug>/metadata/, where <application_slug> is the slug that you selected for the application.

  1. Log in to authentik as an administrator and open the authentik Admin interface.
  2. Navigate to Applications > Applications and click New Application to open the application wizard.
    • Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the Slug value because it is required later.
    • Choose a Provider type: select SAML Provider as the provider type.
    • Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
      • Set the ACS URL to https://temp.temp. You will replace this after Atlassian provides the real assertion consumer service URL.
      • Set the Audience to https://temp.temp. You will replace this after Atlassian provides the real service provider entity URL.
      • Under Advanced protocol settings:
        • Select an available Signing Certificate.
        • Set NameID Property Mapping to authentik default SAML Mapping: Email.
        • Add the three property mappings that you created earlier to Selected User Property Mappings.
        • Remove authentik default SAML Mapping: Name from Selected User Property Mappings.
    • Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
  3. Click Submit to save the new application and provider.

Download the signing certificate

  1. Log in to authentik as an administrator and open the authentik Admin interface.
  2. Navigate to Applications > Providers and click the name of the SAML provider that you created for Atlassian Cloud.
  3. Under Download signing certificate, click Download. The contents of this certificate are required in the next section.

Atlassian Cloud configuration

  1. Log in to the Atlassian administrator portal as an Atlassian Cloud organization administrator.
  2. Select your organization.
  3. Navigate to Security > User security > Identity providers.
  4. Choose Other provider.
  5. Provide a directory name, for example authentik, and click Add.
  6. Select the identity provider directory that you created, then click Set up SAML single sign-on.
  7. Set the following required configurations:
    • Identity provider Entity ID: https://authentik.company/application/saml/<application_slug>/metadata/
    • Identity provider SSO URL: https://authentik.company/application/saml/<application_slug>/
    • Public x509 Certificate: enter the contents of the certificate that you downloaded from authentik.
  8. Click Save configuration.
  9. Copy the Service provider entity URL and Service provider assertion consumer service URL. These values are required in authentik.
  10. If prompted, link the verified domains that should use this identity provider directory.

Update the authentik provider

  1. Log in to authentik as an administrator and open the authentik Admin interface.
  2. Navigate to Applications > Providers and click the Edit icon for the Atlassian Cloud provider.
  3. Update the following settings:
    • ACS URL: set to the Service provider assertion consumer service URL from Atlassian Cloud, such as https://auth.atlassian.com/login/callback?connection=saml-example.
    • Audience: set to the Service provider entity URL from Atlassian Cloud, such as https://auth.atlassian.com/saml/example.
  4. Click Update.

Enable SSO in Atlassian Cloud

Internal users

  1. Log in to the Atlassian administrator portal as an Atlassian Cloud organization admin.
  2. Navigate to Security > User security > Identity providers.
  3. Select the identity provider directory that you created for authentik.
  4. Open Authentication policies.
  5. Select Edit for the policy that should enforce SAML SSO.
  6. Select Enforce single sign-on.
  7. Click Update.

External users

  1. Log in to the Atlassian administrator portal as an Atlassian Cloud organization admin.
  2. Navigate to Security > User security > External users.
  3. Click External user policy.
  4. Under Authorization method, select Single sign-on.
  5. Under Identity provider, select the identity provider directory that you created for authentik.
  6. Click Update.

Configuration verification

Internal users

To confirm that authentik is properly configured with Atlassian Cloud for internal users, open an Atlassian Cloud app in a private or incognito browser window and log in with a managed account from a verified domain. You should be redirected to authentik and then back to Atlassian Cloud.

External users

To confirm that authentik is properly configured with Atlassian Cloud for external users, open an Atlassian Cloud app in a private or incognito browser window and log in with an external user account.

From the Atlassian Cloud dashboard, open an app such as Jira. You should be prompted to verify your identity, redirected to authentik, and then returned to the selected Atlassian Cloud app.
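If a login fails, the decoded assertion can be compared against the values this guide configures. The following is an added example, not part of the authentik documentation or code: it checks the Issuer, ACS URL, Audience, email NameID, and the UUID-based user ID produced by the property mappings. The sample assertion, the slug `atlassian`, and the function name `check_assertion` are assumptions, and the signature is not verified here.

```python
import uuid
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
PLACEHOLDER = "https://temp.temp"  # temporary ACS URL / Audience from this guide

# Constructed, unsigned sample; the slug "atlassian" and all values are hypothetical.
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
 <saml:Issuer>https://authentik.company/application/saml/atlassian/metadata/</saml:Issuer>
 <saml:Subject><saml:NameID>ada@company.example</saml:NameID><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="https://auth.atlassian.com/login/callback?connection=saml-example"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://auth.atlassian.com/saml/example</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="{CLAIMS}name"><saml:AttributeValue>6f1c2b9e-5d3a-4c1e-9b7a-2e8d4f0a1c35</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, issuer, acs_url, audience):
    """Return findings; an empty list means the assertion matches the guide's settings."""
    root = ET.fromstring(xml_text)
    text = lambda tag: root.findtext(f".//saml:{tag}", default="", namespaces=NS).strip()
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
             for a in root.iterfind(".//saml:Attribute", NS)}
    conf = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = conf.get("Recipient", "") if conf is not None else ""
    findings = []
    if PLACEHOLDER in (recipient, text("Audience")):
        findings.append("provider still uses the https://temp.temp placeholder")
    if text("Issuer") != issuer:
        findings.append("Issuer differs from the Identity provider Entity ID")
    if recipient != acs_url:
        findings.append("Recipient differs from the Atlassian ACS URL")
    if text("Audience") != audience:
        findings.append("Audience differs from the Service provider entity URL")
    if "@" not in text("NameID"):
        findings.append("NameID is not an email address")
    try:  # the user ID mapping returns str(request.user.uuid)
        uuid.UUID(attrs.get(CLAIMS + "name", ""))
    except ValueError:  # an email address or display name ends up here
        findings.append("user ID attribute is not a UUID")
    if not attrs.get(CLAIMS + "givenname"):  # surname may be empty for one-word names
        findings.append("givenname attribute missing or empty")
    return findings
```

Pass the three values exactly as they appear in the Atlassian administrator portal; a non-empty result names the setting to revisit.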

Resources