Graphical Interface SSO

Enables or disables the login functionality of the plugin for the application UI:

always: Whenever you navigate to Confluence/Jira/Bitbucket and there is no local user session (when you're not logged in), the plugin will redirect to your configured OpenID-connect provider in order to get you logged in.

WARNING: Setting this option to always does not guarantee that no local logins can be used. There are ways to circumvent SSO even with this setting. Always make sure that there are no weak username/password combinations for local accounts.

WARNING: We recommend to copy and save the Emergency Access URL from tab Emergency Access before you activate the plugin in always mode. Otherwise you might lock yourself out of Jira/Confluence/Bitbucket.

optional: This option enables the users to choose between local Jira/Confluence/Bitbucket login and using the OpenID-connect provider for authentication. Selecting this is recommended when you want local users not registered with the OpenID-connect provider as well as centrally managed users to log in.

disabled: Selecting this will completely disable the login functionality of the plugin and fall back to Jira/Confluence/Bitbucket local login.

Automatic Login

This optional enables or disables the automatic login of users:

force login: Enabling this requires all users to log in via OpenID Connect SSO as soon as they visit the application. This is useful for scenario where your Confluence/Jira/Bitbucket instance should only be used by authenticated users. Please note that this prevents anonymous access to the application.

attempt automatic login: This option enables automatic login of users already authenticated with the OpenID Connect provider. Upon visiting the application users who are already logged in will be logged into Confluence/Jira/Bitbucket as well.

deactivate: This disables any auto-login functionality.

REST SSO

Enabling this option causes authentications on the /rest/* endpoints of Jira/Confluence/Bitbucket to be authenticated against the OpenID Connect provider. This method allows REST client to use SSO credentials. The available authentication methods are HTTP Basic Auth and os_username/os_password GET/POST parameters. See REST clients & authentication for setup instructions, possible problems and risks.

Disable WebSudo

This option disables the WebSudo protection mechanism for users logged in via OpenID Connect. This should only be enabled if you want Jira/Confluence/Bitbucket administrator accounts to be created by the plugin and prevent the local password prompt before performing administrative actions. In all other cases this option should remain disabled.

Issuer

The OpenID-connect issuer URL of your provider (http or https).
For Keycloak this would be http[s]://<kcserver>:<kcport>/auth/realms/<RealmName>.

You can validate this URL by checking http[s]://<kcserver>:<kcport>/auth/realms/<RealmName>/.well-known/openid-configuration. This URL displays a JSON configuration file that represents the OpenID-connect configuration of your realm. If you can't see this page, your discovery won't work either.

WARNING: It is strongly recommended to use https to secure the communication between the plugin and the OpenID-connect provider. Otherwise attackers might be able to change the configuration.

Discover Provider

With this magic button the plugin discovers all relevant configuration data from your OpenID-connect provider (by using the .well-known config mentioned above). Normally with discovery all necessary settings in the Advanced Settings tab will be configured for you and it won't be necessary to change them manually.

Client ID

This plugin is an OpenID-connect client. In order to use the plugin you have to create a client in Keycloak (→ OpenID Connect Client Creation in Keycloak) or the OpenID-connect provider of your choice. You may also choose to create a confidential client (with a client secret) to protect the access to the provider.

Client Secret

If you chose to create a confidential client, the client secret has to be entered here. Otherwise the plugin will not be able to use the OpenID-connect provider.

SSO Button Text

With this option you can choose the text to be displayed on the SSO buttons visible in the Jira/Confluence/Bitbucket login forms.

Logout Redirect URL

This is the URL where your browser will be redirected after logging out. This can be any landing page, login page, etc.. If this URL is not specified, the user will be redirected to the Jira/Confluence main page after logout.

Update User Info

When checked, the information for existing users will be updated on login. This currently includes the full name and email. The plugin will use the name and email claims in the ID token for these. If you want to use different fields in Keycloak to fill in these values see OpenID Connect Client Creation in Keycloak.

Create User on Login

When checked, the plugin will add new users to Jira/Confluence when they log in for the first time. Groups will be set according to the Groups Claim or the Default Groups depending on your configuration (→ User Creation & Group Management) and the preferred_username, name and email claims in the ID token will be used as username, full name and email (→ OpenID Connect Client Creation in Keycloak).

Custom Groups Claim

With this option you can select the claim in the access token used for group synchronisation and user creation. The claim has to be a string array with the group names as elements. If the claim does not exist the list of groups is assumed to be empty. For the preconfigured Keycloak provider client roles will be used as groups.

If this option is left blank the Default Groups are used for user creation and Update Group Memberships will be unavailable.

WARNING: Setting a Custom Groups Claim requires the access token to be a JWT. Non-JWT access tokens will result in an error on login. Keycloak is an OpenID Connect provider that serves JWT access tokens.

Update Group Memberships

When checked, the plugin synchronizes the groups from Keycloak and updates the group memberships of the user in Jira/Confluence/Bitbucket accordingly. For this the Custom Groups Claim option is used. If that option is left blank the Update Group Memberships option will be unavailable.

In Keycloak you can use custom claims map general roles to Jira/Confluence/Bitbucket groups. For the setup see User Creation & Group Management.

Create Groups

If enabled, groups given in Custom Groups Claim in the JWT access token that do not exist will be created. If disabled non-existent groups will be ignored.

Default Groups

These groups (separated by comma) will be used as initial groups for users created by the plugin on login (→ Create User on Login) when the Custom Groups Claim option is left blank. It is without effect when a Custom Groups Claim is specified.

Default Groups cannot be used for group synchronisation (→ Update Group Memberships).

Additional Groups

Does apply if certain groups are to be mapped to a user and the Custom Groups Claim is not present in the JWT access token.

Require Group Memberships

Enabling this option causes the creation of new users without any group memberships to be rejected. This applies to the groups from the access token Custom Groups Claim as well as the Default Groups described below.