Setup & Configuration
For the impatient: Plugin Setup with Keycloak
Add the steps involved:
Download the add-on from the marketplace or install the OBR file with the Universal Plugin Manager (UPM).
Once the add-on is installed, add your license.
Create a client in Keycloak (→ OpenID Connect Client Creation in Keycloak).
Go to the Preconfigured Providers configuration screen of the add-on, enter the Keycloak Base URL, Realm, Client ID and optionally Client Secret.
Check that Keycloak was discovered successfully.
Copy and/or remember the Emergency Access URL (from tab Emergency Access).
Activate the plugin by setting Enable/Disable to optional or always and saving – that´s it.
Preamble / Preface
All configurations described and shown here are working in the same way in our plugins for Confluence, Jira and Bitbucket (they share the same code base).
The configurations have been extensively tested against Keycloak (http://www.keycloak.org) as the OpenID Connect provider. Other OpenID Connect compliant providers should work for basic functionality, but a provider with JWT access tokens is required to use the group synchronisation feature of the plugin (Update Group Memberships; see User Creation & Group Management).
Visual setup and configuration guide
General Settings screen
Setting | Description |
---|---|
Graphical Interface SSO | Enables or disables the login functionality of the plugin for the application UI: always: Whenever you navigate to Confluence/Jira/Bitbucket and there is no local user session (when you're not logged in), the plugin will redirect to your configured OpenID-connect provider in order to get you logged in. WARNING: Setting this option to always does not guarantee that no local logins can be used. There are ways to circumvent SSO even with this setting. Always make sure that there are no weak username/password combinations for local accounts. WARNING: We recommend to copy and save the Emergency Access URL from tab Emergency Access before you activate the plugin in always mode. Otherwise you might lock yourself out of Jira/Confluence/Bitbucket. optional: This option enables the users to choose between local Jira/Confluence/Bitbucket login and using the OpenID-connect provider for authentication. Selecting this is recommended when you want local users not registered with the OpenID-connect provider as well as centrally managed users to log in. disabled: Selecting this will completely disable the login functionality of the plugin and fall back to Jira/Confluence/Bitbucket local login. |
Automatic Login | This optional enables or disables the automatic login of users: force login: Enabling this requires all users to log in via OpenID Connect SSO as soon as they visit the application. This is useful for scenario where your Confluence/Jira/Bitbucket instance should only be used by authenticated users. Please note that this prevents anonymous access to the application. attempt automatic login: This option enables automatic login of users already authenticated with the OpenID Connect provider. Upon visiting the application users who are already logged in will be logged into Confluence/Jira/Bitbucket as well. deactivate: This disables any auto-login functionality. |
REST SSO | Enabling this option causes authentications on the |
Disable WebSudo | This option disables the WebSudo protection mechanism for users logged in via OpenID Connect. This should only be enabled if you want Jira/Confluence/Bitbucket administrator accounts to be created by the plugin and prevent the local password prompt before performing administrative actions. In all other cases this option should remain disabled. |
Issuer | The OpenID-connect issuer URL of your provider ( You can validate this URL by checking WARNING: It is strongly recommended to use |
Discover Provider | With this magic button the plugin discovers all relevant configuration data from your OpenID-connect provider (by using the .well-known config mentioned above). Normally with discovery all necessary settings in the Advanced Settings tab will be configured for you and it won't be necessary to change them manually. |
Client ID | This plugin is an OpenID-connect client. In order to use the plugin you have to create a client in Keycloak (→ OpenID Connect Client Creation in Keycloak) or the OpenID-connect provider of your choice. You may also choose to create a confidential client (with a client secret) to protect the access to the provider. |
Client Secret | If you chose to create a confidential client, the client secret has to be entered here. Otherwise the plugin will not be able to use the OpenID-connect provider. |
SSO Button Text | With this option you can choose the text to be displayed on the SSO buttons visible in the Jira/Confluence/Bitbucket login forms. |
Logout Redirect URL | This is the URL where your browser will be redirected after logging out. This can be any landing page, login page, etc.. If this URL is not specified, the user will be redirected to the Jira/Confluence main page after logout. |
Update User Info | When checked, the information for existing users will be updated on login. This currently includes the full name and email. The plugin will use the name and email claims in the ID token for these. If you want to use different fields in Keycloak to fill in these values see OpenID Connect Client Creation in Keycloak. |
Create User on Login | When checked, the plugin will add new users to Jira/Confluence when they log in for the first time. Groups will be set according to the Groups Claim or the Default Groups depending on your configuration (→ User Creation & Group Management) and the preferred_username, name and email claims in the ID token will be used as username, full name and email (→ OpenID Connect Client Creation in Keycloak). |
Preconfigured Providers
Since version 1.3.1 the plugin has a tab for preconfigured OpenID Connect providers covering Keycloak and Google ID as well as Azure Identity since version 1.3.3. These providers can be set up with a simple wizard helping you configure the plugin with the required settings.
Group Settings
Since version 1.4.3 the plugin has a separate tab for group synchronisation settings. Here you can configure the default groups to add users to on creation or determine a claim in the access token from which the groups for the group synchronisation will be extracted.
Setting | Description |
---|---|
Custom Groups Claim | With this option you can select the claim in the access token used for group synchronisation and user creation. The claim has to be a string array with the group names as elements. If the claim does not exist the list of groups is assumed to be empty. For the preconfigured Keycloak provider client roles will be used as groups. If this option is left blank the Default Groups are used for user creation and Update Group Memberships will be unavailable. WARNING: Setting a Custom Groups Claim requires the access token to be a JWT. Non-JWT access tokens will result in an error on login. Keycloak is an OpenID Connect provider that serves JWT access tokens. |
Update Group Memberships | When checked, the plugin synchronizes the groups from Keycloak and updates the group memberships of the user in Jira/Confluence/Bitbucket accordingly. For this the Custom Groups Claim option is used. If that option is left blank the Update Group Memberships option will be unavailable. In Keycloak you can use custom claims map general roles to Jira/Confluence/Bitbucket groups. For the setup see User Creation & Group Management. |
Create Groups | If enabled, groups given in Custom Groups Claim in the JWT access token that do not exist will be created. If disabled non-existent groups will be ignored. |
Default Groups | These groups (separated by comma) will be used as initial groups for users created by the plugin on login (→ Create User on Login) when the Custom Groups Claim option is left blank. It is without effect when a Custom Groups Claim is specified. Default Groups cannot be used for group synchronisation (→ Update Group Memberships). |
Additional Groups | Does apply if certain groups are to be mapped to a user and the Custom Groups Claim is not present in the JWT access token. |
Require Group Memberships | Enabling this option causes the creation of new users without any group memberships to be rejected. This applies to the groups from the access token Custom Groups Claim as well as the Default Groups described below. |
Advanced Settings screen
In the case that you use a modified Keycloak installation or any other SSO provider that does not support the .well-known
OpenID-connect configuration endpoint, you can set your OpenID-connect endpoints here.
For a deeper explanation of these endpoints we recommend reading the specification at https://openid.net/specs/openid-connect-core-1_0.html.
Emergency Access
This screen is quite simple but very powerful. In case you misconfigured your OpenID-connect provider settings and will not be able to get a valid login, you can deactivate the plugin with the Emergency Disable URL. You should therefore copy and save this URL in a secure location.