Create or update users with data from a SAML response

Starting with version 0.14, users can be created and updated during the SAML login process.

If a user is created by the plugin, this user is tagged in the directory. Only users with this tag are updated on subsequent logins.

So if you have created the user within JIRA, or the user comes from an LDAP directory, the user is not updated even if the data in the SAML response differs from the stored user data. This especially applies to group memberships. So if you need to manage group memberships within JIRA yourself, create the user locally; the plugin will then leave it unchanged.

Configuration

  • Set up your Identity Provider to deliver attributes for userid, email address, full name and optional group assignments in the response.
    This is an example response for a user "camilla" with full name "Camilla the Chicken" and the email address "camilla@muppets.com":

    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://jira7sd.lab.inserve.local/plugins/servlet/samlsso" ID="_2d7d3fe5-a2a1-45b5-93de-a39e27d7ff2d" InResponseTo="ldjedifipldjoefccdnlomjmlebmmieomblnfopn" IssueInstant="2016-02-11T22:01:28.284Z" Version="2.0">
      <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://dc01.ad.lab.inserve.local/adfs/services/trust</Issuer>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_958e90f3-5d10-4d92-b376-45b9bb6db68d" IssueInstant="2016-02-11T22:01:28.284Z" Version="2.0">
        <Issuer>http://dc01.ad.lab.inserve.local/adfs/services/trust</Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          ...
        </ds:Signature>
        <Subject>
          <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData InResponseTo="enefpfnmgckjadiephjbdhacakigkiooonkonjgl" NotOnOrAfter="2016-02-11T22:27:46.519Z" Recipient="https://jira7sd.lab.inserve.local/plugins/servlet/samlsso"/>
          </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2016-02-11T22:22:46.503Z" NotOnOrAfter="2016-02-11T23:22:46.503Z">
          <AudienceRestriction>
            <Audience>https://jira7sd.lab.inserve.local/plugins/servlet/samlsso</Audience>
          </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
          <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
            <AttributeValue>camilla</AttributeValue>
          </Attribute>
          <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
            <AttributeValue>Camilla the Chicken</AttributeValue>
          </Attribute>
          <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
            <AttributeValue>camilla@muppets.com</AttributeValue>
          </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2016-02-11T21:43:25.002Z">
          <AuthnContext>
            <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
          </AuthnContext>
        </AuthnStatement>
      </Assertion>
    </samlp:Response>
  • Install the plugin
  • Go to the plugin configuration page.
  • Enter or select the SAML attribute names delivered by the IdP for Userid, Full Name, Email and Group. If you have imported metadata containing friendly names for these attributes, you can use the select boxes.
  • Scroll down and check the "Create or update users" checkbox.
  • Scroll down and fill the Groups field with an appropriate group name (e.g. jira-core-users). Newly created users will always be assigned to this group, no matter what groups are delivered by the IdP.

    This field does not apply to JIRA Service Desk Customers.

  • Click Save.
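The following is an added example, not the plugin's own code, showing how the pieces above fit together: the attribute names configured for Userid, Full Name, Email and Group are applied to the attributes of the response, the assertion's Conditions (validity window and Audience, both present in the sample response above) are checked before any attribute is trusted, and the provisioning rules from the top of the page are applied: a user created from SAML is tagged, only tagged users are updated on later logins, and newly created users always receive the configured default group in addition to whatever groups the IdP sends. The group claim name, the in-memory "directory", the timestamp format and the decision to keep the default group on updates as well are assumptions of this example; the sample response is the page's response trimmed down, with a constructed group attribute added. Signature verification, which a real plugin must perform before reading any attribute, is deliberately out of scope here.

```python
"""Added example (not the plugin's code): map SAML attributes to a user and
apply the page's create/update rules for tagged users."""
from dataclasses import dataclass, field
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed plugin configuration: attribute names for Userid / Full Name /
# Email / Group (group claim name is an assumption) and the Groups field.
ATTRIBUTE_MAPPING = {
    "userid": "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
    "fullname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "group": "http://schemas.xmlsoap.org/claims/Group",
}
DEFAULT_GROUPS = {"jira-core-users"}
EXPECTED_AUDIENCE = "https://jira7sd.lab.inserve.local/plugins/servlet/samlsso"

# Constructed sample: the page's response, trimmed, plus a group attribute.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
    <Issuer>http://dc01.ad.lab.inserve.local/adfs/services/trust</Issuer>
    <Conditions NotBefore="2016-02-11T22:22:46.503Z" NotOnOrAfter="2016-02-11T23:22:46.503Z">
      <AudienceRestriction><Audience>https://jira7sd.lab.inserve.local/plugins/servlet/samlsso</Audience></AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
        <AttributeValue>camilla</AttributeValue></Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <AttributeValue>Camilla the Chicken</AttributeValue></Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <AttributeValue>camilla@muppets.com</AttributeValue></Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <AttributeValue>muppets</AttributeValue><AttributeValue>chickens</AttributeValue></Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""


@dataclass
class DirectoryUser:
    userid: str
    fullname: str
    email: str
    groups: set = field(default_factory=set)
    created_by_saml: bool = False  # the "tag" the page describes


def parse_saml_time(value):
    # Assumed format: millisecond-precision UTC with trailing Z, as in the sample.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def check_conditions(assertion, now, audience):
    """Reject an assertion outside its validity window or meant for another SP."""
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if not parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if audience not in audiences:
        raise ValueError("assertion not issued for this service provider")


def extract_attributes(response_xml, now, audience=EXPECTED_AUDIENCE):
    """Return {attribute name: [values]} from the single assertion of a Success response."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("SAML response status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    check_conditions(assertions[0], now, audience)
    attrs = {}
    for attr in assertions[0].findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def map_attributes(attrs, mapping=ATTRIBUTE_MAPPING):
    """Apply the configured attribute names; userid, full name and email are required."""
    def single(key):
        values = attrs.get(mapping[key], [])
        if len(values) != 1 or not values[0].strip():
            raise ValueError(f"attribute for {key} missing or not single-valued")
        return values[0].strip()
    return {"userid": single("userid"), "fullname": single("fullname"),
            "email": single("email"),
            "groups": set(attrs.get(mapping["group"], []))}  # group is optional


def provision(directory, saml_user, default_groups=DEFAULT_GROUPS):
    """Create or update the directory entry per the page's rules; return the action taken."""
    existing = directory.get(saml_user["userid"])
    if existing is None:
        directory[saml_user["userid"]] = DirectoryUser(
            userid=saml_user["userid"], fullname=saml_user["fullname"],
            email=saml_user["email"],
            groups=saml_user["groups"] | default_groups,  # defaults always added
            created_by_saml=True)
        return "created"
    if not existing.created_by_saml:
        return "unchanged"  # local or LDAP user: SAML data is not applied
    existing.fullname = saml_user["fullname"]
    existing.email = saml_user["email"]
    # Assumption of this example: default groups are kept on update as well.
    existing.groups = saml_user["groups"] | default_groups
    return "updated"
```

Calling `provision(directory, map_attributes(extract_attributes(SAMPLE_RESPONSE, now)))` on an empty directory creates the tagged user "camilla" in `muppets`, `chickens` and `jira-core-users`; a second login with different attributes updates her, while the same call for a user that exists without the tag returns "unchanged" and leaves the record untouched, which is the behaviour the page describes for users created in JIRA or coming from LDAP.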