re:solution vs Atlassian Data Center SAML SSO

Spot Every Difference

resolution’s SAML SSO offers endless options to customize your configuration, while Atlassian’s preinstalled SSO is a one-size-fits-all.

But don’t take our word for it – the truth is in the details.

Use this guide to explore how you can solve your specific needs and make the best decision for your Data Center environments.

I cannot express enough how much I appreciate how much heavy lifting these scripts do, but our team is only 2 people, and we manage 6 prod instances completely end-to-end (Tier 1-4) for ~5000 users. You enable a tiny team to deliver big things.
Timothy Ryner, National Geospatial-Intelligence Agency

1. Setup

Guided Configuration

Easily configure your SAML SSO, guided by setup wizard
Identity Specific guides for major providers

Manual configuration only, without IdP specific guides

Setting up IdP via Metadata

Reload Metadata automatically based on a configurable interval to avoid interruptions due to expired certificates
SAML IdPs with HTTP POST and REDIRECT bindings are supported

Metadata is not supported
Certificates must be modified manually after expiration
Only SAML IdPs with HTTP POST binding are supported

Single Logout

Ability to logout user from IdP and other Applications when logging out of the Atlassian applications
Ability to honor logout requests from IdP when the user logged out of other application

Not supported
Logout only terminates the Atlassian session
Logging out from IdP or via IdP does not close the Atlassian applications (potential security risk)

2. Additional Login Protocols

OpenID Connect (OIDC)

Presets for the IdPs
Automatic metadata url
Fully compatible with User Sync Provisioning or Just in Time
Supports Single Logout

Metadata is fetched from the resource url
Only compatible with Just in Time provisioning

Social Login

With social login, big projects can be open to the public and anybody can join them using their existing social identities

Social logins with Atlassian Cloud, facebook, Linkedin, github, and Apple
OAuth2 logins can be connected
Enable Just in Time provisioning with a custom button

Not provided

3. User Provisioning

Choose User Creation & Update Method

3 methods for provisioning users:

Just-in-Time (JiT) Provisioning Creating the User based on values from the SAML-response during login.
User Sync-Connector Synchronize individual users as they login or synchronize entire directories ahead of time. Supports filtering options.
Hybrid – Update with the User Sync connector and apply SAML attributes Can combine the best of both worlds – information from User Sync & from the SAML response

Note: With any of these methods, user accounts in the Atlassian application can be searched by any attributes other than just Username (i.e., external ID or email address).

Read More

Update/Create a user with Just-in-Time provisioning
Search user account by Username only

Attribute mapping & transformation for users and groups

Map and match any IdP attribute to any local attribute into Confluence Profiles, including for example location or phone
Attributes can be modified ( “transformed”) according to rules i.e., domain names removed, attributes combined, alternatives chosen – custom logic with Groovy scripts is supported
Integrations with popular Apps like LinchPin User Profile, Scriptrunner, etc.
Distinguishes between users created with SAML and local users for JiT update
Choose the directory where new users should be stored

Only Display Name, EMail obtained from the SAML response during Just in Time(JiT) Provisioning.

No modifications or transformations are possible

Advanced Group Settings

Option to switch on/off automatic group creation & group membership removal
Assign default groups with a dropdown Menu
Configure Jira Service Desk Groups & Organisation

Groups are created and removed during login automatically (can’t be configured)
No user interface available, happens by default without being configurable

4. User Synchronization

User Synchronization

Further Examples (click to enlarge):

User Sync can synchronize users from multiple identity providers both ahead-of-time and on-schedule. It overcomes many limitations of “Just-in-Time” Provisioning and is the superior choice for many customers.

- User Name Transformation & Group Name Transformation
- Add attributes from the Identity Provider’s API and write them to the Atlassian Application’s fields or User Property values. Supports advanced mapping and transformation (see section 2)
- Configure how groups are sent from the IdP, and how to keep or overwrite local groups
- Easily write custom connectors to external cloud applications in Groovy
- Supports SCIM 2.0
- Synchronize Profile Pictures
- Sync large directories up to 20x faster with Server Side and Local Filtering. Applies when only a fraction of the cloud directories needs to be updated i.e., sync 3 of 100,000 groups in a 20,000 user instance.

Not supported

Groovy scripting

Further Examples (click to enlarge):

Transformations.
Examples:
– Remove special characters from the username
– SCIM: parse multiple attributes to find all email address that should be attached to that user
Add or remove attributes and groups based on conditions.
Example: Assign users to some local groups if they are member of some IdP group
Govern access control.
Example: Deny synchronization if the user seats exceed the current tier limit

Not supported

Sync simulations

Try out the results of a synchronization before actually running it
Visual flags by result per user

Not supported

Sync Result Browser (coming soon)

Further Examples (click to enlarge):

UI Viewer of any synchronization
Spot sync issues easily
UI substitute for the traditional JSON file containing every sync detail

Not supported

5. User Deactivation

Automatic User Deactivation

Combining Just-in-Time Provisioning with ‘Disable inactive user connector.’

Automatically deactivate multiple users
Automatically remove users from groups
Exclude members of specific groups from deactivation/ group removal
Filter users on last activity date and deactivate manually
Receive reports when users are deactivated

Manual user deactivation.

6. SSO Redirection

Regular Login On Demand

Enable Non-SSO (bypass SAML with a special link), for example for administration access
Unchecking the option disables password-based authentication
Redirection can be activated through both the user interface and REST requests

Redirection can be only activated with REST requests or database changes

SSO Redirection

Enable SSO redirections
Enable SSO redirections for Service Desk Customers
Define specific URLs that trigger SSO
Define specific URLs that do not trigger SSO
Define User-Agent headers that do not trigger SSO
Customizable buttons for redirection for each IdP configuration. I.e.: “Click here if you are a customer”, “Click here if you are contractor”

Enable SSO redirections
Enable SSO redirections for Service Desk Customers

7. Setup Identity Providers (IdP)

Configure Multiple IdPs and its User-Facing Content

Further Examples (click to enlarge):

Multiple IdPs can be configured in 4 ways to select IdP providers: choosing IdP by weight, by IdP selection page, by email address, by HTTP request headers. See examples above.
Fully customizable IdP Selection Page, using velocity templates to comply with corporate branding and improve user experience.
Provide customers flexibilities to handle scenarios, where some users need to login locally via Username/Passwords (e.g., Contractors) and others via one (or more) IdPs, some customers use > 100 IdPs.
Decide if you want to display buttons per IdP in the login page, and customize the button text if you want to.

When multiple IdPs are configured, they can only be selected by the user in the login page.
IdPs with an active toggle will be shown in the login page as an additional button.
The button text can be configured. No other customizations are possible.

8. Setup Service Provider

Signing and Encryption

Include Signing Certificate in Metadata
Include Encryption Certificate in Metadata
The plugin supports both signed authentication requests and encryption of assertions. The above settings allow those to be added to the metadata as well

Neither signed authentication requests nor encrypted SAML messages are supported

Want to stay upto date on the latest features for SAML SSO and how they compare to Atlassian’s built-in?

9. Advanced Settings

Remember-me Cookie

“Off” by default, but it can be activated if you need it

“On” by default (not an ideal security choice)

10. Customize User Facing Content

Setup Page Templates

All content our SSO app displayes to users is based on velocity templates. They can easily be adjusted via the app’s UI. For example:

IdP selection Page(s)
Error page
Logout page

Not supported

11. Export/Import Configuration

Reuse Existing Configuration

Export/import the configuration of an existing installation

Not supported

12. Support - Authentication Tracker

Debugging Tracker & In-app Support

Built-in Support facility – Authentication Tracker

History of all authentications in the last 48 hours
Usually, no separate logging is required – all usual debug/info messages, including SAML request & response are contained in an authentication tracker
Raise a support case straight from a tracker with the tracker & config being attached to the case

Not available

Book a call with our technical product experts

You want to see the apps in action. Perhaps you have started setting up the product and need help to better understand your options. Or maybe you need help configuring a complex scenario. Whatever the reason, our team will be happy to guide you.

Cookie	Duration	Description
_ga	1years 19days 23hours 59minutes	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_UA	1 minute	Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named `_dc_gtm_<property-id>`.
_gat_UA-44969175-9	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	23 hours 59 minutes	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
CONSENT	16 years 3 months 13 hours	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
b3e783bb62	session	This cookie is set by the provider Zoho. This cookie is used for collecting information on user interaction with the web-campaign content. This cookie helps the website owners to promote products and events on the CRM-campaign-platform.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_calendly_session	21 days	Store user preferences
_zcsr_tmp	session	Used for website security
1e5a17c8ab	session	No description available.
3eb9b21c5c	session	No description available.
4662279173	session	No description available.
AnalyticsSyncHistory	1 month	Used to store information about the time a sync with the lms_analytics cookie took place for users in the Designated Countries
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
d4bcc0a499	session	No description available.
li_gc	2 years	Used to store consent of guests regarding the use of cookies for non-essential purposes
m	2 years	No description available.
zft-sdc	12 hours	This cookie stores metadata ( entrances, source etc) of a session which is used by full tracking. (https://www.zoho.com/privacy/cookie-policy.html)
zps-tgr-dts	1 year	This cookie stores the session's metadata on your website.
zsc	30 minutes	Zoho Service Communication Key.

re:solution vs Atlassian Data Center SAML SSO

Spot Every Difference

1. Setup

Guided Configuration

Setting up IdP via Metadata

Single Logout

2. Additional Login Protocols

OpenID Connect (OIDC)

Social Login

3. User Provisioning

Choose User Creation & Update Method

Attribute mapping & transformation for users and groups

Advanced Group Settings

4. User Synchronization

User Synchronization

Groovy scripting

Sync simulations

Sync Result Browser (coming soon)

5. User Deactivation

Automatic User Deactivation

6. SSO Redirection

Regular Login On Demand

SSO Redirection

7. Setup Identity Providers (IdP)

Configure Multiple IdPs and its User-Facing Content

8. Setup Service Provider

Signing and Encryption

Want to stay upto date on the latest features for SAML SSO and how they compare to Atlassian’s built-in?

9. Advanced Settings

Remember-me Cookie

10. Customize User Facing Content

Setup Page Templates

11. Export/Import Configuration

Reuse Existing Configuration

12. Support - Authentication Tracker

Debugging Tracker & In-app Support

Book a call with our technical product experts

Don’t miss any news!