
Skyhigh Security

CASB SAML proxy integration with Forgerock IdP and Atlassian apps (Jira, Confluence, Bitbucket)

This guide walks you through setting up the SAML proxy integration between the Forgerock IdP, the Atlassian apps (Jira, Confluence, Bitbucket) and the Skyhigh cloud reverse proxy.

Prerequisites:

1. Skyhigh cloud reverse proxy is enabled for the Atlassian apps.

2. A functioning IdP with a valid SSL certificate and a DNS-resolvable hostname.

3. A working single sign-on setup without the Skyhigh cloud reverse proxy (direct SSO between the Atlassian apps and the Forgerock IdP).

(DO NOT PROCEED IF THE DIRECT CONNECTION BETWEEN FORGEROCK AND THE ATLASSIAN APP IS NOT WORKING)

Three steps are required to integrate the CASB reverse proxy with the Forgerock IdP and the Atlassian apps:

1. Skyhigh Dashboard configuration

2. IdP configuration (changes applied to the Forgerock IdP SSO configuration)

3. CSP configuration (changes applied to the SSO configuration of the Atlassian apps)

Step 1: Skyhigh Dashboard configuration

1. Configure a custom app in the Skyhigh dashboard and map any one activity using the custom app plugin (for example, the login activity).

2. Go to the Service Management section and select the name of the custom app.

3. Click Properties and add the properties shown in the screenshot.

[Screenshot]

4. Click Setup > Continue, then Edit on Configure SAML.

[Screenshot]

5. Upload the Forgerock IdP signing certificate received from the IdP team, then click Next.

[Screenshot]

6. Upload the SP certificate received from the application team (Atlassian).

[Screenshot]

7. Click Next.

8. Download the proxy certificate (it is used in the Atlassian app for the SAML integration).

[Screenshot]

Step 2: IdP configuration (Forgerock IdP)

1. Modify the ACS URL to use the reverse proxy hostname.

2. Modify the entityID value to use the reverse proxy hostname.

3. Both changes are made by editing the IdP profile XML file in the Forgerock IdP configuration.

Example reverse proxy hostname: jira.jiraprod.customertenant.myshn.net

Actual endpoint URL (ACS URL):

https://jira.abc.com/jira/plugins/servlet/saml/auth

Modified endpoint URL (ACS URL) to be set on the IdP:

https://jira.abc.com.jira.jiraprod.customertenant.myshn.net/jira/plugins/servlet/saml/auth?shnsaml

Actual Entity ID:

https://jira.abc.com/jira

Modified Entity ID to be set on the IdP:

https://jira.abc.com.jira.jiraprod.customertenant.myshn.net/jira

The same steps apply to the other Atlassian apps.

Step 3: CSP configuration (Atlassian apps)

1. Log in to the Atlassian app and navigate to the single sign-on configuration.

2. Update the single sign-on URL with the proxy hostname.

3. Update the IdP certificate with the CASB reverse proxy certificate (downloaded in step 1).

Actual single sign-on URL:

https://mylogin.abc.com/am/SSOPOST/metaAlias/customername/idpentityid

[Screenshot]

Modified single sign-on URL to be set on the CSP (example reverse proxy hostname: jira.jiraprod.customertenant.myshn.net):

https://jira.jiraprod.customertenant.myshn.net/domain-access?shnsaml-request=<urlencodedvalueofactualsinglesignonurl>

https://jira.jiraprod.customertenant.myshn.net/domain-access?shnsaml-request=https%3A%2F%2Fmylogin.abc.com%2Fam%2FSSOPOST%2FmetaAlias%2Fcustomername%2Fidpentityid

[Screenshot]

4. Replace the IdP certificate with the proxy certificate.

[Screenshot]

5. Save the changes.
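The URL rewrites from steps 2 and 3, as an added Python example that is not part of this guide or of Skyhigh's tooling: it derives the proxied ACS URL, entity ID and single sign-on URL from the guide's example values (replace the constants with your own) and runs a few consistency checks before the values are pasted into Forgerock and the Atlassian app. Appending the `shnsaml` marker to an ACS URL that already carries a query string is an assumption; the guide only shows the plain case.

```python
from urllib.parse import quote, urlsplit, urlunsplit

# Values from the guide's own examples (customer-specific; replace with yours).
PROXY_HOST = "jira.jiraprod.customertenant.myshn.net"
ACS_URL = "https://jira.abc.com/jira/plugins/servlet/saml/auth"
ENTITY_ID = "https://jira.abc.com/jira"
IDP_SSO_URL = "https://mylogin.abc.com/am/SSOPOST/metaAlias/customername/idpentityid"


def proxied_acs_url(acs_url: str, proxy_host: str) -> str:
    """ACS URL for the IdP: the app's hostname becomes a prefix of the proxy
    hostname and the ?shnsaml marker is appended (step 2 of the guide)."""
    p = urlsplit(acs_url)
    if p.scheme != "https" or not p.hostname:
        raise ValueError(f"expected an https URL with a hostname: {acs_url}")
    query = "shnsaml" if not p.query else f"{p.query}&shnsaml"  # assumption for URLs with a query
    return urlunsplit(("https", f"{p.hostname}.{proxy_host}", p.path, query, ""))


def proxied_entity_id(entity_id: str, proxy_host: str) -> str:
    """Entity ID for the IdP: same hostname rewrite, path left unchanged."""
    p = urlsplit(entity_id)
    if not p.hostname:
        raise ValueError(f"entity ID is not a URL with a hostname: {entity_id}")
    return urlunsplit((p.scheme, f"{p.hostname}.{proxy_host}", p.path, p.query, ""))


def proxied_sso_url(idp_sso_url: str, proxy_host: str) -> str:
    """SSO URL for the Atlassian app (step 3): the proxy's /domain-access
    endpoint with the original IdP SSO URL fully percent-encoded."""
    return f"https://{proxy_host}/domain-access?shnsaml-request={quote(idp_sso_url, safe='')}"


def consistency_problems(acs: str, entity_id: str, sso: str, proxy_host: str) -> list:
    """Checks to run before pasting the values into Forgerock and the app: all
    three URLs must use the same proxy tenant and the ACS and entity ID hosts
    must agree, or the IdP will not match the proxied request to the SP."""
    a, e, s = urlsplit(acs), urlsplit(entity_id), urlsplit(sso)
    problems = []
    if not (a.hostname or "").endswith("." + proxy_host):
        problems.append("ACS URL does not go through the proxy host")
    if a.hostname != e.hostname:
        problems.append("ACS URL and entity ID hostnames differ")
    if "shnsaml" not in a.query.split("&"):
        problems.append("ACS URL is missing the ?shnsaml marker")
    if s.hostname != proxy_host or s.path != "/domain-access":
        problems.append("SSO URL is not the proxy's /domain-access endpoint")
    return problems
```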
