When configuring an IDP, there are advanced settings available that allow for greater customization and control over the authentication and authorization process. Below are some of the features available under Advanced Settings for SSO.
Allow User Creation : Enabling the "Allow User Creation" feature lets the plugin create new users during the single sign-on login process. This is necessary because a user must already exist in Atlassian to be able to log in with SSO. When this feature is enabled, a user who does not yet exist is created automatically when they log in through SSO.
[ Note : User creation will not work for read-only directories by default. ]
User Directory : With this option, administrators can specify the user directory to use when creating new users through SSO. If a user is not found in Jira after a successful SSO login, a new user account is created in the selected user directory. A new directory can also be created by clicking the "Create Directory" button.
Certificate Rollover : With this option, administrators can specify a metadata URL at which the IDP's metadata certificate is regularly updated. The plugin automatically checks this URL and updates the stored IDP certificate as needed, so the configuration stays in sync with any changes made on the IDP side. Administrators can also choose the time interval after which the plugin calls the URL again.
Relay State : Relay State allows administrators to redirect users to a specific page/link after they successfully log in with SSO. To redirect users to the same page/link every time after SSO, select the Force Redirect option and provide the URL in the input box. If no relay state is received with the SSO request, this option can be used to redirect the user to any chosen page/link after SSO.
Validate IDP's SAML Response : This option permits slight differences between the timestamps in the IDP's SAML response and the SP's own clock, to accommodate various time zones and minor clock drift. Administrators specify the permissible difference in minutes. Any timestamp difference beyond this value causes the response to be treated as invalid.
Force Authentication : In the traditional SSO procedure, when a user tries to log in to the Service Provider (SP) and initiates the SSO flow, the user is redirected to the IDP. If the user already has an active session at the IDP, they are redirected back to the SP and logged in automatically. This can pose a security risk if the user's IDP session has been compromised or if the IDP's session timeout is set too high. When Force Authentication is enabled, the user is prompted to log in at the Identity Provider (IDP) even if they already have an active session there. This adds an extra layer of security to the SSO flow and helps protect your resources from unauthorized access.
Passive SSO : Passive SSO provides a more streamlined SSO flow for users who already have an active session at the Identity Provider (IDP). With Passive SSO enabled, users must already have an active IDP session before attempting an SSO login; otherwise, the IDP returns a failed SAML response and no authentication page is shown to the user. Passive SSO is particularly useful where users need to access protected resources quickly without re-entering their login credentials. By requiring an existing IDP session, the SAML SSO plugin can skip the interactive authentication step and provide a more seamless SSO experience.
Custom SP Entity ID : The Custom SP Entity ID feature provides greater flexibility in configuring your Service Provider (SP) settings. The SP Entity ID is the unique identifier for your SP in the SAML SSO flow, and by default the plugin generates it for you. With Custom SP Entity ID enabled, you can replace it with a customized URL of your choice. This is useful when you want your SP settings to match your organization's branding or naming conventions, and it simplifies SAML SSO configuration by letting you use a URL that is easy to remember and identify. To use the feature, enable the option in the SAML SSO plugin and enter the custom URL; the plugin then generates the new SP Entity ID from it. This SP Entity ID identifies your SP in the SAML SSO flow and appears in the SAML responses sent by the IDP.
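As an added example (not the miniOrange plugin's own code), the following Python checks the Conditions of a SAML assertion the way the "Validate IDP's SAML Response" and SP Entity ID settings above imply: NotBefore/NotOnOrAfter are compared against the SP clock with a configurable skew in minutes, and the Audience is compared with the SP Entity ID. The assertion, entity ID and clock values are constructed for illustration.

```python
# Added example: validate a SAML assertion's <Conditions> with a clock-skew
# tolerance in minutes and an Audience check against the SP Entity ID.
# Sample assertion, entity ID and clock values are constructed, not real.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_ts(value):
    # SAML timestamps are xs:dateTime in UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_conditions(assertion_xml, sp_entity_id, now, skew_minutes):
    """Return (True, "ok") if the Conditions are valid for this SP at `now`,
    allowing `skew_minutes` of clock difference in either direction."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "missing Conditions"
    skew = timedelta(minutes=skew_minutes)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    # Our clock may lag the IDP: accept if now + skew reaches NotBefore.
    if not_before and now + skew < parse_ts(not_before):
        return False, "assertion not yet valid (NotBefore)"
    # Our clock may lead the IDP: reject only once now - skew has passed expiry.
    if not_on_or_after and now - skew >= parse_ts(not_on_or_after):
        return False, "assertion expired (NotOnOrAfter)"
    # The Audience must name this SP; an assertion issued for another SP is rejected.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS) if a.text]
    if audiences and sp_entity_id not in audiences:
        return False, "SP Entity ID not in Audience"
    return True, "ok"


# Constructed sample values (hypothetical, not from a real IDP or Jira instance).
SP_ENTITY_ID = "https://jira.example.com/plugins/servlet/saml/metadata"
SP_CLOCK = datetime(2024, 1, 1, 11, 58, 0, tzinfo=timezone.utc)  # 2 min behind NotBefore
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://jira.example.com/plugins/servlet/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    print(validate_conditions(SAMPLE_ASSERTION, SP_ENTITY_ID, SP_CLOCK, skew_minutes=3))
    print(validate_conditions(SAMPLE_ASSERTION, SP_ENTITY_ID, SP_CLOCK, skew_minutes=1))
```

With a 3-minute tolerance the 2-minute lag is accepted; with a 1-minute tolerance the same assertion is rejected as not yet valid.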