# Setting up MIRACL Trust SSO as an Identity Provider Within Bamboo

These instructions are up-to-date at the time of writing, but you should refer back to the Bamboo page on SAML IdP access to check for any changes. We cannot guarantee the accuracy of our SP-specific guidance.

  1. Visit Atlassian Marketplace to get SAML Single Sign-On for Bamboo (trial version):


  2. Sign up for an Evaluation License with your organisation name:


  3. Click on the Generate License button. A page is displayed with your license key.


  4. Click on the Download button. The file SAML4Bamboo-1.8.7.jar is downloaded to your default file location.

  5. Open your Atlassian application and log in.

  6. Navigate to the administration section. You may need to log in again (as administrator).

  7. Choose Add-Ons. The ‘Manage add-ons’ page is displayed.


  8. Click on the Upload add-on link and upload the jar file:


  9. Click on SAML Single Sign-On for Bamboo under ‘User-installed add-ons’.

  10. Select the add-on entry and copy and paste the license key into the license box for your add-on.

  11. Click on Configure in the ‘Settings’ menu. The following dialog box is displayed:


  12. Complete the fields as below:

    • Show the login Button - checked
    • Login Button Title - enter ‘Login using SAML IdP Server’
    • SAML Endpoint - auto-populated based on your Bamboo instance details
    • Identity Provider XML - copy and paste contents of http://<yourssoip>/metadata into the text box
    • SP Entity ID - URI of your Bamboo instance, same as first part of SAML Endpoint (before /plugins/servlet/saml/auth)
    • Max. Authentication Age - set to default of ‘7200’
    • Force SAML login - unchecked
    • Create User - unchecked
    • SAML User Id field - enter ‘NameID’
    • SAML User Name Field - enter ’name’
    • SAML User Email Field - enter ’email’
    • SAML User Groups Field - enter ’eduPersonAffiliation'
    • Default Usergroup(s) - enter the name of your default user group

    When changing the config of the add-on, it seems that the changes do not take effect until it is restarted or Bamboo itself is restarted. To restart the add-on, go to ‘Manage add-ons’ in the Bamboo admin settings screen. Choose, ‘Disable’, and then ‘Enable’. Note that configuration settings are not lost when the add-on is disabled.

# Configuring Your Bamboo Service Provider Profile With MIRACL Trust SSO

  1. Edit /etc/miracl-sso/service_providers/bamboo.yaml:

        description: Bamboo
        name: Bamboo
        relay_state: ""
        metadata: >-
          <?xml version="1.0" encoding="UTF-8"?>
          <!-- bamboo doesnt provide a link to download its sp metadata, so
                this is hand-crafted -->
          <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="">
            <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" index="0"/>
        sign_response: true
        sign_assertion: false
        encrypt_assertion: false
        - search: ^([^@]+)@[^@]+$
          replace: $1
        - - email: ^[^@]$
          attribute: empty
  2. Note that the name under which the SP is registered in the sp section is used to create your IdP-initiated login url, i.e. https://<yourssoip>/login/bamboo.

  3. Update the SP login_url and logout_url entries with the correct information retrieved from Bamboo admin panel.

  4. Edit the metadata. Use the content from the example, but update the SP URL within entityID and location. These two items are http://<yourbamboospurl> and http://<yourbamboospurl>/plugins/servlet/saml/auth respectively.

    Note that, if you are using JSON format for your config file, the handcrafted metadata above must be saved as an xml file; then converted to a single line with the " characters escaped with \ to meet the json structure requirements. This can be achieved by running the following command on the e.g. metadata.xml file:

    echo -e "\n"$(cat metadata.xml | tr -d '\n' | sed -E 's/"/\\"/g')"\n"

    The contents then are output in the terminal in a format that can be pasted into the metadata field of a JSON file.

  5. Under user_id_transform, you’ll find a function that adjusts for a limitation within Bamboo in which email addresses are not allowed as usernames. The regex ‘search’ looks for the email address, and ‘replace’ with $1 means that only the first value - the email prefix - is used. So, for example, becomes john.smith.

  6. In the authorize subsection, you can control what users are allowed to attempt login by following one or both of the below steps:

    • Call up an LDAP setup from an ldap.yaml file stored in /etc/miracl-sso/integrations.
    • Configure a regex list of email addresses/domains. The above config shows an example of how you would use email: ^[^@]$" to only allow users from a certain email domain to login.

    Note that if this is not set correctly, you receive ‘unauthorized user’ messages.

    For more detailed info on using LDAP, API and/or regex to control authorized users, please see the authorization menu section.

  7. Save and close the file.

  8. In your /etc/miracl-sso/config.yaml file make sure you add bamboo.yaml to the list of includes:

      - core.yaml
    # service providers
      - service_providers/bamboo.yaml
  9. As always after config changes, restart the server.

  10. Now your service is configured, you can visit https://<yourssoip>/login/bamboo or https://<yourssoip>/services to log in to the service using IdP-initiated login, or visit the Bamboo login page and SP-initiated login are triggered automatically.

  11. You are able to login using the in-browser PIN pad or with the MIRACL Trust app. When logging in to your SSO service for the first time you are asked to register an email address so as to confirm your identity and register you as a user.