The Atlassian Cloud integration configures 1Kosmos as a SAML 2.0 identity provider through Atlassian Administration, applying biometric authentication across all products including Jira, Confluence, Bitbucket, and Statuspage for users on verified domains.
Integration type: SSO
Overview
1Kosmos integrates with Atlassian Cloud as a SAML 2.0 identity provider through Atlassian Administration (admin.atlassian.com). When configured, the SSO policy applies to all Atlassian Cloud products under the organization, including Jira, Confluence, Bitbucket, and Statuspage. Users on verified domains who attempt to sign in are redirected to 1Kosmos for biometric authentication and returned to their Atlassian session.
This configuration requires an Atlassian Guard Standard subscription (formerly Atlassian Access), a verified organization domain, and an identity provider directory linked to that domain. Once 1Kosmos is configured as the IdP, the SAML SSO policy is enforced through Atlassian's authentication policy settings, which allow gradual rollout by applying the policy to selected user groups before organization-wide enforcement.
Users must exist in the Atlassian organization before SSO is enforced. Atlassian supports just-in-time (JIT) provisioning, which automatically creates Atlassian accounts for users who authenticate through 1Kosmos for the first time, as long as their domain is linked to the IdP directory.
Prerequisites
Active 1Kosmos tenant: Community administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.
Atlassian Guard Standard subscription: Required to configure SAML SSO in Atlassian Administration. Guard Standard is included with Atlassian Enterprise plans.
Atlassian organization with verified domain: At least one domain must be verified in Atlassian Administration before SSO can be configured. Accounts using email addresses from verified domains become managed by the organization.
Atlassian administrator fallback account: Create an admin account using an email address from an unverified domain before configuring SSO. This account will not be subject to the SAML policy and provides a fallback if SSO is misconfigured.
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.
Configuration values
Values to collect from 1Kosmos AdminX (IdP) for Atlassian:
| Field | Where to find it |
|---|---|
| IdP SSO URL (Sign-On URL) | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| IdP Entity ID | AdminX → Settings → IdP Configuration → Core Configuration |
| Signing Certificate (x.509 PEM) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |
Values to collect from Atlassian Administration (SP) for AdminX:
| Field | Where to find it |
|---|---|
| SP Entity ID (Audience URI) | Atlassian Administration → Security → Authentication policies → Set up SAML → SP Entity ID field |
| ACS URL | Same SAML configuration screen; labeled Assertion Consumer Service URL |
| Unique ID | The alphanumeric string at the end of the SP Entity ID (e.g., if Entity ID is https://auth.atlassian.com/saml/a1b2c3d4, the Unique ID is a1b2c3d4) |
Integration steps
Step 1: Create the fallback admin account
Before making any SSO changes, create an Atlassian account using an email address on a domain that is NOT verified in your Atlassian organization.
Grant this account system administrator rights. This account will bypass the SAML policy and allow recovery if SSO is misconfigured.
Step 2: Start the SAML configuration in Atlassian Administration
Log in to admin.atlassian.com and select your organization.
Navigate to Security → User security → Authentication policies.
Select or create the policy you want to configure SSO for and click Set up SAML single sign-on.
On the Add SAML details screen, copy the SP Entity ID and ACS URL values displayed. You will need these for AdminX. Click Next to proceed without saving SAML yet.
Step 3: Add Atlassian as a SAML application in AdminX
Log in to the AdminX portal and navigate to Applications → Add Application.
Scroll to Custom App, select SAML 2.0 Generic, and click Add integration.
Enter "Atlassian" as the Application Name, set Instance to Production, and enter https://[your-subdomain].atlassian.net as the Application Access URL. Click Next.
Set the NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID Value to email.
Add claims mappings for email (Username), firstname (first_name), and lastname (last_name). Click Next.
Enter the Atlassian SP Entity ID as the Entity ID in AdminX, and the ACS URL as the Assertion Consumer Service URL with Method set to POST. Enable Assertion signing. Click Save.
Step 4: Enter 1Kosmos IdP details in Atlassian Administration
Return to the Atlassian SAML configuration screen in admin.atlassian.com.
Enter the 1Kosmos SSO URL in the Identity provider SSO URL field.
Enter the 1Kosmos Entity ID in the Identity provider Entity ID field.
Paste the 1Kosmos x.509 signing certificate into the Public x.509 certificate field.
Click Save configuration.
Step 5: Link a domain to the IdP directory
On the next screen, select the verified domain you want to associate with the 1Kosmos IdP directory.
Click Stop and save SAML to complete the configuration without immediately enforcing SSO.
Step 6: Enforce SSO in the authentication policy
Return to Security → Authentication policies and select the policy you configured.
Click Enforce single sign-on. This will require all managed users in this policy to authenticate through 1Kosmos.
To roll out gradually, apply the policy to a subset of users or a test group before enforcing organization-wide.
Step 7: Test the integration
Open an incognito browser window and navigate to your Atlassian product URL (e.g., your-org.atlassian.net).
Enter a managed user's email address. You will be redirected to the 1Kosmos login screen.
Open the 1Kosmos mobile app, scan the QR code, and complete biometric authentication.
Confirm the user is returned to the Atlassian product and has the correct access.
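When the Step 7 test fails, comparing a decoded SAML response (for example, one captured with a browser SAML tracer) against the values entered in Steps 3 and 4 usually locates the mismatch. The following Python check is an added example, not 1Kosmos or Atlassian code; the ACS URL, IdP Entity ID, domain and sample response are constructed placeholders, and it checks structure only, without verifying the signature.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def unique_id(sp_entity_id):
    """Trailing segment of the SP Entity ID (the 'Unique ID' in the table above)."""
    return sp_entity_id.rstrip("/").rsplit("/", 1)[-1]

def check_response(xml_text, cfg):
    """List mismatches between a decoded SAML Response and the configured values.
    Structural checks only: the XML signature is NOT cryptographically verified."""
    root = ET.fromstring(xml_text)
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no Assertion element (encrypted or malformed response)"]
    problems = []
    def expect(label, got, want):
        if got != want:
            problems.append(f"{label}: got {got!r}, expected {want!r}")
    expect("Destination", root.get("Destination"), cfg["acs_url"])
    expect("Issuer", assertion.findtext("a:Issuer", None, NS), cfg["idp_entity_id"])
    expect("Audience", assertion.findtext(".//a:Audience", None, NS), cfg["sp_entity_id"])
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None:
        return problems + ["no NameID in Subject"]
    expect("NameID Format", name_id.get("Format"), EMAIL_FMT)
    email = (name_id.text or "").strip()
    if email.rpartition("@")[2].lower() not in cfg["verified_domains"]:
        problems.append(f"NameID {email!r} is not on a verified domain")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is unsigned (is Assertion signing enabled in AdminX?)")
    names = {a.get("Name") for a in assertion.iterfind(".//a:Attribute", NS)}
    for missing in sorted({"first_name", "last_name"} - names):
        problems.append(f"missing attribute {missing}")
    return problems

CFG = {"acs_url": "https://sp.example.test/acs",                    # constructed placeholder
       "idp_entity_id": "https://idp.example.test/saml",            # constructed placeholder
       "sp_entity_id": "https://auth.atlassian.com/saml/a1b2c3d4",  # example value from this page
       "verified_domains": {"example.test"}}                        # constructed placeholder
SAMPLE = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" Destination="{CFG['acs_url']}">
<a:Assertion><a:Issuer>{CFG['idp_entity_id']}</a:Issuer>
<a:Subject><a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.test</a:NameID></a:Subject>
<a:Conditions><a:AudienceRestriction><a:Audience>{CFG['sp_entity_id']}</a:Audience></a:AudienceRestriction></a:Conditions>
<a:AttributeStatement><a:Attribute Name="first_name"/></a:AttributeStatement></a:Assertion></p:Response>"""
```

Running `check_response(SAMPLE, CFG)` on the constructed sample reports the wrong NameID Format, the missing assertion signature, and the missing last_name attribute.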
Attribute mappings
| Source (1Kosmos) | Target (Atlassian) | Description |
|---|---|---|
| user.email | NameID (emailAddress) | Primary SSO identifier; must match the managed Atlassian account email |
| user.firstName | first_name | User first name |
| user.lastName | last_name | User last name |
Integration notes
One SAML configuration in Atlassian Administration applies to all Atlassian Cloud products under the organization. You do not need to configure SSO separately for Jira and Confluence.
Atlassian Guard Standard allows one identity provider per organization on the Standard tier; the Enterprise plan supports multiple identity providers.
If JIT provisioning is needed, link your verified domain to the IdP directory after completing the SAML configuration. JIT provisioning creates Atlassian accounts automatically on first login but requires the domain to be linked before it takes effect.

