
Jira & Confluence SSO

Configure OpenID Connect SSO for Atlassian Jira Software and Confluence Data Center using the Atlassian SSO for Jira and Confluence (SAML/OIDC) plugin or the built-in SSO in Data Center editions. A single Clavex client registration covers both products when they share the same Crowd user directory.

Data Center vs Cloud: This guide covers Jira/Confluence Data Center (self-managed). For Atlassian Cloud, SSO is configured at the organization level via admin.atlassian.com and uses SAML — see the Azure AD SAML guide as a reference.

Prerequisites


Step 1 — Register OIDC Client in Clavex

One client covers both Jira and Confluence if they run on the same domain or if you add multiple redirect URIs:

Admin API (curl)
# The Authorization header uses double quotes so the shell expands $ADMIN_TOKEN
$ curl -X POST https://id.acme.eu/api/v1/organizations/acme/clients \
    -H "Authorization: Bearer $ADMIN_TOKEN" \
    -H 'Content-Type: application/json' \
    -d '{
      "client_id": "atlassian",
      "client_name": "Jira + Confluence",
      "grant_types": ["authorization_code", "refresh_token"],
      "redirect_uris": [
        "https://jira.acme.eu/plugins/servlet/oidc/callback",
        "https://confluence.acme.eu/plugins/servlet/oidc/callback"
      ],
      "scopes": ["openid", "profile", "email", "groups"],
      "token_endpoint_auth_method": "client_secret_post"
    }'

Step 2 — Configure SSO Plugin (miniOrange)

  1. Install miniOrange OAuth/OIDC Single Sign On from Atlassian Marketplace
  2. Go to Jira Administration → miniOrange SSO → Configure OIDC
  3. Select Custom OIDC and enter:

    | Field | Value |
    |---|---|
    | Display Name | Sign in with Clavex |
    | Client ID | atlassian |
    | Client Secret | cs_xxxxxxxxxxxxxxxx |
    | Discovery Endpoint | https://id.acme.eu/acme/.well-known/openid-configuration |
    | Scope | openid profile email groups |
    | Username Attribute | preferred_username |
    | Email Attribute | email |
    | First Name Attribute | given_name |
    | Last Name Attribute | family_name |
    | Group Attribute | groups |

  4. Repeat for Confluence (use the same client ID and secret)

Step 3 — Attribute Mapping and Group Sync

In the miniOrange plugin, configure Group Mapping:

| Clavex group claim value | Jira group / Confluence space |
|---|---|
| jira-administrators | Jira group: jira-administrators |
| jira-software-users | Jira group: jira-software-users |
| confluence-users | Confluence group: confluence-users |

Step 4 — Built-in Jira DC SSO (Jira 9.4+)

If using the built-in SSO in Jira Data Center ≥ 9.4, configure via jira-config.properties:

jira-config.properties
jira.sso.oidc.enabled=true
jira.sso.oidc.issuer=https://id.acme.eu/acme
jira.sso.oidc.clientId=atlassian
jira.sso.oidc.clientSecret=cs_xxxxxxxxxxxxxxxx
jira.sso.oidc.scope=openid profile email groups
jira.sso.oidc.usernameAttribute=preferred_username

Troubleshooting

| Symptom | Cause | Fix |
|---|---|---|
| Users can't log in after SSO enabled | Plugin not configured for application access | In Jira → User Management → Application Access, ensure SSO users have application access |
| Groups not syncing from Clavex | Group attribute not mapped correctly | Verify groups scope is requested and Clavex groups match exactly the Jira group names |
| Plugin redirect fails with 400 | Redirect URI not registered for the application | Add the app's plugin callback URL to Clavex client redirect_uris |
| Avatar or display name not updated | User already exists with stale data | Enable Update user attributes on every login in the plugin settings |
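
The redirect URI, scope and group-name checks from the Troubleshooting table, plus an issuer comparison, can be run offline before enabling SSO. This is an added example, not code from Clavex, the plugin or this guide: `preflight` and its inputs are hypothetical names, and the sample client, discovery and claim values are constructed from the settings shown above.

```python
# Added example, not Clavex or plugin code; sample values are constructed.
from urllib.parse import urlsplit

CALLBACK_PATH = "/plugins/servlet/oidc/callback"
REQUIRED_SCOPES = {"openid", "profile", "email", "groups"}
MAPPED_CLAIMS = ["preferred_username", "email", "given_name", "family_name", "groups"]
TARGET_GROUPS = {"jira-administrators", "jira-software-users", "confluence-users"}


def preflight(client, app_base_urls, expected_issuer, discovery, claims):
    """Return a list of findings; an empty list means no issue was found."""
    findings = []
    # OIDC compares redirect_uri as an exact string, so build each app's
    # callback and require an identical registered entry over https.
    registered = set(client.get("redirect_uris", []))
    for base in app_base_urls:
        callback = base.rstrip("/") + CALLBACK_PATH
        if urlsplit(callback).scheme != "https":
            findings.append(f"callback is not https: {callback}")
        if callback not in registered:
            findings.append(f"redirect URI not registered: {callback}")
    # Group sync needs the groups scope on the client (see Troubleshooting).
    missing = REQUIRED_SCOPES - set(client.get("scopes", []))
    if missing:
        findings.append(f"client is missing scopes: {sorted(missing)}")
    # The discovery document's issuer must equal the configured issuer.
    if discovery.get("issuer") != expected_issuer:
        findings.append(f"issuer mismatch: {discovery.get('issuer')!r}")
    # Every attribute the plugin maps must be present in the ID token claims.
    findings += [f"claim not in ID token: {n}" for n in MAPPED_CLAIMS if n not in claims]
    # Group values must equal the target group names exactly, case included.
    for group in claims.get("groups", []):
        if group not in TARGET_GROUPS:
            hint = " (case differs)" if group.lower() in TARGET_GROUPS else ""
            findings.append(f"group has no Jira match: {group}{hint}")
    return findings


# Constructed inputs mirroring Steps 1-4; one group differs only by case.
CLIENT = {"redirect_uris": ["https://jira.acme.eu/plugins/servlet/oidc/callback",
                            "https://confluence.acme.eu/plugins/servlet/oidc/callback"],
          "scopes": ["openid", "profile", "email", "groups"]}
CLAIMS = {"preferred_username": "jdoe", "email": "jdoe@acme.eu", "given_name": "J",
          "family_name": "Doe", "groups": ["jira-software-users", "Jira-Administrators"]}

if __name__ == "__main__":
    for finding in preflight(CLIENT, ["https://jira.acme.eu", "https://confluence.acme.eu/"],
                             "https://id.acme.eu/acme", {"issuer": "https://id.acme.eu/acme"}, CLAIMS):
        print("FINDING:", finding)
```

With the constructed inputs, the only finding is the group whose name differs from `jira-administrators` by case, which would leave that user without the mapped group.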