This diagram illustrates how identity provider-initiated SAML 2.0 SSO works for the users of Jira Align:
- The user browses to the organization's portal and selects the option to go to Jira Align. In your organization, the portal is typically a function of your identity provider (IdP) that handles the exchange of trust between your organization and Jira Align. For example, in Active Directory Federation Services, the portal URL is: https://ADFSServiceName/adfs/ls/IdpInitiatedSignOn.aspx
- The portal verifies the user's identity in your organization.
- The IdP portal generates a SAML authentication response that includes assertions that identify the user and include attributes about the user. The portal sends this response to the client browser.
- The client browser posts the SAML assertion to Jira Align's single sign-on endpoint. For SaaS, this is typically https://CUSTOMERNAME.agilecraft.com.
- Jira Align validates that both the SAML Response and the SAML assertion are signed, then reads the value of the NameID attribute from the SAML assertion to look up an existing Jira Align user by their email or their External ID field. If a matching user is found, the system logs them in. If no matching user is found, or if the SAML validation fails, Jira Align displays an error message with the cause of the failure.
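
The following is an added example, not Atlassian's code or Jira Align's implementation: a pre-flight check an administrator could run on the base64 SAMLResponse form value captured from their own IdP, to confirm the conditions in the last step (the Response and the Assertion each carry their own signature, and NameID is present). It checks structure only and does not verify signature values; the function names and the sample document are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signed_in_place(elem):
    """True if elem has its own ds:Signature child whose Reference URI is '#' + elem's ID."""
    ref = elem.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return ref is not None and bool(elem.get("ID")) and ref.get("URI") == "#" + elem.get("ID")

def preflight(saml_response_b64):
    """Structural check of a base64 SAMLResponse value. Returns (problems, name_id).
    Does NOT verify signature values; that needs the IdP certificate and an XML-DSig library."""
    xml = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:  # SAML messages should never carry a DTD
        return ["DTD present; refusing to parse"], None
    root = ET.fromstring(xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"], None
    problems = []
    if not signed_in_place(root):
        problems.append("Response: no signature over its own ID")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected 1 Assertion, found %d" % len(assertions)], None
    if not signed_in_place(assertions[0]):
        problems.append("Assertion: no signature over its own ID")
    name_id = (assertions[0].findtext("saml:Subject/saml:NameID", "", NS) or "").strip()
    if not name_id:
        problems.append("NameID is missing or empty")
    return problems, name_id or None

def sample(sign_response=True, sign_assertion=True, name_id="user@example.com"):
    """Constructed sample response (placeholder signature values, not a real IdP capture)."""
    sig = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
           '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')
    doc = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1">%s'
           '<saml:Assertion ID="_a1">%s<saml:Subject><saml:NameID>%s</saml:NameID>'
           '</saml:Subject></saml:Assertion></samlp:Response>') % (
        NS["samlp"], NS["saml"], NS["ds"], sig % "_r1" if sign_response else "",
        sig % "_a1" if sign_assertion else "", name_id)
    return base64.b64encode(doc.encode()).decode()

if __name__ == "__main__":
    print(preflight(sample()))
    print(preflight(sample(sign_response=False)))
```

An IdP configured to sign only the assertion, or only the response, shows up here as a listed problem before the login attempt reaches Jira Align.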