Configure RSA Cloud Authentication Service

1. Sign in to RSA Cloud Administration Console.
2. Click Authentication Clients > Relying Parties.

3. On the My Relying Parties page, click Add a Relying Party.

4. On the Relying Party Catalog page, click Add for Generic OIDC.
5. On the Basic Information page, enter the name for the Service Provider in the Name field.
6. Click Next Step.
7. On the Authentication page, choose SecurID Access manages all authentication.
8. In the Primary Authentication Method list, select your desired log in method as either Password or SecurID.
9. In the Access Policy list, select a policy that was previously configured.

10. Click Next Step.
11. Under Connection Profile, provide the following details:
    1. Authorization Server Issuer URL will be auto populated. This URL is used in the miniOrange configuration to form Authorize Endpoint URL, Token Endpoint URL and User Info Endpoint URL.
    2. Redirect URL will be Oauth Callback URL obtained from the miniOrange configuration.

3. Provide a Client ID.
4. Select Client Authentication Method as 'CLIENT_SECRET_BASIC'.
5. Provide a Client Secret or generate one by clicking Generate button.
6. Provide the scope as 'openid', 'profile', and 'email'. 

12. Click Save and Finish.
13. Click Publish Changes to save your settings. After publishing, your application will be enabled for SSO.

Notes

1. Navigate to Access > OIDC Settings > Scopes.
2. After adding all the desired scopes, click Save Settings.

Configure miniOrange Identity Broker

miniOrange as an Identity Provider

1. Log in to miniOrange admin console: https://login.xecurify.com/moas/login.
2. Go to Apps and click + Add Application.

3. In Choose Application Type, click Create App under the SAML/WS-FED application type.
4. Search for and select Atlassian Cloud (SAML) in the list. If it's not available, search for Custom and set up your application through Custom SAML App.
5. Enter the following values in the respective fields (you will receive these values after completing the Atlassian Cloud configuration).
   1. Custom Application Name: Provide any name.
   2. SP Entity ID or Issuer: You will receive this after configuring Atlassian Access App.
   3. Audience URI: Use the same value as SP Entity ID.
   4. ACS URL: You will receive this after configuring Atlassian Access App.

6. Ensure that Sign Response and Sign Assertion are both enabled.

7. Select the following values in the corresponding fields:
   1. Name ID: Select E-Mail Address.
   2. NameID Format: Select 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'.

8. Click Save.
9. Once the app is successfully created, select that app and then click Metadata to obtain the app’s metadata.
10. Since miniOrange is being used as a brokering service, go to Information required to authenticate via external IDPs section, and click Show Metadata Details.
11. After clicking Show Metadata Details, you will see the metadata details. You will need these details while configuring Atlassian Access App.

miniOrange as a Service Provider

1. Log in to miniOrange admin console: https://login.xecurify.com/moas/login.
2. From the left navigation bar, select Identity Providers, then click Add Identity Provider.
3. Select the OAuth 2.0 tab.
4. Enter the following values:
   1. IDP Name: Select Custom Provider.
   2. IDP Display Name: Choose any name.
   3. OAuth Callback URL: The callback URL obtained here is used in the RSA Cloud Authentication Service configuration.
   4. OAuth Authorize Endpoint: Use the Authorization Server Issuer URL obtained from the RSA Cloud Authentication Service + '/auth'. 
   5. OAuth Access Token Endpoint: Use the Authorization Server Issuer URL obtained from RSA Cloud Authentication Service + '/token'. 
   6. OAuth Get User Info Endpoint: Use the Authorization Server Issuer URL obtained from RSA Cloud Authentication Service + '/userinfo'.
   7. Client ID: Provide the client ID used in the RSA Cloud Authentication Service configuration.
   8. Client Secret: Provide the client secret used in the RSA Cloud Authentication Service configuration.
   9. Grant Type: Select Authorization Code Grant.

5. Ensure that Send client credentials in Header and Send Scope in Token Request both are both enabled.
6. Provide the Scope as openid profile email.

7. Click Save.

Configure Atlassian Cloud

Perform these steps to configure Atlassian Cloud:

1. Log in to Atlassian Cloud admin console: https://admin.atlassian.com/
2. Select your organization.

3. Navigate to the Security tab, select Identity providers from the left sidebar, and then click Choose on the Other provider section.
4. Enter any name in the Directory name field, then click Add.

5. Select Set up SAML single sign-on.

6. You will be redirected to the Add SAML details window. You can get these details from the metadata details section after configuring the miniOrange app:
   1. Identity provider Entity ID: This is the Identity provider Entity ID or Issuer obtained from the miniOrange Metadata.
   2. Identity provider SSO URL: This is the SAML Login URL obtained from the miniOrange Metadata.
   3. Public x509 certificate: Use the X.509 certificate obtained from the miniOrange Metadata.

7. Click Next.
8. Copy the displayed Service provider entity URL and Service provider assertion consumer service URL. You will need these details for configuring the miniOrange app.

9. To enable Single Sign-On (SSO) for managing user accounts, enter the desired domain name to link it with your identity provider. Click Next, then Save.

10. Set up the authentication policies by selecting Authentication policies from the left sidebar, then click Add policy.
11. Select a directory for your policy and enter the policy name.
12. Under Single sign-on, check the Enforce single sign-on checkbox.
13. Click the Members tab and click Add members.

14. Enter details and click Add Members. Single Sign On (SSO) will apply only to the added members.
15. When a user tries to log in to the Atlassian Cloud app, they will be redirected to RSA for authentication through the miniOrange broker.