
Trello (Atlassian)

This guide explains how to set up single sign-on (SSO) between SmartLink and Trello using SAML 2.0 via Atlassian Access.

Prerequisites

  • Trello Enterprise subscription with Atlassian Access
  • Administrative access to Atlassian Admin
  • Domain verified in Atlassian
  • Application configured in SmartLink with SAML2

Note: SSO for Trello requires Atlassian Access, which is only available with Enterprise plans.

1. Create the application

  1. Log in to SmartLink as an administrator
  2. Go to Applications → Add
  3. Create a new application:
    • Name: Trello
    • URL: https://trello.com
    • Description: Project management and collaboration
    • Icon: Choose the Trello icon

2. Configure SAML2

  1. Open the Authentication tab
  2. Select SAML2
  3. Configure the following parameters:
    • Entity ID: https://[your-smartlink].link.vaultys.org/[appid]
    • ACS URL: https://auth.atlassian.com/login/callback
    • NameID format: emailAddress
    • App ID: [appid] (automatically generated unique identifier)

3. Retrieve the metadata

Note the following URLs:

  • IdP Metadata: https://[your-smartlink].link.vaultys.org/api/saml2/[appid]/metadata
  • SSO URL: https://[your-smartlink].link.vaultys.org/api/saml2/sso/[appid]
  • SLO URL: https://[your-smartlink].link.vaultys.org/api/saml2/slo/[appid]
  • X.509 Certificate: Download from SmartLink

Configuration in Atlassian Access

1. Access Atlassian Admin

  1. Log in to admin.atlassian.com
  2. Select your organization
  3. Go to Security → Identity providers

2. Add a SAML identity provider

  1. Click on Add identity provider
  2. Select SAML single sign-on
  3. Configure the identity provider information:

Manual Configuration

  • Identity provider Entity ID: [appid]
  • SSO URL: https://[your-smartlink].link.vaultys.org/api/saml2/sso/[appid]
  • Public x509 certificate: Paste the certificate from SmartLink

Or via Metadata URL

  • Import from metadata URL: https://[your-smartlink].link.vaultys.org/api/saml2/[appid]/metadata

3. Configure SAML attributes

Configure the attribute mapping:

<AttributeStatement>
  <Attribute Name="email">
    <AttributeValue>user.email</AttributeValue>
  </Attribute>
  <Attribute Name="displayName">
    <AttributeValue>user.displayName</AttributeValue>
  </Attribute>
  <Attribute Name="firstName">
    <AttributeValue>user.firstName</AttributeValue>
  </Attribute>
  <Attribute Name="lastName">
    <AttributeValue>user.lastName</AttributeValue>
  </Attribute>
</AttributeStatement>

4. Domain configuration

  1. In Domains, add your enterprise domain
  2. Verify the domain via DNS (TXT record)
  3. Enable Enforce SSO for this domain

5. User assignment

  1. In Users, configure:
    • Auto-provisioning: Enabled
    • Just-in-time provisioning: Enabled
    • Update user details on login: Enabled

Group and permission configuration

Group synchronization

In SmartLink, configure SAML assertions to include groups:

<Attribute Name="groups">
  <AttributeValue>smartlink-trello-admins</AttributeValue>
  <AttributeValue>smartlink-trello-users</AttributeValue>
</Attribute>

Trello permission mapping

In Atlassian Access:

  1. Directory → Groups
  2. Create mappings:
    • smartlink-trello-admins → Workspace Admin
    • smartlink-trello-users → Normal User
    • smartlink-trello-guests → Guest User
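The attribute mapping, the groups attribute and the group-to-role mapping above can be checked end to end on a captured assertion. The following is an added example, not SmartLink or Atlassian code: it parses the AttributeStatement of a constructed assertion with Python's standard library, then applies the exact-match group mapping from this guide and reports groups that did not match (including the case-only mismatches that typically explain unsynchronized groups). The role precedence in effective_role and the helper names are assumptions of this example.

```python
# Added example: parse SAML attributes and map groups to Trello roles.
# Uses the standard library only; for untrusted input in production,
# parse with defusedxml instead of xml.etree.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Group -> role mapping exactly as configured in Atlassian Access (from the guide).
GROUP_ROLE_MAP = {
    "smartlink-trello-admins": "Workspace Admin",
    "smartlink-trello-users": "Normal User",
    "smartlink-trello-guests": "Guest User",
}

# Constructed sample assertion fragment; the attribute names follow the guide.
# The second group value deliberately differs in case from the configured name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="displayName">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>smartlink-trello-users</saml:AttributeValue>
      <saml:AttributeValue>SmartLink-Trello-Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def map_groups_to_roles(groups):
    """Exact-match mapping, as the Atlassian Access group mapping requires.

    Returns (roles, unmapped). Unmapped entries carry a hint when the only
    difference from a configured group name is letter case.
    """
    roles, unmapped = [], []
    by_lowercase = {name.lower(): name for name in GROUP_ROLE_MAP}
    for group in groups:
        if group in GROUP_ROLE_MAP:
            roles.append(GROUP_ROLE_MAP[group])
        elif group.lower() in by_lowercase:
            unmapped.append(f"{group} (case differs from {by_lowercase[group.lower()]})")
        else:
            unmapped.append(group)
    return roles, unmapped


def effective_role(roles):
    """Pick the highest role when a user is in several groups (assumed precedence)."""
    for role in ("Workspace Admin", "Normal User", "Guest User"):
        if role in roles:
            return role
    return None


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    roles, unmapped = map_groups_to_roles(attrs.get("groups", []))
    print("email:", attrs["email"][0])
    print("effective role:", effective_role(roles))
    print("unmapped groups:", unmapped)
```

Run it against a real assertion by pasting the decoded SAMLResponse into SAMPLE_ASSERTION; a non-empty unmapped list is the first thing to look at when Trello permissions are not applied.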

Workspace configuration

To automatically assign users to the correct workspaces:

  1. Products → Trello
  2. Workspace access
  3. Configure access by group

Security policy configuration

Session and authentication

  1. In Atlassian Access → Policies
  2. Configure:
    • Session duration: 8 hours
    • Require re-authentication: After 30 days
    • Mobile session: 90 days

IP restrictions (optional)

{
  "ip_allowlist": [
    "203.0.113.0/24",
    "198.51.100.0/24"
  ],
  "enforce_for_admins": true
}
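To see what the allowlist above means for individual logins, here is an added example (not SmartLink or Atlassian code) that evaluates the policy shape shown in this guide against constructed authentication events. It uses the standard library ipaddress module, honours enforce_for_admins, and normalises IPv4-mapped IPv6 addresses so a client arriving as ::ffff:203.0.113.45 is matched against the IPv4 ranges; the event format is an assumption of this example.

```python
# Added example: evaluate an IP allowlist policy against login events.
import ipaddress
import json

# The allowlist configuration from the guide.
IP_POLICY = json.loads("""{
  "ip_allowlist": ["203.0.113.0/24", "198.51.100.0/24"],
  "enforce_for_admins": true
}""")

# Constructed sample authentication events (not a real Atlassian log format).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "ip": "203.0.113.45", "admin": False},
    {"user": "bob@example.com", "ip": "192.0.2.10", "admin": False},
    {"user": "carol@example.com", "ip": "192.0.2.11", "admin": True},
    {"user": "dave@example.com", "ip": "::ffff:198.51.100.7", "admin": False},
]


def load_networks(policy):
    """Parse the CIDR strings once; strict=True rejects ranges with host bits set."""
    return [ipaddress.ip_network(cidr, strict=True) for cidr in policy["ip_allowlist"]]


def normalise_ip(source_ip):
    """Unwrap IPv4-mapped IPv6 addresses so they compare against IPv4 ranges."""
    ip = ipaddress.ip_address(source_ip)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_login_allowed(policy, source_ip, is_admin):
    """True when the source is inside the allowlist, or the user is an admin
    and the policy does not enforce the allowlist for admins."""
    if is_admin and not policy.get("enforce_for_admins", False):
        return True
    ip = normalise_ip(source_ip)
    return any(ip in network for network in load_networks(policy))


def flag_out_of_policy(policy, events):
    """Return the users whose login source violates the policy (for review)."""
    return [e["user"] for e in events if not is_login_allowed(policy, e["ip"], e["admin"])]


if __name__ == "__main__":
    for user in flag_out_of_policy(IP_POLICY, SAMPLE_EVENTS):
        print("login outside allowlist:", user)
```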

Configuration testing

1. Connection test

  1. Open a private browsing window
  2. Go to trello.com/login
  3. Enter your company email
  4. You should be redirected to SmartLink
  5. Authenticate with your SmartLink credentials
  6. You should be logged in to Trello

2. Test with the mobile application

  1. Open the Trello mobile application
  2. Tap on Log in
  3. Enter your company email
  4. The application opens a browser for authentication
  5. After logging in, you are redirected to the application

3. Permission verification

# Via the Trello API (replace {key} and {token} with your API key and token)
curl -X GET "https://api.trello.com/1/members/me" \
  -H "Authorization: OAuth oauth_consumer_key=\"{key}\", oauth_token=\"{token}\""

Integration with Power-Ups

Power-Ups configuration with SSO

For custom Power-Ups using authentication:

// Power-Up configuration with SSO
const t = window.TrelloPowerUp.iframe();

t.authorize({
  url: 'https://[your-smartlink].link.vaultys.org/api/oidc/[appid]/authorize',
  clientId: 'trello-powerup-xxxxxx',
  scope: 'read,write',
  expiration: '30days',
  name: 'My Power-Up'
});

Automation with Butler

Butler configuration with SSO

Butler automations continue to work with SSO. For custom commands:

when a card is moved to list "Done" by anyone,
post comment "@{username} has completed this task"

Troubleshooting

Error "SAML response validation failed"

Issue: The SAML response is not valid

Solution:

  1. Check the X.509 certificate
  2. Ensure the Entity ID matches in SmartLink: [appid]
  3. Check the logs in Atlassian Admin:
    • Security → Authentication log
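The three troubleshooting steps above map directly onto fields of the SAML response. The following is an added example, not SmartLink or Atlassian code: it runs the checks that most often explain a "SAML response validation failed" error on a constructed response (Destination versus the ACS URL, Issuer versus the SmartLink Entity ID, NameID format, Audience, the NotBefore/NotOnOrAfter window, and the SHA-256 fingerprint of the embedded certificate versus the one downloaded from SmartLink). Full XML-signature verification is left to a SAML library such as python3-saml. The certificate bytes, the Audience value, the placeholder host and app id, and the helper names are assumptions of this example.

```python
# Added example: field checks for a SAML response, standard library only.
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the certificate downloaded from SmartLink (not real X.509 DER).
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-placeholder-not-a-real-certificate").decode()


def cert_fingerprint(b64_cert):
    """SHA-256 fingerprint of the DER bytes inside a base64 <ds:X509Certificate>."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def parse_time(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# What the service-provider side expects. Host and app id are placeholders,
# the ACS URL is the one from the guide, the audience is a placeholder for the
# SP entity ID shown by Atlassian, and the fingerprint is taken from the cert above.
EXPECTED = {
    "issuer": "https://YOUR-SMARTLINK.link.vaultys.org/APPID",
    "acs_url": "https://auth.atlassian.com/login/callback",
    "audience": "ATLASSIAN-SP-ENTITY-ID-PLACEHOLDER",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "cert_sha256": cert_fingerprint(SAMPLE_CERT_B64),
}

# Constructed sample response that satisfies every check.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" Destination="https://auth.atlassian.com/login/callback">
  <saml:Assertion>
    <saml:Issuer>https://YOUR-SMARTLINK.link.vaultys.org/APPID</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>ATLASSIAN-SP-ENTITY-ID-PLACEHOLDER</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_saml_response(xml_text, expected, now_iso):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    now = parse_time(now_iso)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in the response"]

    destination = root.get("Destination")
    if destination != expected["acs_url"]:
        findings.append(f"Destination {destination!r} does not match the ACS URL")

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected["issuer"]:
        findings.append(f"Issuer {issuer!r} does not match the SmartLink Entity ID")

    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format") if nameid is not None else None
    if fmt != expected["nameid_format"]:
        findings.append(f"NameID format {fmt!r} is not emailAddress")

    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS).strip()
    if audience != expected["audience"]:
        findings.append(f"Audience {audience!r} does not match the SP entity ID")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < parse_time(not_before):
            findings.append(f"assertion not yet valid (NotBefore {not_before})")
        if not_on_or_after and now >= parse_time(not_on_or_after):
            findings.append(f"assertion expired (NotOnOrAfter {not_on_or_after})")

    cert = assertion.findtext(".//ds:X509Certificate", default="", namespaces=NS)
    if not cert:
        findings.append("no embedded signing certificate")
    elif cert_fingerprint(cert) != expected["cert_sha256"]:
        findings.append("signing certificate differs from the one downloaded from SmartLink")
    return findings


if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE, EXPECTED, "2024-05-01T10:02:00Z") or "all checks passed")
```

Take the Base64 SAMLResponse from the browser's POST to the ACS URL, decode it, and pass it as xml_text; a clock-skew finding between SmartLink and Atlassian shows up as "not yet valid" or "expired" even when the certificate and identifiers are correct.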

Error "User not found in directory"

Issue: The user is not provisioned

Solution:

  1. Verify that the email domain is verified
  2. Enable Just-in-time provisioning
  3. Check the email attribute in the SAML assertion

Groups are not synchronized

Issue: Group permissions are not applied

Solution:

  1. Check the format of the groups attribute in the SAML assertion
  2. In Atlassian Access, check Directory → Groups
  3. Ensure group names match exactly

Error on mobile "Authentication failed"

Issue: Authentication fails on the mobile application

Solution:

  1. Ensure the SSL certificate is valid
  2. Verify that the callback URL is allowed
  3. Try logging out completely and logging back in

Security

Recommendations

  1. Enforce SSO: Activate SSO for all users
  2. Domain verification: Verify all your enterprise domains
  3. Session management: Configure appropriate session durations
  4. Audit logs: Regularly monitor authentication logs
  5. API tokens: Manage API tokens separately from SSO

Compliance configuration

{
  "compliance_settings": {
    "data_residency": "EU",
    "encryption_at_rest": true,
    "audit_log_retention": "365 days",
    "gdpr_compliant": true
  }
}

Backup and recovery

In case of issues with SSO:

  1. Administrators can use the recovery email
  2. Atlassian Access maintains emergency access
  3. API tokens remain valid regardless of SSO

Integration with other Atlassian products

Jira and Confluence

The same SSO configuration automatically applies to:

  • Jira Software/Service Management
  • Confluence
  • Bitbucket
  • Opsgenie

Unified configuration

atlassian_products:
  - trello:
      enabled: true
      default_workspace: "enterprise"
  - jira:
      enabled: true
      default_project: "PROJ"
  - confluence:
      enabled: true
      default_space: "DOCS"

Migration of existing users

Migration script

# Script to migrate users to SSO
# Assumes three helpers implemented against your directory / admin API:
#   get_all_users(domain) -> list of {'id': ..., 'email': ...}
#   enable_sso_for_user(user_id)
#   send_migration_email(email)
import requests


def migrate_users_to_sso(domain):
    # Get all users
    users = get_all_users(domain)

    for user in users:
        # Only migrate accounts whose email belongs to the verified domain
        if user['email'].endswith(f'@{domain}'):
            # Enable SSO for the user
            enable_sso_for_user(user['id'])
            # Send migration email notification
            send_migration_email(user['email'])

Resources