SSO not going straight to the app

SHiester May 15, 2020

Hi,

I just got done setting up SAML SSO in Azure but when I go to our company's organization, I have to click sign in with Microsoft even though I clicked Jira through myapplications.office.com. I followed the instructions in this document https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/atlassian-cloud-tutorial and I think the sign on URL is what's giving me problems.

Basically I am getting 2 Atlassian verification pages when I should only get 1. Any ideas?

2 answers

1 accepted

0 votes
Answer accepted
Ed Letifov _TechTime - New Zealand_
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 15, 2020

If you, instead of clicking on the icon in the Azure portal, simply navigate to your Atlassian Cloud URL, then instead of clicking on sign in with Microsoft, type your email, as if you are going to use password credentials - what happens then? If you are not redirected to Azure then, your SAML SSO hasn't been set up correctly.

SHiester May 15, 2020

When I type my email it says "opening single on" and works, but Jira should also open in myapplications.microsoft.com when I click the tile. Even when signed into our Microsoft account it asks me to sign in to my account again. Any suggestions? Thanks for the help as well!

Screen Shot 2020-05-15 at 10.15.37 PM.jpg

Ed Letifov _TechTime - New Zealand_
May 15, 2020

So, SSO works when doing "SP-initiated" but not when doing "IdP-initiated"

Did you do step 4 here: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/atlassian-cloud-tutorial#configure-azure-ad-sso

Atlassian document also mentions it: https://confluence.atlassian.com/cloud/saml-single-sign-on-943953302.html#SAMLsinglesign-on-1.AddtheAtlassianproducttoyouridentityprovider

"For identity provider initiated SAML, enter your organization's URL as the default relay state. Include https:// as part of your organization's URL."

SHiester May 15, 2020

We want SP-initiated mode, but we don't want the second id.atlassian.net verification page - we want it to go straight into the app.

Ed Letifov _TechTime - New Zealand_
May 15, 2020

"SP-initiated" is when you go to the application first, and once it realises that you are not yet logged in, it redirects you to the IdP to authenticate and then you are redirected back and you are logged in automatically (based on the response that the IdP sent)

If you go to your IdP first, login (if needed), click on the icon and you get redirected to Cloud and are logged in - that's IdP-initiated SSO

So, SP-initiated is you going to your Atlassian Cloud URL, if your cookie expired already, you get kicked out to the Cloud login page, you enter your email, you get redirected to the IdP, if you are already logged in there, you get redirected back immediately and you are in.

I am not sure what the "second id.atlassian.net verification page" means in this case.

Like THE WAR OF DESTINY likes this
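The two flows discussed above can be told apart from a captured browser POST to the service provider. The following is an added example, not part of the thread and not Atlassian or Microsoft code: it decodes a `SAMLResponse` form field, reports whether it is SP-initiated or IdP-initiated, and for the IdP-initiated case checks that the relay state is an absolute `https://` URL as the quoted documentation requires. The sample response, `sp.example.com` and `org.example.com` are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def relay_state_problem(relay_state):
    """Return None if RelayState is an absolute https:// URL, else the reason."""
    if not relay_state:
        return "no RelayState sent"
    parts = urlsplit(relay_state)
    if parts.scheme != "https":
        return "RelayState does not start with https://"
    if not parts.hostname:
        return "RelayState has no host"
    return None

def inspect_sso_post(saml_response_b64, relay_state):
    """Diagnose a captured SAML POST. Troubleshooting aid only: it does not
    verify signatures and must not be used to make an authentication decision."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a SAML 2.0 Response")
    # A response to an SP's AuthnRequest carries InResponseTo; an unsolicited
    # (IdP-initiated) response has none.
    flow = "SP-initiated" if root.get("InResponseTo") else "IdP-initiated"
    # In the SP-initiated flow RelayState is an opaque value the SP round-trips,
    # so the URL check only applies to the IdP-initiated flow.
    problem = relay_state_problem(relay_state) if flow == "IdP-initiated" else None
    return {"flow": flow, "destination": root.get("Destination"),
            "relay_state_problem": problem}

def constructed_response(in_response_to=None):
    """Build a minimal, unsigned sample Response (constructed for this example)."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_constructed1" Version="2.0"'
           f' Destination="https://sp.example.com/acs"{attr}/>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    # org.example.com stands in for the organization's URL (placeholder).
    for rs in ("https://org.example.com", "org.example.com", ""):
        print(repr(rs), inspect_sso_post(constructed_response(), rs))
    print(inspect_sso_post(constructed_response("_req42"), "opaque-token"))
```
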
SHiester May 15, 2020

Thank you for the clarification!

The second verification page is the attached picture after clicking the launcher icon in our Microsoft applications page. Is it not supposed to launch right into Jira? Because right now users would have to log into Microsoft, click Jira, then log in again.

Like THE WAR OF DESTINY likes this
SHiester May 15, 2020

Screen Shot 2020-05-15 at 11.24.03 PM.jpg

Sorry here is the picture.

Ed Letifov _TechTime - New Zealand_
May 15, 2020

OK, can you confirm you've configured steps 4.c and 4.d?

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/atlassian-cloud-tutorial#configure-azure-ad-sso

My understanding is that it shouldn't show the Atlassian Cloud login page again (which is what you see, as in the screenshot you've provided)

Beyond this I can only suggest to raise a request with Atlassian Support on support.atlassian.com 

SHiester May 16, 2020

Yes, I configured it. Just to confirm I inserted the correct info, would my relay state URL be the URL below Jira Software in the top picture?

Screen Shot 2020-05-16 at 6.57.34 AM.jpg
Screen Shot 2020-05-16 at 6.57.50 AM.jpg

Ed Letifov _TechTime - New Zealand_
May 16, 2020

Yes, this should be the URL. I suggest reaching out to https://support.atlassian.com and describing your problem accordingly: that SP-initiated SSO works, but on the IdP-initiated one, instead of getting the Jira page, you get the Cloud login page again.

Like SHiester likes this
SHiester May 17, 2020

Thanks for your help! I reached out to support. Just waiting for a response now.

Dmitry Radzevich
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
June 9, 2022

Hi @SHiester,

Sorry for digging out the old corpse, but we are facing exactly the same issue.

Have you managed to resolve it?

0 votes
THE WAR OF DESTINY
May 15, 2020

I have done quite a lot of tests on iOS 11 and at this point, I have come to the conclusion that the SFAS sometimes doesn't work as expected.

Here is what I have done:

  1. I cloned the example app from this repo
  2. I created 2 apps from it, both of them using Google as the IdP, and I installed both apps on the device.
  3. I cleared all the web history and website data in Safari.
  4. I logged into app A using my Google account, and made sure I could read the user profile info.
  5. I then tried to log in to app B. When SFAS is opened, my existing Google account is not there to pick and I was asked to log in. For now, I cancel the login window.
  6. I go to Safari and go to myaccount.google.com. I can see that I haven't logged into Google at all.
  7. Now, I open app A again, and I try to authenticate again. This time when the SFAS is opened, I can see that my account is remembered and I can pick it and complete the login process.
  8. Now, if I go back to Safari and refresh myaccount.google.com, I can suddenly see I am logged in in Safari.
  9. If I go to app B again, this time I can see my current Google account and log in without entering the username and password again.

Step 7 doesn't always work, sometimes I have to enter my credentials again.

Have you guys come across anything similar before? I think in order to reproduce this, you have to make sure to remove the existing cookies from Safari first. It looks like SFAS doesn't always sync the cookies from SFAS back to Safari.

I tried with Keycloak and I see the same behaviour. Sometimes the SFAS syncs the session back to Safari, and when this happens, the other apps can perform SSO. But sometimes this doesn't happen and SSO doesn't work in other apps.

This is not a bug with AppAuth itself, I just want to make sure I am not the only one seeing this issue. If this is the case, I think it should be documented that SSO doesn't always work.
