
Bypass Jira login

Hello 

I have a Jira running behind a web server. I implemented SAML SSO in the web server, so I'm sure that the user is authenticated.

Have you any idea how to bypass Jira login?

 

Thank you 

Regards

2 answers

0 votes

Hi @Firas hammami ,

You should be able to add a parameter to your url.

The URL to display the login page is: <BASE_URL>/login.jsp?auth_fallback but the admin needs to enable authentication fallback first. 

https://confluence.atlassian.com/jirakb/bypass-saml-authentication-for-jira-data-center-869009810.html

 

If you mean bypassing login as in anonymous... that's something completely different.

You need a plugin on Jira side:

  • either a SAML one, hooked to the same SAML IdP as the web server; in this case SAML IdP is considered a trusted source and the app gives the username to Jira in "trust me, because I am running inside you, and I trust the IdP". Strictly speaking this will result in two authentication attempts, with the idea that when the app in Jira goes to the IdP the user is already authenticated at the IdP side, so the IdP will just immediately redirect back, without asking to re-login. However, if the IdP supports multiple identities being logged in at the same time (e.g. Google) - on every trip to the IdP, the IdP will ask you "which one?", so this may not result in a completely transparent "bypass". Also in this picture, strictly speaking you don't need SAML SSO in the web server (I assume this is really "a reverse proxy") – you could have just implemented SAML in Jira only.
  • or something else that can integrate with the web server e.g. via HTTP Headers, so the reverse proxy uses SAML to identify the user, then passes the username to Jira in a header, and the app retrieves it from there. Because in this case the proxy is configured as a trusted source, the app is able to just give the username to Jira in a "trust me, because I am running inside you and I trust the reverse proxy" manner. It's important that the system is configured in a way that this header cannot be injected by anyone else but the proxy.

Please consider trying our app EasySSO for Jira – we offer 5 authenticators, including SAML, HTTP Headers and X.509 – any of these 3 could be used to achieve what you are after.

Our support is 24x7 - please don't hesitate to reach out with the specifics of your reverse proxy and ask questions.
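
The header-trust rule from the second option above, modelled on both sides in Python. This is an added example, not part of the original answer and not EasySSO's code; the header name `X-Remote-User`, the proxy address and the function names are assumptions made for illustration.

```python
import ipaddress

IDENTITY_HEADER = "X-Remote-User"  # assumed header name (hypothetical)
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]  # constructed proxy address


def _canon(name):
    # Header names are case-insensitive; CGI-style stacks also fold "-" and "_",
    # so both spellings are treated as the same header here.
    return name.lower().replace("_", "-")


def proxy_forward(client_headers, saml_user):
    """Reverse-proxy side: drop every client-supplied copy of the identity
    header, then set it from the SAML-authenticated session only."""
    out = [(k, v) for k, v in client_headers
           if _canon(k) != _canon(IDENTITY_HEADER)]
    if saml_user is not None:
        out.append((IDENTITY_HEADER, saml_user))
    return out


def backend_user(peer_ip, headers):
    """Application side: honour the header only when the TCP peer is the proxy
    and exactly one non-empty value is present; otherwise stay anonymous."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None
    values = [v for k, v in headers if _canon(k) == _canon(IDENTITY_HEADER)]
    if len(values) != 1 or not values[0].strip():
        return None
    return values[0].strip()


if __name__ == "__main__":
    # Constructed request carrying a client-supplied identity header.
    spoofed = [("Host", "jira.example.test"), ("x_remote_user", "admin")]
    print(backend_user("203.0.113.9", spoofed))                     # None
    print(backend_user("10.0.0.5", proxy_forward(spoofed, "alice")))  # alice
    print(backend_user("10.0.0.5", proxy_forward(spoofed, None)))   # None
```

The two checks are complementary: the proxy overwrites whatever the client sent, and the application ignores the header on any connection that did not come from the proxy, so a direct connection to the Jira port gains nothing from setting it.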

Hi @Ed Letifov _TechTime - New Zealand_ 

Thank you for your response. About EasySSO: I have tried it, but the problem is that it forces me to use its own parameters and URL, so in my case I cannot make the same configuration as the webserver. Have you any idea how to use my own parameters?

 

 

Regards

@Firas hammami 

I suspect you meant that you have to configure your SAML IdP to talk to EasySSO via SAML effectively additionally to what you already have configured for your webserver/reverse proxy.

This is correct, as I said if you want to use SAML (with any SAML app not just EasySSO) you will have to integrate the app with your IdP, and effectively there will be two authentication requests to the IdP when a user attempts to login - one from the webserver, the other one from Jira.

This is why I said that technically you don't need SAML on the webserver, as both authentications are not related to each other, they simply take advantage of the fact that once logged in with IdP, the user won't have to re-enter credentials again.

In this case the webserver may still "be useful" e.g. apply some logic of letting the user access Jira or not at all based on their identity, effectively a firewall.

If you don't want to configure your IdP to talk to EasySSO, then you need to configure your proxy to talk to it using something else but SAML. While SAML is a standard, making your proxy talk to EasySSO via HTTP Headers is something much less standard. One would need to know more details about your proxy etc.

Please don't post these here for security reasons – instead proceed to our 24x7 support portal

Thank you. The problem is that in our company we must do any authentication at the webserver level, I don't have a choice. That's why I want to skip the Jira login since the user is already authenticated. I was thinking about forcing EasySSO to accept the same configuration that I put in the webserver.

So if you have both webserver AND jira integrated with your SAML IdP via SAML – you will still be making the authentication at the webserver level as per your company requirements.

Please run the solution by your Security Team. I can't see them rejecting it since it's actually MORE secure than what you have now (SAML on webserver but then still a login page on Jira). 

You can't force "the same configuration" on two different consumers (Service Providers) - this would be a security hole.

Please note, "the solution" I am describing is standard, it is not EasySSO-specific. You will have to do this with ANY SAML app.
