Bypass Jira login

Hello 

I have Jira running behind a web server. I implemented SAML SSO in the web server, so I'm sure that the user is authenticated.

Do you have any idea how to bypass the Jira login?

Thank you

Regards

2 answers

You need a plugin on Jira side:

  • either a SAML one, hooked to the same SAML IdP as the web server. In this case the SAML IdP is considered a trusted source and the app gives the username to Jira in a "trust me, because I am running inside you, and I trust the IdP" manner. Strictly speaking this will result in two authentication attempts, with the idea that when the app in Jira goes to the IdP the user is already authenticated at the IdP side, so the IdP will just immediately redirect back without asking to re-login. However, if the IdP supports multiple identities being logged in at the same time (e.g. Google), on every trip to the IdP, the IdP will ask you "which one?", so this may not result in a completely transparent "bypass". Also in this picture, strictly speaking you don't need SAML SSO in the web server (I assume this is really "a reverse proxy") – you could have just implemented SAML in Jira only.
  • or something else that can integrate with the web server, e.g. via HTTP headers, so the reverse proxy uses SAML to identify the user, then passes the username to Jira in a header, and the app retrieves it from there. Because in this case the proxy is configured as a trusted source, the app is able to just give the username to Jira in a "trust me, because I am running inside you and I trust the reverse proxy" manner. It's important that the system is configured in a way that this header cannot be injected by anyone else but the proxy.

Please consider trying our app EasySSO for Jira – we offer 5 authenticators, including SAML, HTTP Headers and X.509 – any of these 3 could be used to achieve what you are after.

Our support is 24x7 - please don't hesitate to reach out with the specifics of your reverse proxy and ask questions.

Hi @Ed Letifov _TechTime - New Zealand_ 

Thank you for your response. About EasySSO, I have tried it, but the problem is that it forces me to use its own parameters and URL, so in my case I cannot make the same configuration as the web server. Do you have any idea how to use my own parameters?

Regards

@Firas hammami 

I suspect you meant that you have to configure your SAML IdP to talk to EasySSO via SAML, effectively in addition to what you already have configured for your web server/reverse proxy.

This is correct. As I said, if you want to use SAML (with any SAML app, not just EasySSO) you will have to integrate the app with your IdP, and effectively there will be two authentication requests to the IdP when a user attempts to log in: one from the web server, the other one from Jira.

This is why I said that technically you don't need SAML on the web server, as the two authentications are not related to each other; they simply take advantage of the fact that once logged in with the IdP, the user won't have to re-enter credentials again.

In this case the web server may still "be useful", e.g. to apply some logic of letting the user access Jira or not at all based on their identity, effectively a firewall.

If you don't want to configure your IdP to talk to EasySSO, then you need to configure your proxy to talk to it using something other than SAML. While SAML is a standard, making your proxy talk to EasySSO via HTTP headers is something much less standard. One would need to know more details about your proxy etc.

Please don't post these here for security reasons – instead proceed to our 24x7 support portal.

Thank you. The problem is that in our company we must do all authentication at the web server level; I don't have a choice. That's why I want to skip the Jira login, since the user is already authenticated. I was thinking about forcing EasySSO to accept the same configuration that I put in the web server.

So if you have both the web server AND Jira integrated with your SAML IdP via SAML, you will still be making the authentication at the web server level as per your company requirements.

Please run the solution by your Security Team. I can't see them rejecting it, since it's actually MORE secure than what you have now (SAML on the web server but then still a login page on Jira).

You can't force "the same configuration" on two different consumers (Service Providers) - this would be a security hole.

Please note, "the solution" I am describing is standard, it is not EasySSO-specific. You will have to do this with ANY SAML app.

Hi @Ed Letifov _TechTime - New Zealand_ 

Today I used EasySSO HEADERS. Everything works well: I pass the user id through the proxy, and I'm sure of that (because I used the same solution to pass the user id through a header to Nexus).

In my Apache config I have this:

# Drop any Authorization header supplied by the client; only the SAML identity is forwarded.
RequestHeader unset Authorization
# Added hardening: discard any X-REMOTE-USER the client itself sent, so the conditional
# set below is the only way this header can reach Jira.
RequestHeader unset X-REMOTE-USER
# Forward the SAML uid to Jira only when mod_auth_mellon has set MELLON_uid.
RequestHeader set X-REMOTE-USER %{MELLON_uid}e env=MELLON_uid
#RequestHeader set X-WEBAUTH-USER %{MELLON_Password}e env=MELLON_Password
#RequestHeader set X-WEBAUTH-USER %{MELLON_username}e env=MELLON_username
# Tell Jira that the original client request was HTTPS.
RequestHeader set X-Forwarded-Proto "https"

In the Jira plugin I put X-REMOTE-USER, and I checked "Get user name" and "Disable NTLM".

I still always get the login page of Jira.

Do you have an idea about this, please?

Regards

@Firas hammami if you reach out to our 24x7 support you will get much better response time than trying to catch me personally here...

Please raise a ticket there and provide logs – most likely there is some mismatch. Does a user with a username that equals the uid value in the header exist in Jira?

Yes, I'm sure that the uid exists. Jira runs behind an IHS server with Nexus and other tools. I get the SAML response and extract the uid; after that I pass the uid in a header. In Nexus it works. In the Jira part I don't see a lot of configuration.
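As an added illustration (not code from this thread, EasySSO, Jira or mod_auth_mellon), the Python below models the header-based approach from the first answer together with the Apache directives posted above: the proxy sets X-REMOTE-USER from MELLON_uid, and the application honours that header only when the request comes from the trusted proxy and names a user that exists, which is the "mismatch" check raised just above. The proxy address, the user list and the strip_inbound switch are assumptions for the sake of the example. The case it makes visible is the caveat in the first answer: a conditional `RequestHeader set ... env=MELLON_uid` does nothing on a request where mod_auth_mellon did not set MELLON_uid, so a client-supplied X-Remote-User would be forwarded unchanged unless the proxy unsets it first.

```python
"""Constructed model of the reverse-proxy header trust discussed in this thread.

Added illustration, not EasySSO, Jira or mod_auth_mellon code. The proxy
address, the user list and the strip_inbound switch are assumptions.
"""
from typing import Dict, Optional

# Header name the proxy uses to hand the SAML-derived uid to Jira (as in the
# Apache config posted above).
USER_HEADER = "X-REMOTE-USER"

# Assumed address of the reverse proxy as seen by the application.
TRUSTED_PROXIES = {"10.0.0.5"}

# Constructed stand-in for the Jira user directory.
KNOWN_USERS = {"fhammami", "jdoe"}


def proxy_forward(client_headers: Dict[str, str], mellon_uid: Optional[str],
                  strip_inbound: bool) -> Dict[str, str]:
    """Model of `RequestHeader set X-REMOTE-USER %{MELLON_uid}e env=MELLON_uid`.

    client_headers: headers exactly as the browser sent them.
    mellon_uid:     value of the MELLON_uid environment variable, or None when
                    mod_auth_mellon did not authenticate this request (for
                    example a path where it is not enforced).
    strip_inbound:  True models an additional `RequestHeader unset X-REMOTE-USER`
                    placed before the conditional set; False models the set alone.
    """
    # HTTP header names are case-insensitive, so normalise before matching;
    # Apache treats "x-remote-user" and "X-REMOTE-USER" as the same header.
    upstream = {name.upper(): value for name, value in client_headers.items()}
    if strip_inbound:
        upstream.pop(USER_HEADER, None)
    # `env=MELLON_uid` makes the set conditional: when the variable is absent
    # the directive does nothing and whatever the client sent is forwarded.
    if mellon_uid is not None:
        upstream[USER_HEADER] = mellon_uid
    return upstream


def resolve_user(headers: Dict[str, str], remote_addr: str) -> Optional[str]:
    """Application-side decision for a header-based authenticator.

    The header is honoured only when the request arrives from the trusted proxy
    and names a user that exists; a uid that is not a known username resolves
    to nobody, which is the "mismatch" case that leaves you on the login page.
    """
    if remote_addr not in TRUSTED_PROXIES:
        return None
    uid = headers.get(USER_HEADER)
    if not uid or uid not in KNOWN_USERS:
        return None
    return uid


def scenarios() -> Dict[str, Optional[str]]:
    """Run the cases that matter and return the user each one resolves to."""
    proxy_ip = "10.0.0.5"

    # 1. Normal SSO: mellon authenticated the user and exported the uid.
    hdrs = proxy_forward({"Accept": "*/*"}, "fhammami", strip_inbound=True)
    normal = resolve_user(hdrs, proxy_ip)

    # 2. Injection: the client supplies its own X-Remote-User on a request where
    #    mellon did not run, and the proxy only has the conditional set.
    hdrs = proxy_forward({"X-Remote-User": "jdoe"}, None, strip_inbound=False)
    injected = resolve_user(hdrs, proxy_ip)

    # 3. Same attempt once the proxy strips the inbound header first.
    hdrs = proxy_forward({"X-Remote-User": "jdoe"}, None, strip_inbound=True)
    stripped = resolve_user(hdrs, proxy_ip)

    # 4. Client reaches the application port directly, bypassing the proxy.
    direct = resolve_user({USER_HEADER: "jdoe"}, "203.0.113.7")

    # 5. Proxy is honest but the uid is not a known username.
    hdrs = proxy_forward({}, "uid-not-in-jira", strip_inbound=True)
    mismatch = resolve_user(hdrs, proxy_ip)

    return {"normal": normal, "injected": injected, "stripped": stripped,
            "direct": direct, "mismatch": mismatch}


if __name__ == "__main__":
    for name, user in scenarios().items():
        print(f"{name:9s} -> {user}")
```

Running the block prints each scenario. The `injected` case resolving to a real user is exactly the hole the first answer warns about; it is why the proxy must unset the header before conditionally setting it, and why the application port must be reachable only through the proxy. The `mismatch` case is the check suggested above: if the uid in the header is not a Jira username, a header authenticator has nothing to log in and the login page is the expected result.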

0 votes

Hi @Firas hammami ,

You should be able to add a parameter to your URL.

The URL to display the login page is <BASE_URL>/login.jsp?auth_fallback, but the admin needs to enable authentication fallback first.

https://confluence.atlassian.com/jirakb/bypass-saml-authentication-for-jira-data-center-869009810.html

If you mean bypassing login as in anonymous access... that's something completely different.
