Hello
I have a Jira running behind a web server. I implemented SAML SSO in the web server, so I'm sure that the user is authenticated.
Do you have any idea how to bypass the Jira login?
Thank you
Regards
You need a plugin on Jira side:
Please consider trying our app EasySSO for Jira – we offer 5 authenticators, including SAML, HTTP Headers and X.509 – any of these 3 could be used to achieve what you are after.
Our support is 24x7 - please don't hesitate to reach out with the specifics of your reverse proxy and ask questions.
Hi @Ed Letifov _TechTime - New Zealand_
Thank you for your response. About EasySSO: I have tried it, but the problem is that it forces me to use its own parameters and URL, so in my case I cannot make the same configuration as the webserver. Do you have any idea how to use my own parameters?
Regards
I suspect you meant that you have to configure your SAML IdP to talk to EasySSO via SAML effectively additionally to what you already have configured for your webserver/reverse proxy.
This is correct, as I said if you want to use SAML (with any SAML app not just EasySSO) you will have to integrate the app with your IdP, and effectively there will be two authentication requests to the IdP when a user attempts to login - one from the webserver, the other one from Jira.
This is why I said that technically you don't need SAML on the webserver, as both authentications are not related to each other, they simply take advantage of the fact that once logged in with IdP, the user won't have to re-enter credentials again.
In this case the webserver may still "be useful", e.g. apply some logic of letting the user access Jira or not at all based on their identity, effectively a firewall.
If you don't want to configure your IdP to talk to EasySSO, then you need to configure your proxy to talk to it using something else but SAML. While SAML is a standard, making your proxy talk to EasySSO via HTTP Headers is something much less standard. One would need to know more details about your proxy etc.
Please don't post these here for security reasons – instead proceed to our 24x7 support portal.
Thank you. The problem is that in our company we must do any authentication at the webserver level, I don't have a choice. That's why I want to skip the Jira login since the user is already authenticated. I was thinking about forcing EasySSO to accept the same configuration that I put in the webserver.
So if you have both webserver AND jira integrated with your SAML IdP via SAML – you will still be making the authentication at the webserver level as per your company requirements.
Please run the solution by your Security Team. I can't see them rejecting it since it's actually MORE secure than what you have now (SAML on webserver but then still a login page on Jira).
You can't force "the same configuration" on two different consumers (Service Providers) - this would be a security hole.
Please note, "the solution" I am describing is standard, it is not EasySSO-specific. You will have to do this with ANY SAML app.
Hi @Ed Letifov _TechTime - New Zealand_
Today I used EasySSO HEADERS, everything works well, I passed the user id through the proxy and I'm sure (because I used the same solution to pass the user id through a header to Nexus).
In my Apache I have this:
RequestHeader unset Authorization
RequestHeader set X-REMOTE-USER %{MELLON_uid}e env=MELLON_uid
#RequestHeader set X-WEBAUTH-USER %{MELLON_Password}e env=MELLON_Password
#RequestHeader set X-WEBAUTH-USER %{MELLON_username}e env=MELLON_username
RequestHeader set X-Forwarded-Proto "https"
In the Jira plugin I put X-REMOTE-USER and I checked Get user name and Disable NTLM.
I always get the login page of Jira.
Do you have any idea about this, please?
Regards
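A side note on the header-based setup in the post above, as an added example that is not part of the original thread and is neither the poster's nor EasySSO's configuration: with `env=MELLON_uid` the header is only overwritten when the SAML attribute is present, so the proxy should first remove any X-REMOTE-USER value the client sent. The `/` location and the backend URL are assumed placeholders; MELLON_uid and X-REMOTE-USER come from the post.

```apache
# Added example. Assumed placeholders: the "/" location and the backend
# URL http://127.0.0.1:8080/. MELLON_uid and X-REMOTE-USER are the names
# used in the post above.

# --- As posted ---
# RequestHeader set X-REMOTE-USER %{MELLON_uid}e env=MELLON_uid
# When the assertion carries no uid attribute, MELLON_uid is not set, the
# directive is skipped, and an X-REMOTE-USER header sent by the browser is
# forwarded to Jira unchanged.

# --- Hardened form ---
<Location "/">
    # Require a valid mod_auth_mellon session for everything proxied to Jira.
    MellonEnable "auth"
    AuthType "Mellon"
    Require valid-user

    # 1. Always drop identity-bearing headers supplied by the client.
    RequestHeader unset Authorization
    RequestHeader unset X-REMOTE-USER

    # 2. Re-create the header only from the SAML attribute exported by Mellon.
    RequestHeader set X-REMOTE-USER "%{MELLON_uid}e" env=MELLON_uid

    RequestHeader set X-Forwarded-Proto "https"
</Location>

ProxyPass        "/" "http://127.0.0.1:8080/"
ProxyPassReverse "/" "http://127.0.0.1:8080/"
```

Header-based login is only as trustworthy as the network path: Jira's connector should accept connections from the proxy only, otherwise anyone who can reach Jira directly can send the header themselves.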
@Firas hammami if you reach out to our 24x7 support you will get much better response time than trying to catch me personally here...
Please raise a ticket there and provide logs – most likely there is some mismatch. Does a user with username that equals the uid value in the header exist in Jira?
Yes, I'm sure that the uid exists. Jira runs behind an IHS server with Nexus and other tools. I get the SAML response and I extract the uid, after that I pass the uid with a header. In Nexus it works. In the Jira part I don't see a lot of configuration,