Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

Bypass jira login


I have a Jira running behind a web server, I implemented the saml SSO in the web server so I'm sure that the user is authenticated.

have you any idea how to bypass Jira login?


Thank you 


2 answers

You need a plugin on Jira side:

  • either a SAML one, hooked to the same SAML IdP as the web server; In this case SAML IdP is considered a trusted source and the app gives the username to Jira in "trust me, because I am running inside you, and I trust the IdP". Strictly speaking this will result in two authentication attempts, with the idea that when the app in Jira goes to the IdP the user is already authenticated at the IdP side, so the IdP will just immediately redirect back, without asking to re-login. However, if the IdP supports multiple identifies being logged in at the same time (e.g. Google) - on every trip to the IdP, the IdP will ask you "which one?", so this may not result in a completely transparent "bypass". Also in this picture, strictly speaking you don't need SAML SSO in the web server (I assume this is really "a reverse proxy") – you could have just implemented SAML in Jira only.
  • or something else that can integrate with the web server e.g. via HTTP Headers, so the reverse proxy uses SAML to identify the user, then passes the username to Jira in a header,  and the app retrieves it from there. Because in this case the proxy is configured as a trusted source, the app is able to just give the username to Jira in a "trust me, because I am running inside you and I trust the reverse proxy" manner. It's important that the system is configured in a way that this header cannot be injected by anyone else but the proxy.

Please consider trying our app EasySSO for Jira – we offer 5 authenticators, including SAML, HTTP Headers and X.509 – any of these 3 could be used to achieve what you are after.

Our support is 24x7 - please don't hesitate to reach out with the specifics of your reverse proxy and ask questions.

Hi @Ed Letifov _TechTime - New Zealand_ 

Thank you for your respense, about EasySSO, I have tried it, but the problem is that it force me to use it's own parametres and URL, so in my case I can not make the same configuration as the webserver, have you any idea how to use my own parametres?




@Firas hammami 

I suspect you meant that you have to configure your SAML IdP to talk to EasySSO via SAML effectively additionally to what you already have configured for your webserver/reverse proxy.

This is correct, as I said if you want to use SAML (with any SAML app not just EasySSO) you will have to integrate the app with your IdP, and effectively there will be two authentication requests to the IdP when a user attempts to login - one from the webserver, the other one from Jira.

This is why I said that technically you don't need SAML on the webserver, as both authentications are not related to each other, they simply take advantage of the fact that once logged in with IdP, the user won't have to re-enter credentials again.

In this case the webserver may still "be userful" e.g. apply some logic of letting the user access Jira or not at all based on their identity, effectively a firewall.

If you don't want to configure your IdP to talk to EasySSO, then you need to configure your proxy to talk to it using something else but SAML. While SAML is a standard, making your proxy to talk to EasySSO via HTTP Headers is something much less standard. One would need to know more details about your proxy etc.

Please don't post these here for security reason – instead proceed to our 24x7 support portal

Thank you, the problem is that in our company we must make any authentication in the webserver level, I don't have choice, that's why I want to skeep the Jira login since the user is already authenticated, I was thinking about forcing EasySSO to accept the same configuration that put in the webserver

So if you have both webserver AND jira integrated with your SAML IdP via SAML – you will still be making the authentication at the webserver level as per your company requirements.

Please run the solution by your Security Team. I can't see them rejecting it since it's actually MORE secure than what you have now (SAML on webserver but then still a login page on Jira). 

You can't force "the same configuration" on two different consumers (Service Providers) - this would be a security hole.

Please note, "the solution" I am describing is standard, it is not EasySSO-specific. You will have to do this with ANY SAML app.

Hi @Ed Letifov _TechTime - New Zealand_ 


Today I used easysso HEADERS, every thing works well, I passed the user id through the proxy and I'm sure (besause I used the same solution to pass user id through header to nexus)

in my apache I have this 

RequestHeader unset Authorization

RequestHeader set X-REMOTE-USER %{MELLON_uid}e env=MELLON_uid
#RequestHeader set X-WEBAUTH-USER %{MELLON_Password}e env=MELLON_Password
#RequestHeader set X-WEBAUTH-USER %{MELLON_username}e env=MELLON_username
RequestHeader set X-Forwarded-Proto "https"


in Jira plugin I puted  X-REMOTE-USER and I checked Get user name and Desable NTLM


I have always the login page of Jira 


Have you an idea about this please?



@Firas hammami if you reach out to our 24x7 support you will get much better response time than trying to catch me personally here...

Please raise a ticket there and provide logs – most likely there is some mismatch. Does a user with username that equals the uid value in the header exist in Jira?

yes I'm sure that the uid exists, Jira runs behind an IHS server with Nexus an other tools, I get the SAML response and I extract the uid after that I pass the uid with header, I nexus it works. in the jira part I dont see a lot of configuration, 

0 votes

Hi @Firas hammami ,

You should be able to add a parameter to your url.

The URL to display the login page is: <BASE_URL>/login.jsp?auth_fallback but the admin needs to enable authentication fallback first.


If you mean bypassing login as in anonymous..that's something completly different.

Suggest an answer

Log in or Sign up to answer

Atlassian Community Events