We have implemented SAML-based SSO on our server. Before we remove local login, what is the process if our SSO gets broken for some reason? In general, we do not want to allow local authentication, but is there something we can do at the server level (SSH) in a config file to allow local login in case of a recovery mode?
Would need the same info for Jira in that we will be doing that too.
Welcome to Atlassian Community!
In this case I recommend you check our Authentication Policies; with them you can always leave a "backdoor" or "safe" account outside of the SAML SSO policy, so you can regain access in case something happens during the configuration, a certificate expires, etc.
Here are some documents regarding this:
Best Regards!
I am not aware of any authentication policy in Data Center. Looks like that is only for cloud hosted?
Hi @Ben Bazian
First, don't call it a backdoor, security types don't like that. :)
I like to leave one admin account using the local built-in directory, just as a fail-safe, security people like a fail-safe. I typically won't advocate that anyone use this account unless necessary and that its credentials are properly secured.
Haha. I get it about the backdoor connotation. I guess a better way to put it would be: is there a way, through the config files, to re-enable the local login accounts? I prefer not to have any accounts able to log in locally unless there is a DR need.
I have had to recover admin accounts in the past, IIRC it involves editing the DB.
https://confluence.atlassian.com/doc/restore-passwords-to-recover-admin-user-rights-158390.html
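The recovery procedure in the linked document boils down to writing a credential you know into the recovering admin's row in the internal directory, which only works once that directory is active again. The following is an added example, not code from the thread or from Atlassian: it produces and verifies a credential in the `{PKCS5S2}` format that the Atlassian internal directory stores (assumed here to be PBKDF2-HMAC-SHA1, 10000 iterations, a 16-byte salt and a 32-byte derived key, Base64-encoded as salt followed by key), so you can generate a fresh hash instead of pasting a well-known one. The table and column names in the generated `UPDATE` (`cwd_user`, `credential`, `user_name`) are an assumption about the schema; confirm them against your own database before running anything.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re
from typing import Optional

# Parameters of the Atlassian PKCS5S2 password encoder (assumption: these
# match the encoder used for internal-directory users in Confluence/Jira).
PREFIX = "{PKCS5S2}"
ITERATIONS = 10000
SALT_LEN = 16
KEY_LEN = 32


def pkcs5s2_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {PKCS5S2} credential string for `password`.

    Layout: PREFIX + Base64(salt || PBKDF2-HMAC-SHA1(password, salt)).
    A fresh random salt is drawn unless one is supplied (for tests only).
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                             ITERATIONS, KEY_LEN)
    return PREFIX + base64.b64encode(salt + dk).decode("ascii")


def pkcs5s2_verify(password: str, encoded: str) -> bool:
    """Check `password` against a stored {PKCS5S2} credential.

    Malformed input (wrong prefix, bad Base64, wrong length) is rejected
    rather than raised, and the digest comparison is constant-time.
    """
    if not encoded.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(encoded[len(PREFIX):], validate=True)
    except (ValueError, binascii.Error):
        return False
    if len(raw) != SALT_LEN + KEY_LEN:
        return False
    salt, stored = raw[:SALT_LEN], raw[SALT_LEN:]
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                             ITERATIONS, KEY_LEN)
    return hmac.compare_digest(dk, stored)


def recovery_update_sql(user_name: str, encoded: str) -> str:
    """Build the UPDATE a recovery would run against the internal directory.

    Table/column names are assumed (cwd_user.credential keyed by user_name);
    the user name is restricted to a safe character set so the literal
    cannot break out of its quotes, and the credential is Base64 plus braces.
    """
    if not re.fullmatch(r"[A-Za-z0-9._@-]+", user_name):
        raise ValueError("unexpected characters in user name")
    if not encoded.startswith(PREFIX):
        raise ValueError("credential is not in {PKCS5S2} format")
    return (f"UPDATE cwd_user SET credential = '{encoded}' "
            f"WHERE user_name = '{user_name}';")


if __name__ == "__main__":
    # Constructed sample: generate a credential for a recovery password,
    # prove it verifies, and print the statement you would review before use.
    cred = pkcs5s2_encode("Recovery-Pass-2024")
    assert pkcs5s2_verify("Recovery-Pass-2024", cred)
    print(recovery_update_sql("admin", cred))
```

Run it once per recovery, use the printed statement only after you have re-activated the internal directory the account lives in, and rotate the password again as soon as SSO is working, since the plaintext now exists outside the identity provider.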
Will this work if the local directory for authentication is turned off and only SSO is enabled? Moving forward for normal operations we do not want to allow any local login. Only SSO which forces MFA.
I believe you would have to re-enable a local directory.
Yes. But can that happen at the server console if disabled in the UI? Again, this is a fall back if the SSO fails.
No, I do not believe so. You would need to be able to log in as an admin to enable the local directory.