SSO Backdoor

Ben Bazian September 24, 2024

We have implemented SAML based SSO to our server. Before we remove local login, what is the process if our SSO gets broken for some reason? In general, we do not want to allow local authentication, but is there something we can do at the server level (SSH) in a config file to allow for local login in case of a recovery mode?

Would need the same info for Jira in that we will be doing that too.


2 answers

0 votes
Hector Menchaca
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 25, 2024

@Ben Bazian ,

Welcome to Atlassian Community!

In this case I recommend you check our Authentication Policies; with them you can always leave a "backdoor" or "safe" account outside of the SAML SSO policy so you can gain access in case something happens during the configuration, a certificate expires, etc.

Here are some documents regarding this:

Best Regards!

Ben Bazian September 25, 2024

I am not aware of any authentication policy in Data Center. Looks like that is only for cloud hosted?

0 votes
Shawn Doyle - ReleaseTEAM
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 24, 2024

Hi @Ben Bazian

First, don't call it a backdoor, security types don't like that. :)

I like to leave one admin account using the local built-in directory, just as a fail-safe; security people like a fail-safe. I typically won't advocate that anyone use this account unless necessary, and that its credentials are properly secured.

Ben Bazian September 24, 2024

Haha. I get it about the backdoor connotation. I guess a better way to put it would be: is there a way through the config files to re-enable the local login accounts? I prefer to not have any accounts able to log in locally unless there is a DR need.

Shawn Doyle - ReleaseTEAM
Community Leader
September 24, 2024

I have had to recover admin accounts in the past; IIRC it involves editing the DB.

https://confluence.atlassian.com/doc/restore-passwords-to-recover-admin-user-rights-158390.html

Ben Bazian September 24, 2024

Will this work if the local directory for authentication is turned off and only SSO is enabled? Moving forward, for normal operations we do not want to allow any local login, only SSO, which forces MFA.

Shawn Doyle - ReleaseTEAM
Community Leader
September 24, 2024

I believe you would have to re-enable a local directory.

Ben Bazian September 24, 2024

Yes. But can that happen at the server console if disabled in the UI? Again, this is a fallback if the SSO fails.

Shawn Doyle - ReleaseTEAM
Community Leader
September 25, 2024

No, I do not believe so. You would need to be able to log in as an admin to enable the local directory.

Ben Bazian September 25, 2024

Then what is the fallback if SSO becomes unavailable?

DEPLOYMENT TYPE
SERVER
VERSION
9.0.3