How to do SSO SAML login to JIRA from site using ADSF

Jiri Kanicky August 17, 2019

Hi.

Is there a solution for the following scenario?

  1. I login to LANDING PAGE using ADSF (third party web page).
  2. On that landing page I have a link to JIRA Service Desk.
  3. When the user clicks on the link, it will be automatically redirected and logged to JIRA.

We use CROWD, but I don't have to use CROWD for the SSO SAML login.

Solution Option 1:

Currently, I can add AD directory to CROWD, but when the users are redirected, they are asked for login. This is last resort solution. We would prefer if the users can login automatically.

Solution Option 2:

I was wondering if this JIRA app might be the solution.

https://marketplace.atlassian.com/apps/1216096/sso-for-atlassian-server-and-data-center?hosting=server&tab=overview

I would use SAML as secondary login, hoping that users accessing JIRA directly being in CROWD directly would login as normal, and users coming from the LANDING PAGE would login with SAML.

Would that work?

 

Is there any other solution?

 

Thank you.

 

3 comments

Christian Reichert (resolution)
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 17, 2019

Hi Jiri,

I assume you mean AD FS (not ADSF).

The Plugin you link to was really only for Data-Center (in terms of SAML) and it's now included in the Data-Center as it's SAML functionality.

You scenario can be easily solved by the following setup:

  • You install a 3rd Party SAML Plugin on your Server (or DC) instance.
  • You connect AD via LDAP to your Jira instance (you could also do that via Crowd if you have it anyway, otherwise there is no need for Crowd in this Scenario).
  • You turn on redirection that all unauthenticated Users are redirected to AD FS.

The Login flow for your User will then look like:

  • User hits your external portal & be authenticated via ADFS
  • User clicks the Jira link & gets to Jira
  • Jira redirects the User to AD FS 
  • Since User already has an reestablished session with AD FS the User gets redirected straight back to Jira with a SAML Response
  • The SAML Plugin on Jira logs the User in based on the SAML response.

The last 3 Steps here are hardly visible to the User as it's just two redirects which the User just recognises by the URL changing twice in the Browser.

There are is a variety of plugins in the marketplace that can do this: https://marketplace.atlassian.com/search?product=jira-service-desk&query=saml

The SAML Plugin from us you find here: https://marketplace.atlassian.com/apps/1212130/saml-single-sign-on-sso-jira-saml-sso?hosting=server&tab=overview

Our Plugin also allows a lot of fine-tuning in the redirection behaviour in case you have multiple User Groups etc.

Feel free to ask more Questions in the Thread here - or if you have a more sensitive information that you don't want to share publicly, you can always schedule a free call with us via https://resolution.de/go/calendly

Cheers,

     Chris

P.S. Full disclosure, I work for resolution, a marketplace vendor.

Like Jiri Kanicky likes this
Jiri Kanicky August 17, 2019

Chris, thank you for the detailed answer.

One more question regarding the new CROWD data-center version. Not sure if you are aware, but that new version seems to provide SSO capabilities.
https://confluence.atlassian.com/crowd/crowd-sso-2-0-967322291.html

How that new CROWD SSO is different from your SAML plugin? Would I be able to do the same with the CROWD data-server version?

Christian Reichert (resolution)
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 17, 2019

Hi Jiri, (autocorrect always wants to turn your name into Jira :-))

yes I know about that functionality and it's not really going to help you in your scenario.

The feature you describe is that Crowd will act as a "basic" SAML 2.0 Identity Provider. It does that to show a single Login Page across all the Atlassian Applications. 

So the functionality is still really there that you login into the Atlassian Application once, not to federate towards a AD FS or other SAML IdP.

Just on a side note, our plugin can handle multiple IdPs so should you need to use Crowd for any other User Groups (not in your AD for example), then we can connect to the SAML 2.0 functionality of Crowd as well (on top of AD FS for example).
But from your description it doesn't sound that that would be necessary in your case.

Have a great weekend!

Cheers,
Chris

Jiri Kanicky August 17, 2019

I thought so. We will consider your plugin. Thank you!

Christian Reichert (resolution)
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 17, 2019

Hi!

That's great - feel free to give some of the others a spin too if you like.

The Setup you need is documented in this Step-by-Step Guide with our plugin: https://wiki.resolution.de/doc/saml-sso/latest/all/setup-guides-for-saml-sso/microsoft-ad-fs/ad-fs-with-ldap-user-directory

Or if you just want to have a quick look there is also a Video Tutorial, which would give you a impression: https://youtu.be/CiOAO0vGyzE

Consider to accept the answer if that gives you what you need & the community moderators are always happy if threads get marked as closed once they are complete.

Cheers,
Chris

Jiri Kanicky August 17, 2019

Chris one more question in regards to step:

  1. You install a 3rd Party SAML Plugin on your Server (or DC) instance.
  2. You connect AD via LDAP to your Jira instance (you could also do that via Crowd if you have it anyway, otherwise there is no need for Crowd in this Scenario).
  3. You turn on redirection that all unauthenticated Users are redirected to AD FS.

Is it possible to configure it that unauthenticated users will be presented with login.

We have some users in CROWD directories and these users should use their CROWD login. We would like to have the SSO/SAML from AD FS only for the users who are redirected from the Landing Page.

 

Christian Reichert (resolution)
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 17, 2019

Hi Jiri,

it's not that simple.

Seen from Jira every User is unauthenticated in that case when the User hits Jira for the first time. There is no simple Way to indicate to Jira that the User is already authenticated by AD FS.

It means regardless if the User is authenticated via AD FS already or if it's a User that is supposed to login via Username/Password - it'll look the same to Jira (unauthenticated).

There are multiple Ways you could deal with this:

One Way is to create a special link that you publish on the Portal you mentioned.

If you use a link like

https://YOUR_JIRA_INSTANCE/servlet/samlsso

then the User gets redirected to AD FS & redirected straight back with the SAML response to be logged in. 
If a User to just your JIRA URL he sees the Username / Password login. 

The downside of this Solution is that it doesn't work well for deep links. So if you are 100% sure your AD FS Users only login via the Portal Link (as opposed to deep links in eMail or Bookmarks or typing the base URL in the Browser) - then this could be a Solution.

--

You can also do the reverse - everyone by default get redirected to AD FS unless he is using a special link like:

https://YOUR_JIRA_INSTANCE/login.jsp?nosso

So if you only have very few crowd Users and the vast majority is on AD / AD FS then this may be a resonable solution.

--

If you have many Users on AD FS & and many in crowd, then using somthing like an IdP Selection Page would probably the best solution.

So instead of automatically redirecting the User to AD FS, we will show them a selection Page. Where the User can choose to be redirect to AD FS or login with Username / Password.
This Page is fully customisable so you can put it into a language/verbage that makes sense to your Users.
The Selection will get saved in a cookie, so that you can automatically redirect the User to the same choice in the future.

 

We actually have a short Video Tutorial showing some of these methods (and some others) that our Plugin can do. Maybe worth having a look at this - https://youtu.be/DoNir7eN87o

Cheers,
Chris

Jiri Kanicky August 19, 2019

Hey Chris. Thanks a lot for the help.

I am happy with a solution:

Users will either login through the 3rd party portal or through JIRA login interface.

If they login through 3rd party portal, they will be able to use SSO/SAML to JIRA using the redirection link.

I think that is possible, right?

Christian Reichert (resolution)
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 19, 2019

Yes that is possible.

Just think through all the Situations how people could try to access your Jira, so that you don't miss any paths. In particular for example Servicedesk Mail notifications. You don't want the Users clicking on the EMail notification ending up on the Login prompt & not knowing what to do.

Cheers,
Chris

Lokesh Naktode_miniOrange
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
August 19, 2019

Hi @Jiri Kanicky ,

As stated above, SAML will be one of the best solutions for your use case. In this case, the user doesn't need to reauthenticate themselves to access JIRA Service Desk as they've already authenticated by ADFS while accessing the landing page.

There are multiple SAML SSO plugins on the Atlassian Marketplace, which you can use to achieve your use case. Here is one of them from miniOrange(one of the top SSO vendor in Atlassian Marketplace).

https://marketplace.atlassian.com/apps/1215430/jira-saml-single-sign-on-sso-jira-sso?tab=overview&hosting=datacenter

 

Is it possible to configure it that unauthenticated users will be presented with login? We have some users in Crowd directory and these users should use their Crowd login

==>Yes you can use SAML's Passive SSO concept here. With the Passive SSO, If an unauthenticated user tries to access JIRA, will be redirected to IDP and if his IDP session already exists, he will be logged in to JIRA and if not, then instead of staying on the IDP's login page for authentication, he will be redirected back to the JIRA's login page, where he can authenticate himself with his JIRA/Crowd credential.

 

Feel free to reach out through our customer portal for more details.

 

Thanks,

Lokesh

Jon Espen Ingvaldsen Kantega SSO
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 19, 2019

Hi @Jiri Kanicky 

Another option that can be relevant here is to apply two step login where the login screen ask unauthenticated users for the username only (not password). Then based on the user directory the user belongs to, the authentication mechanism is chosen. Users in a Crowd directory can be asked for password (login as normal), while others are redirected to a SAML idp to complete the authentication there.

The figure below shows how two step login can look in Jira.

Screenshot 2019-08-19 at 16.05.48.png

If you have ADFS, you can also apply kerberos to automatically authenticate users give them a login-free access to Jira / JSD. You can combine kerberos with both SAML and traditional login to optimize the login experience for all users.

As mentioned by @Lokesh Naktode_miniOrange and @Christian Reichert (resolution) , there are many good SSO apps on the marketplace. Full discosure: I work for Kantega SSO, and our app supports both two step login (with user directory redirection to SAML providers) and kerberos. 


Regards,
Jon Espen

Like Jiri Kanicky likes this
Jiri Kanicky September 2, 2019

Hi,

How does you add-on works with CROWD?

https://docs.kantega.no/display/KantegaSSOEnterprise/AD+FS

Where are the users created when using SSO/AD+FS?

  1. Can I select to create users in CROWD Directory?
  2. Do I have to setup AD sync in CROWD Directory before creating ADFS connection?
Jon Espen Ingvaldsen Kantega SSO
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
September 3, 2019

The Kantega SSO Enterprise app is compliant with CROWD user directories.

With SAML SSO and AD FS you can provision users in two ways

1) Just-in-time provisioning - Allows you to add, update and activate users on the fly when they log in. This approach requires that the users exist or can be added to the Jira internal directory.

2) Synchonized user directories (i.e. AD sync in CROWD Directory as you mentions). There are several advantages of this approach, including that users are removed from CROWD / Jira when they are removed from AD (less duplicate user record maintenance).


Note also that if you have AD FS you can also benefit of setting up Kerberos to AD. This works well together with SAML and allow users on trusted networks to be logged in automatically without being exposed to any login dialog at all. We are happy to discuss your case and help you configure the right setup for your needs, and you can book such a screen sharing session with us here: https://kantega-sso.youcanbook.me/

Cheers,
Jon Espen
Kantega SSO 


Like Jiri Kanicky likes this

Comment

Log in or Sign up to comment
TAGS
AUG Leaders

Atlassian Community Events