Okta SSO: Jira redirects to a weird URL if not already logged in to Okta

I recently put Jira behind Okta SSO, and some users complained. I was able to reproduce it: when a user is not signed in to Okta, or has timed out from Okta, and he clicks on a Jira ticket link, it will not redirect back to Okta's sign-in page. Instead, it redirects to a URL like the one below and errors out:

https://xyzcompany.com/login.jsp?os_destination=https://xyzcompany.com/jira/browse/CMC-19055

I tried typing in the base URL https://xyzcompany.com/jira, and I got redirected to a URL similar to the one above instead of being redirected to the Okta sign-in page:

https://xyzcompany.com/login.jsp?os_destination=https://xyzcompany.com/jira/secure/MyJiraHome.jspa

Has anyone run into this situation?

Thanks

1 comment

Yes, we are dealing with the same situation. Have you been able to fix the issue?

[update] We did speak with an Okta Support rep and we were able to get this working.

Get the instructions for your version of installing and configuring Okta for JIRA from the Chiclet and re-configure JIRA. There are some things that aren't explained very well. In the login.jsp, there is the <%@ %> stuff at the beginning; you are supposed to overwrite those values with the ones supplied. And the rule for the urlrewrite is to replace the existing rules in the file, so only one rule should be there.

The last is passing the usernames correctly into JIRA. Our JIRA is set up to use the beginning of a user's email account (kevinlynch from kevinlynch@domain.com). Okta was configured incorrectly and was sending the entire email for authentication and thus not failing the logins.

Go to the Okta Admin panel, click Directory at the top and choose 'Profile Editor'. Click on Mappings for the JIRA chiclet profile. Choose Okta to JIRA. Now at the bottom, type the username used to sign in to Okta. You will see the user right above your typing. Click on it. Now it will show on the right the login value that is being passed to JIRA.

To fix it so that our logins were not trying to put the full email but rather the username at the beginning of the email, enter the following:
String.substringBefore(user.email, "@")
We also had to use the drop-down to the right to change the yellow arrow to green (Apply mapping on user create and update).

Once these steps were done, we could successfully log in with Okta.

NOTE: The only URL that would not work directly is the dashboard (because of the login gadget). We chose not to worry about this single URL, because the main URL and all other links (issue links, etc.) worked correctly to kick back to Okta or allow authentication.

To disable the dashboard login gadget, use https://confluence.atlassian.com/jirakb/howto-hide-the-login-gadget-from-the-system-dashboard-in-jira-6-4-7-790795313.html

Step 5 in the first section should read:
5. Change the value of <admin-editable>false</admin-editable> to <admin-editable>true</admin-editable>
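
An added example, not part of the original answer and not Okta's or Atlassian's code: a mapping that keeps only the text before the "@" sends the same username for two addresses that differ only in domain, so it is worth auditing a directory export before applying it. The Python below mirrors the expression's before-the-first-"@" behaviour; the sample addresses are constructed, and comparing usernames case-insensitively is an assumption.

```python
from collections import defaultdict

# Constructed sample directory export (not real accounts).
SAMPLE_EMAILS = [
    "kevinlynch@domain.com",
    "KevinLynch@contractor.example",   # same local part, different domain
    "harry.lau@domain.com",
    "svc-build",                       # no "@" at all
    "@domain.com",                     # empty local part
]


def mapped_username(email):
    """Local part before the first "@", or None if the mapping cannot
    produce a usable name (no "@", or nothing before it)."""
    local, sep, _ = email.strip().partition("@")
    if not sep or not local:
        return None
    return local


def audit_mapping(emails):
    """Return (collisions, unmappable) for a list of email addresses.

    collisions: {username: [emails...]} where more than one address maps
    to the same username. Names are compared lower-cased, on the
    assumption that the application treats usernames case-insensitively.
    """
    by_name = defaultdict(list)
    unmappable = []
    for email in emails:
        name = mapped_username(email)
        if name is None:
            unmappable.append(email)
        else:
            by_name[name.lower()].append(email)
    collisions = {n: e for n, e in by_name.items() if len(e) > 1}
    return collisions, unmappable


if __name__ == "__main__":
    collisions, unmappable = audit_mapping(SAMPLE_EMAILS)
    for name, emails in sorted(collisions.items()):
        print(f"COLLISION {name}: {', '.join(emails)}")
    for email in unmappable:
        print(f"UNMAPPABLE {email!r}")
```

Any address reported as a collision or as unmappable needs an explicit username decision before the mapping is switched to apply on user create and update.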

No. I contacted Jira and they said it's Okta's issue, and Okta said it was a Jira issue. It turned out I had to upgrade Jira to the latest version and get rid of Okta's SSO connector for Jira and use MiniOrange for Jira instead. I think your best bet is to use other SAML tools like MiniOrange for Jira.

Hi @Harry Lau @Kevin Lynch,

I can only confirm your direction, going with another third-party plugin. We've had many customers coming on board with us since they experienced issues with the Okta SSO connectors over the years.

There are many plugins to choose from, ranging from free ones to paid ones like ours.

This Marketplace Search should give a reasonable overview: https://marketplace.atlassian.com/search?query=saml


Cheers,
  Christian

Full disclosure, I work for a marketplace vendor.
