Okta SSO: Jira redirects to a weird URL if not already logged in to Okta

zuora-hlau April 21, 2017

I recently put Jira behind Okta SSO and some users complained, and I was able to reproduce it: when a user is not signed in to Okta, or has timed out from Okta, and clicks on a Jira ticket link, it does not redirect back to Okta's sign-in page. Instead, it redirects to a URL like the one below and errors out:

https://xyzcompany.com/login.jsp?os_destination=https://xyzcompany.com/jira/browse/CMC-19055

I tried typing in the base URL https://xyzcompany.com/jira and got redirected to a URL similar to the one above instead of being redirected to the Okta sign-in page:

https://xyzcompany.com/login.jsp?os_destination=https://xyzcompany.com/jira/secure/MyJiraHome.jspa

Has anyone run into this situation?

Thanks

2 comments

Kevin Lynch February 14, 2018

Yes, we are dealing with the same situation. Have you been able to fix the issue?

[update] We did speak with an Okta Support rep and we were able to get this working.

Get the instructions for your version of installing and configuring Okta for JIRA from the Chiclet and re-configure JIRA. There are some things that aren't explained very well. In the login.jsp, there is the <%@ %> stuff at the beginning; you are supposed to overwrite those values with the ones supplied. And the rule for the urlrewrite is to replace the existing rules in the file. So only one rule should be there.

The last is passing the usernames correctly into JIRA. Our JIRA is set up to use the beginning of a user's email account (kevinlynch from kevinlynch@domain.com). Okta was configured incorrectly and was sending the entire email for authentication and thus not failing the logins.

Go to the Okta Admin panel, click Directory at the top and choose 'Profile Editor'. Click on Mappings for the JIRA chiclet profile. Choose Okta to JIRA. Now at the bottom, type the username used to sign in to Okta. You will see the user right above your typing. Click on it. Now it will show, on the right, the login value that is being passed to JIRA.

To fix it so that our logins were not trying to put the full email but rather the username at the beginning of the email, enter the following:
String.substringBefore(user.email, "@")
We also had to use the drop-down to the right to change the yellow arrow to green (Apply mapping on user create and update).

Once these steps were done, we could successfully log in with Okta.

NOTE: The only URL that would not work directly is the dashboard (because of the login gadget). We chose not to worry about this single URL, because the main URL and all other links (issue links, etc.) worked correctly to kick back to Okta or allow authentication.

To disable the dashboard login gadget, use https://confluence.atlassian.com/jirakb/howto-hide-the-login-gadget-from-the-system-dashboard-in-jira-6-4-7-790795313.html

Step 5 in the first section should read:
5. Change the value of <admin-editable>false</admin-editable> to <admin-editable>true</admin-editable>
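
An added example, not part of the post above or of Okta's or Atlassian's tooling: a pre-flight audit for the `String.substringBefore(user.email, "@")` mapping that flags emails which collapse to the same JIRA login, logins with no matching JIRA account, and values without a usable "@". The sample data is constructed, and the case-insensitive comparison and the behaviour when "@" is absent are assumptions of this local model.

```python
from collections import defaultdict


def substring_before(value, sep):
    """Local model of String.substringBefore(value, sep).

    Assumption: if sep is absent, the whole value is returned.
    """
    idx = value.find(sep)
    return value if idx == -1 else value[:idx]


def audit_mapping(emails, jira_usernames):
    """Return (mapped, collisions, unmatched, malformed) for the mapping."""
    # Assumption: logins are compared case-insensitively.
    known = {u.lower() for u in jira_usernames}
    by_login = defaultdict(list)
    malformed = []
    for email in emails:
        # Exactly one "@" with a non-empty local part is required.
        if email.count("@") != 1 or email.startswith("@"):
            malformed.append(email)
            continue
        by_login[substring_before(email, "@").lower()].append(email)
    # Two identities landing on one login would share a JIRA account.
    collisions = {k: v for k, v in by_login.items() if len(v) > 1}
    # Logins JIRA does not know will fail after the SSO hand-off.
    unmatched = sorted(k for k in by_login if k not in known)
    mapped = {e: k for k, v in by_login.items() for e in v}
    return mapped, collisions, unmatched, malformed


# Constructed sample data (not from the thread).
OKTA_EMAILS = [
    "kevinlynch@domain.com",
    "kevinlynch@contractor.example",
    "Jane.Doe@domain.com",
    "svc-build",
]
JIRA_USERNAMES = ["kevinlynch", "jdoe"]

if __name__ == "__main__":
    mapped, collisions, unmatched, malformed = audit_mapping(
        OKTA_EMAILS, JIRA_USERNAMES)
    print("collisions:", collisions)
    print("unmatched :", unmatched)
    print("malformed :", malformed)
```
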

zuora-hlau February 14, 2018

No. I contacted Jira; they said it's Okta's issue, and Okta said it was a Jira issue. It turned out I had to upgrade Jira to the latest version, get rid of Okta's SSO connector for Jira, and use MiniOrange for Jira instead. I think your best bet is to use other SAML tools like MiniOrange for Jira.

Christian Reichert (resolution)
February 21, 2018

Hi @zuora-hlau, @Kevin Lynch,

I can only confirm your direction of going with another third-party plugin. We've had many customers come on board with us since they experienced issues with the Okta SSO connectors over the years.

There are many plugins to choose from, ranging from free ones to paid ones like ours.

This Marketplace Search should give a reasonable overview: https://marketplace.atlassian.com/search?query=saml


Cheers,
  Christian

Full disclosure, I work for a marketplace vendor.

Shyam February 13, 2020

Were you guys able to fix this issue?
