Okta SSO: Jira redirect to a weird URL if not already logged in Okta

I recently put Jira behind Okta SSO and some users complained, and I was able to reproduce it: when a user is not signed in to Okta, or has timed out from Okta, and he clicks on a Jira ticket link, it will not redirect back to Okta's sign-in page. Instead, it redirects to a URL like the one below and errors out:

https://xyzcompany.com/login.jsp?os_destination=https://xyzcompany.com/jira/browse/CMC-19055

I tried to type in the base URL https://xyzcompany.com/jira, and I got redirected to a URL similar to the one above instead of being redirected to the Okta sign-in page:

https://xyzcompany.com/login.jsp?os_destination=https://xyzcompany.com/jira/secure/MyJiraHome.jspa

Anyone run into this situation?

thanks

2 comments

Yes, we are dealing with the same situation. Have you been able to fix the issue?

[update] We did speak with an Okta Support rep and we were able to get this working.

Get the instructions for your version of installing and configuring Okta for JIRA from the Chiclet and re-configure JIRA. There are some things that aren't explained very well. In the login.jsp, there is the <%@ %> stuff at the beginning; you are supposed to overwrite those values with the ones supplied. And the rules for the urlrewrite are to replace the existing rules in the file. So only one rule should be there.

The last is passing the usernames correctly into JIRA. Our JIRA is set up to use the beginning of a user's email account (kevinlynch from kevinlynch@domain.com). Okta was configured incorrectly and was sending the entire email for authentication and thus not failing the logins.

Go to the Okta Admin panel, click Directory at the top and choose 'Profile Editor'. Click on Mappings for the JIRA chiclet profile. Choose Okta to JIRA. Now at the bottom, type the username used to sign in to Okta. You will see the user right above your typing. Click on it. Now it will show on the right the login value that is being passed to JIRA.

To fix it so that our logins were not trying to put the full email but rather the username at the beginning of the email, enter the following:
String.substringBefore(user.email, "@")
We also had to use the drop down to the right to change the yellow arrow to Green (Apply mapping on user create and update)

Once these steps were done, we could successfully log in with Okta.

NOTE: The only url that would not work directly is the dashboard (because of the login gadget). We chose not to worry about this single url, because the main url and all other links (Issue links, etc.) worked correctly to kick back to okta or allow authentication.

To disable the dashboard login gadget, use https://confluence.atlassian.com/jirakb/howto-hide-the-login-gadget-from-the-system-dashboard-in-jira-6-4-7-790795313.html

Step 5 in the first section should read:
5. Change the value of <admin-editable>false</admin-editable> to <admin-editable>true</admin-editable>
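The username mapping described in the comment above can be checked against a user export before it is applied. This is an added example, not part of the original post or of Okta's or Atlassian's tooling: it mirrors `String.substringBefore(user.email, "@")` in Python and flags emails from different domains that would resolve to the same Jira username, plus emails with no matching Jira account. The function names, the sample data and the case-insensitive comparison are assumptions.

```python
from collections import defaultdict


def substring_before(value, sep):
    """Mirror of the mapping expression above: the text before the first `sep`.
    Assumption: when `sep` is absent, the whole value is returned."""
    idx = value.find(sep)
    return value if idx == -1 else value[:idx]


def audit_mapping(okta_emails, jira_usernames):
    """Apply the mapping to every Okta email and report problems.

    Returns (collisions, unmatched):
      collisions: mapped username -> list of emails that all resolve to it
      unmatched:  emails whose mapped username has no Jira account
    """
    # Assumption: usernames are compared case-insensitively.
    jira = {name.lower() for name in jira_usernames}
    by_name = defaultdict(list)
    for email in okta_emails:
        mapped = substring_before(email.strip(), "@").lower()
        by_name[mapped].append(email)

    # Two identities sharing one mapped name would sign in to the same account.
    collisions = {n: e for n, e in by_name.items() if len(e) > 1}
    unmatched = sorted(
        e for n, emails in by_name.items() if n not in jira for e in emails
    )
    return collisions, unmatched


# Constructed sample data (only kevinlynch@domain.com appears in the thread).
OKTA_EMAILS = [
    "kevinlynch@domain.com",
    "kevinlynch@contractor.example",  # same local part, different domain
    "asmith@domain.com",
    "newhire@domain.com",             # no Jira account yet
]
JIRA_USERNAMES = ["kevinlynch", "asmith"]

if __name__ == "__main__":
    collisions, unmatched = audit_mapping(OKTA_EMAILS, JIRA_USERNAMES)
    for name, emails in collisions.items():
        print(f"COLLISION {name}: {', '.join(emails)}")
    for email in unmatched:
        print(f"NO JIRA ACCOUNT for {email}")
```

A collision means two Okta identities would be presented to Jira as the same user, so resolve those before enabling "Apply mapping on user create and update".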

No. I contacted Jira and they said it's Okta's issue, and Okta said it was a Jira issue. Turned out I had to upgrade Jira to the latest version and get rid of Okta's SSO connector for Jira and use MiniOrange for Jira instead. I think your best bet is to use other SAML tools like MiniOrange for Jira.

Christian Reichert _resolution_
Feb 21, 2018

Hi @zuora-hlau @Kevin Lynch,

I can only confirm your direction of going with another third-party plugin. We've had many customers come on board with us since they experienced issues with the Okta SSO connectors over the years.

There are many plugins to choose from, ranging from free ones to paid ones like ours.

This Marketplace Search should give a reasonable overview: https://marketplace.atlassian.com/search?query=saml


Cheers,
  Christian

Full disclosure, I work for a marketplace vendor.

Were you guys able to fix this issue?
