Single Sign On & Single Sign Off using SAML/OIDC plugins on multiple Atlassian tools transparently

fayaz jira July 29, 2019

Hi All,

In a scenario where JIRA and Confluence share an Identity Provider, if a user has logged in via SSO in Confluence, they should be automatically recognised as that user in JIRA without a single manual step, e.g. clicking on login again in JIRA.

In the same scenario, where the user is not logged in using SSO, the user should have the ability to view the public projects/spaces and sign in via SSO.

 

The second case is that if the user logs out *anywhere* (that is, Keycloak, JIRA, Confluence or anywhere else that uses the federated login), they should be logged out of all the federated applications.

 

Please share your experiences in achieving the above using plugins without any custom coding. Thanks for your time, much appreciated.

 

Regards

Fayaz

3 comments

Daniel Varela Santoalla July 29, 2019

We have the same problem. A number of plugins allow for automatic and "transparent" login, but only if no anonymous access is required. If we have to enable anonymous access to some content (i.e. without requiring login), then JIRA doesn't know that the user has logged in at the Identity Provider and has already been recognized by Confluence at this point.

Has anyone managed to crack this problem? This scenario seems to work fine with mod_auth_openidc, for example.

Daniel

Daniel Varela Santoalla July 30, 2019

OK just some of my own input on the issue.

Apache's mod_auth_openidc does offer a solution to this problem by using iframes, which of course only works with OpenID Connect (what the module implements).

https://github.com/zmartzone/mod_auth_openidc/wiki/OpenID-Connect-Session-Management

I would guess that any solution for SAML would have to work on the same principles. Do we know if any of the plugins available implement this kind of "Session Management"?

Cheers

Daniel

I am commenting on this for future readers.
We have a solution to some of these use cases in our plugin, Kantega SSO Enterprise, which is available for Jira, Confluence, Bitbucket and Bamboo Data Center (and still Server until Feb 14 2024).

First of all, we offer session management / Single logout so that a logout from Jira will log the user out from the IDP. However, for OIDC, this will not automatically terminate the session in Confluence, since we only support SP-initiated single logout, and have not implemented the iframe solution above to consume SLO requests from the IDP. In our SAML setup, metadata also allows IDP-initiated single logout, so the case described would probably work, given that the IDP receiving an SLO request from, say, Jira will forward SLO to Confluence consuming session terminations.


When it comes to the public content, we have a feature called Forced SSO, which allows login to trigger also on publicly accessible URLs. At the same time, you may also enable something we call "Authenticated Anonymous Browsing". This will allow your user to pass through the SSO flow to verify their session, but still view the content as an anonymous user, i.e. not consume a license to view the public content if they do not yet have a Confluence user.

I hope this comment will be of help to someone somewhere.

Regards,
Elias
Kantega SSO
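
The iframe-based OpenID Connect Session Management that the comments above link to and refer to works by having each application's hidden iframe ask the identity provider's iframe whether the login state has changed. The sketch below is an added example, not code from this thread, from mod_auth_openidc or from any plugin; it follows the example `session_state` computation in the OpenID Connect Session Management 1.0 specification, runs under Node.js instead of in a browser, and every client ID, origin and cookie value in it is constructed.

```javascript
// Added illustration of the OP-iframe check from OpenID Connect Session Management 1.0.
// In a browser this logic sits in the OP iframe's "message" event handler.
// All client IDs, origins and cookie values below are constructed sample values.
const nodeCrypto = require("crypto");

// session_state = SHA256(client_id + " " + origin + " " + opBrowserState + " " + salt) + "." + salt
function computeSessionState(clientId, rpOrigin, opBrowserState, salt) {
  const hash = nodeCrypto
    .createHash("sha256")
    .update(`${clientId} ${rpOrigin} ${opBrowserState} ${salt}`)
    .digest("hex");
  return `${hash}.${salt}`;
}

// Answer the OP iframe gives when an RP iframe posts "client_id session_state".
// messageOrigin must be the browser-supplied event.origin, never a value taken
// from the message body, so a state issued to one origin is useless to another.
function opIframeCheck(messageData, messageOrigin, currentOpBrowserState) {
  const parts = String(messageData).split(" ");
  if (parts.length !== 2) return "error";
  const [clientId, sessionState] = parts;
  const dot = sessionState.indexOf(".");
  if (dot <= 0 || dot === sessionState.length - 1) return "error";
  const salt = sessionState.slice(dot + 1);
  const expected = computeSessionState(clientId, messageOrigin, currentOpBrowserState, salt);
  const a = Buffer.from(expected);
  const b = Buffer.from(sessionState);
  const same = a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
  return same ? "unchanged" : "changed";
}

// Constructed scenario: Jira and Confluence are two relying parties of one OP.
function demo() {
  const jira = { clientId: "jira-client", origin: "https://jira.example.test" };
  const conf = { clientId: "confluence-client", origin: "https://confluence.example.test" };
  let opCookie = "opbs-1f3a"; // OP browser state while the user is logged in
  const jiraState = computeSessionState(jira.clientId, jira.origin, opCookie, "s1");
  const confState = computeSessionState(conf.clientId, conf.origin, opCookie, "s2");
  const before = opIframeCheck(`${jira.clientId} ${jiraState}`, jira.origin, opCookie);
  opCookie = "opbs-logged-out"; // the user logs out at the OP, from anywhere
  const jiraAfter = opIframeCheck(`${jira.clientId} ${jiraState}`, jira.origin, opCookie);
  const confAfter = opIframeCheck(`${conf.clientId} ${confState}`, conf.origin, opCookie);
  return { before, jiraAfter, confAfter };
}

console.log(demo());
```

On a "changed" answer, the specification has the relying party repeat the authentication request with `prompt=none` and end its local session if that fails, which is what propagates a logout to every application polling the same OP.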
