Hi All,
In a scenario where JIRA and Confluence share an Identity Provider, if a user has logged in via SSO in Confluence... they should be automatically recognised as that user in JIRA,
without any single manual step, e.g. clicking on login again in JIRA.
In the same scenario where the user is not logged in using SSO, the user should have the ability to view the public projects/spaces and sign in via SSO.
The second case is that if the user logs out *anywhere* (that is, Keycloak, JIRA, Confluence or anywhere else that uses the federated login), then they should be logged out in all the federated applications.
Please share your experiences in achieving the above using plugins without any custom coding. Thanks for your time, much appreciated.
Regards
Fayaz
OK just some of my own input on the issue.
Apache's mod_auth_openidc does offer a solution to this problem by using iframes, which of course only works with OpenID Connect (what the module implements).
https://github.com/zmartzone/mod_auth_openidc/wiki/OpenID-Connect-Session-Management
I would guess that any solution for SAML would have to work on the same principles. Do we know if any of the plugins available implement this kind of "Session Management"?
Cheers
Daniel
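The iframe check behind the OpenID Connect Session Management approach linked above, as an added example that is not part of the original posts and is not mod_auth_openidc code. It follows the `session_state` construction given in the OpenID Connect Session Management 1.0 specification; the function names, client ids, origins and browser-state values are hypothetical and constructed for illustration.

```javascript
const { createHash, randomBytes } = require("node:crypto");

// IdP side: session_state handed to each application at login.
// hash(client_id + " " + origin + " " + browser_state + " " + salt) + "." + salt
function computeSessionState(clientId, rpOrigin, opBrowserState,
                             salt = randomBytes(8).toString("hex")) {
  const digest = createHash("sha256")
    .update(`${clientId} ${rpOrigin} ${opBrowserState} ${salt}`)
    .digest("hex");
  return `${digest}.${salt}`;
}

// IdP iframe: answer to the application's postMessage "client_id session_state".
// senderOrigin is the origin of the posting window, so a session_state
// issued to one application does not validate when replayed from another.
function checkSession(message, senderOrigin, currentOpBrowserState) {
  const parts = String(message).split(" ");
  if (parts.length !== 2) return "error";
  const [clientId, sessionState] = parts;
  const dot = sessionState.lastIndexOf(".");
  if (dot <= 0 || dot === sessionState.length - 1) return "error";
  const salt = sessionState.slice(dot + 1);
  const expected = computeSessionState(clientId, senderOrigin,
                                       currentOpBrowserState, salt);
  return expected === sessionState ? "unchanged" : "changed";
}

// Application side: reaction to the iframe's reply (labels are hypothetical).
function rpReaction(reply) {
  switch (reply) {
    case "unchanged": return "keep-session";
    // Silent re-authentication; if it fails, the local session is ended.
    case "changed": return "reauth-prompt-none";
    // The spec forbids prompt=none re-auth on "error" to avoid request loops.
    default: return "end-local-session";
  }
}

// Constructed scenario: login with browser state "bs-1", then IdP logout ("bs-2").
const jiraState = computeSessionState("jira", "https://jira.example.com", "bs-1");
const before = checkSession(`jira ${jiraState}`, "https://jira.example.com", "bs-1");
const after = checkSession(`jira ${jiraState}`, "https://jira.example.com", "bs-2");
console.log(before, "->", rpReaction(before)); // unchanged -> keep-session
console.log(after, "->", rpReaction(after));   // changed -> reauth-prompt-none
```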
I am commenting on this for future readers.
We have a solution to some of these use cases in our plugin, Kantega SSO Enterprise, which is available for Jira, Confluence, Bitbucket and Bamboo Data Center (and still Server until Feb 14 2024).
First of all, we offer session management / Single logout so that a logout from Jira will log the user out from the IDP. However, for OIDC, this will not automatically terminate the session in Confluence, since we only support SP-initiated single logout, and have not implemented the iframe solution above to consume SLO requests from the IDP. In our SAML setup, metadata also allows IDP-initiated single logout, so the case described would probably work, given that the IDP receiving an SLO request from say Jira, will forward SLO to Confluence consuming session terminations.
When it comes to the public content, we have a feature called Forced SSO, which allows login to also trigger on publicly accessible URLs. At the same time, you may also enable something we call "Authenticated Anonymous Browsing". This will allow your user to pass through the SSO flow to verify their session, but still view the content as an anonymous user, i.e. not consume a license to view the public content if they do not yet have a Confluence user.
I hope this comment will be of help to someone somewhere.
Regards,
Elias
Kantega SSO