Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

2FA across Atlassian Tool Set (server not cloud)

Tim Finch
Tim Finch May 22, 2019

Hi,

 

We are looking for a 2FA solution for Jira, Confluence, BitBucket and Bamboo.

All the addons we've trialed so far work, *but* you have to go through 2FA each time you switch between applications.

Is there a 2FA plug in that will allow users to go through the 2FA check once and then switch between aplkications without having to 2FA a second time?

 

Hope that makes sense.

 

Tim

 

Answer
Watch
Like Be the first to like this
659 views

5 answers

1 accepted

0 votes
Answer accepted
Lokesh Naktode_miniOrange
Lokesh Naktode_miniOrange
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
May 23, 2019

Hi @Tim Finch 

As all the application have their own session management you need to verify your credential including 2FA every time when you switch between the applications(in case if you are not logged in to that application)

The best way to achieve your use case will be connecting all the applications to Identity Provider(IDP) Application for Single Sign-on and enable IDP's 2FA on the top of SSO.

You can use SAML plugin for JIRA, Confluence, Bitbucket, and Bamboo to enable SAML SSO into these applications from your IDP and in case if you don't have any IDP, you can take a look into the miniOrange IDP. It supports several 2FA methods like OTP over Email and SMS, Google Authenticator, Push Notification, Hardware tokens, etc.

In this case, If a user is logged in to one of application (for e.g. JIRA ) via SSO and if he switches between application, he doesn't need to reauthenticate himself, he will be logged in directly.

Thanks,
Lokesh

P.S. I work for the miniOrange and if you need any help with the setup, you can contact us at atlassiansupport@miniorange.com or through our customer portal.

Reply
0 votes
Lars Olav Velle _Polar SSO_
Lars Olav Velle _Polar SSO_ June 26, 2020

A few days ago we released a new security app to Atlassian Marketplace called Polar SSO.

In addition to SAML and Kerberos, you get to define policies that encourages or enforces users to add a second factor based on users network location, group membership, login method (password, saml, kerberos) etc. 

A benefit from adding extra verification is that you can log in directly without password using Windows Hello, MacOS Touch ID, Apple watch, Android fingerprint, USB security keys with PIN or fingerprint. In addition you can use the same device to re-verify your identity on WebSudo protected pages (which can be a pain to do every 10 minutes).

You may also further protect your application by defining policies that denies regular password login, while allowing SAML login from untrusted sones.

 

Disclaimer, I work for Polarnight, the vendor behind this app.

-Lars

Reply
0 votes
Martin Beke
Martin Beke August 22, 2019

Hi, 

it is possible to solve this using the Crowd server?

I mean, for our company we are using the crowd server SSO and we need at the same time use to 2FA.

Actually, we're using Secure Login for JIRA and Confluence but when switch application we must enter PIN separately like @Tim Finch mentions above.

Thanks for any solutions

Regards

Reply
0 votes
Ed Letifov _TechTime - New Zealand_
Ed Letifov _TechTime - New Zealand_
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
May 22, 2019

There are no add-ons like that on Atlassian Marketplace.

Your only option is to delegate this check to an external party, usually a SAML IdP via SAML SSO app/add-on like our EasySSO or any other SAML app - from re:solution, Kantega or others... 

I have to point out that from security point of view there is nothing bad about having to do 2FA the second time. You should also configure your 2FA to not challenge internal users, or in the case of EasySSO, you can integrate SecureLogin 2FA so when users are coming in via SSO (from the office via NTLM or Kerberos with no credentials being asked, or from outside via SAML IdP that may have already done the 2FA) - there is no local 2FA.

Reply
0 votes
JP _AC Bielefeld Leader_
JP _AC Bielefeld Leader_
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
May 22, 2019

Hi,

what addons did you try? Did you get a solution for both: 2FA & SSO?

Best

JP

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

    See all events