Authenticating users against Jira/LDAP from internal apps (web and command line) in a secure way

Toni Takei March 27, 2019

We have an on-premises Jira server instance which is configured to use native authentication. We also have several internally developed web applications that use the Jira REST API for automation and data exchange with this Jira instance. There is a desire to move from Jira native authentication to Active Directory-based authentication for a variety of reasons. Some stakeholders within my team have raised concerns that this approach would pose a security/privacy risk because the users of our internal web applications would then be required to enter their Windows network credentials to authenticate with Jira, and there is a possibility that these credentials would inadvertently or maliciously get logged to a debug or audit log, or somehow find their way into the wrong hands.

We also have some command line test scripts that are independent of the aforementioned web apps that also talk to Jira and would be in the same boat when it comes to LDAP authentication.

I am sure that this is not a new problem for many users on this community forum. My questions:

  1. If you or your company have been in this situation, how did you address it?
  2. Does Atlassian have a solution that would allow apps such as our internal web apps to authenticate against Jira (using LDAP) without “seeing” the credentials?
  3. Are there any third party tools on Atlassian marketplace or elsewhere that would take care of both the use cases above (web apps, as well as command-line scripts)?

Thanks,

Toni

2 answers

0 votes
Peter DeWitt
Community Leader
March 27, 2019

@Toni Takei, my company has a policy of Secure-by-Design, so we have looked at this and deal with it currently. We use Okta for SSO. Okta provides a .jar app that sits in front of Jira and handles auth. The only thing I have ever seen in the logs is that a user has authenticated or was already authenticated.

As far as internal applications or services that need API access, as long as the server only accepts SSL connections the data / passwords / accounts are safe. We maintain our service account locally within Jira. If you don't want to go the username/password route with those service accounts, try looking into OAuth for your connection. We use this in the case of our Jenkins integration. My security people seem happy with this; maybe yours will be too? :)

-pjd
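The thread's concern is that a user's Windows password, once handed to an internal app that talks to Jira with username/password, can end up in a debug log. The following Python is an added example (not code from this thread, from Atlassian or from Okta) that makes that concrete: it shows that an HTTP Basic `Authorization` header is trivially decodable by anyone who can read the log, and it adds a `logging` filter that scrubs Basic/Bearer/OAuth headers and `password` fields before they are written. The host name `jira.example.internal`, the user `toni`, the password `hunter2` and the sample debug lines are all constructed for the example. The filter is defence in depth for the username/password route Peter mentions; the stronger fix, as both answers say, is an auth method (SSO, OAuth, Kerberos) under which the app never holds the password at all.

```python
"""Added example (not code from the thread or from Atlassian): why a basic-auth
Jira client hands the user's password to any debug log that records request
headers, and a logging filter that scrubs such values before they are written.
Host names, user names, passwords and the log lines are constructed."""
import base64
import logging
import re
from typing import List, Optional, Tuple


def basic_auth_header(username: str, password: str) -> str:
    """Authorization header value an HTTP Basic client sends to Jira."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_basic_credentials(header_value: str) -> Optional[Tuple[str, str]]:
    """Basic is encoding, not encryption: whoever reads the log gets the password."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None  # Bearer/OAuth values carry tokens or signatures, not a password
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# Three ways credentials commonly surface in an HTTP client's debug output.
PLAIN_AUTH_HEADER = re.compile(r"(?i)(authorization\s*:\s*)(basic|bearer|oauth)\s+[^\r\n]*")
QUOTED_AUTH_HEADER = re.compile(r"(?i)(['\"]authorization['\"]\s*:\s*['\"])[^'\"]*")
PASSWORD_FIELD = re.compile(r"(?i)(['\"]?password['\"]?\s*[:=]\s*['\"]?)[^'\"&,\s}]+")


def redact(text: str) -> str:
    """Replace credential material with a marker, keeping the surrounding context."""
    text = PLAIN_AUTH_HEADER.sub(r"\g<1>\g<2> [REDACTED]", text)
    text = QUOTED_AUTH_HEADER.sub(r"\g<1>[REDACTED]", text)
    text = PASSWORD_FIELD.sub(r"\g<1>[REDACTED]", text)
    return text


class RedactingFilter(logging.Filter):
    """Scrubs the formatted message before any handler on the logger sees it.

    Attach it to the logger rather than a handler so every handler benefits.
    Logger-level filters do not apply to records propagated from child loggers,
    so attach it to each logger the HTTP client library actually writes to.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class _ListHandler(logging.Handler):
    """Collects formatted records in memory so the result can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def scrubbed_log_output(debug_lines: List[str]) -> List[str]:
    """Push debug lines through a logger carrying the filter; return what is written."""
    logger = logging.getLogger("jira.client.example")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    for line in debug_lines:
        logger.debug("%s", line)
    return handler.lines


# Constructed debug lines in the style of an HTTP client library's wire log.
SAMPLE_DEBUG_LINES = [
    "GET https://jira.example.internal/rest/api/2/myself",
    "Authorization: " + basic_auth_header("toni", "hunter2"),
    'POST https://jira.example.internal/rest/auth/1/session body={"username": "toni", "password": "hunter2"}',
    "headers={'Authorization': 'Basic dG9uaTpodW50ZXIy', 'Accept': 'application/json'}",
    'Authorization: OAuth oauth_consumer_key="jira-bot", oauth_signature_method="RSA-SHA1", '
    'oauth_token="abc123", oauth_signature="c2lnbmF0dXJl"',
]

if __name__ == "__main__":
    print("recovered from a logged Basic header:",
          recover_basic_credentials(basic_auth_header("toni", "hunter2")))
    for line in scrubbed_log_output(SAMPLE_DEBUG_LINES):
        print(line)
```

Two practical notes. First, the OAuth line in the sample is redacted too, but even unredacted it would not give an attacker the user's password: an OAuth 1.0a header carries a token and a per-request signature, which is the property that makes the OAuth route Peter suggests safer than Basic for service accounts. Second, a scrubbing filter only catches patterns you anticipated; the reason to move to SSO/OAuth is that there is then no password in the app's memory to leak in the first place.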

0 votes
Jon Espen Ingvaldsen Kantega SSO
Rising Star
March 27, 2019

Hi @Toni Takei .

I can answer your third question as I am from one of the marketplace vendors giving Active Directory users password-free access to Jira on trusted networks.

It is good that your organization and colleagues are concerned about the privacy and security risk of user credentials being exposed in various system logs. I can guarantee you that we never expose user credentials in any log. Our add-on, Kantega SSO, can also be configured to not interfere with REST API communication (typically handled through IP filters).

Password-free Windows authentication (Kerberos) is supported by Active Directory directly, and it can be set up in combination with traditional username/password login and other SSO mechanisms such as SAML, together making sure that all users get a secure and user-friendly login experience from any location, and also handling communication with integrated applications.

Could you explain a bit about what your command line scripts do and how they interact with Jira?

Regards,
Jon Espen
