We have some contractors that we add to our JIRA and Confluence apps that use their full email address for logins, but our employees all use the username portion of the email address for the JIRA username. Our SSO provider (OneLogin) is sparse on documentation on this, but I can only select one option for default username. I'd love it if it was possible to have a "Hybrid" login where I could log in directly to the JIRA app with one URL, and through OneLogin by default.
Is this possible?
Thanks so much.
To be clear, I would be using SAML 2.0 auth for login. I know that I can create users, but what I'm concerned with is whether those users that are using non-standard logins without access to our SSO provider, will be able to reach Jira. In other words, is it all or nothing with respect to SAML-based SSO login? Or is it possible to log in using SSO or Jira Authentication based entirely on user preference?
Missing from Robert Anthony's answer is how to get the user's authentication interaction to happen outside of the configured SSO process, particularly if you have selected the option "Use SAML as primary authentication". I found a clue for a passable workaround in the accepted answer to this other question:
So, assuming an MS Windows installation: after you have created your limited, internal directory user and set a password, then you could create a special desktop shortcut that utilizes the os_authType=basic or os_username and os_password URL parameters to sort of preempt the SSO login process.
Note, though, the cautions about security in the cited accepted answer. So maybe you would only use os_authType=basic + SSL, or in the latter case, if the consultant is helping you out with Jira admin itself, put this special, not-so-secure shortcut on the application server's desktop (to which the consultant perhaps has RDP access) and use localhost in the URL to minimize exposure.
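The exposure of the os_username/os_password form, as an added example that is not part of the original answer: credentials sent as URL parameters are recorded in web server and proxy access logs. This Python script scans access-log lines for such requests and redacts the password; the log lines, addresses and account name are constructed samples, and the combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Request part of a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SENSITIVE = {"os_password"}  # parameter named in the answer above

def inspect_line(line):
    """Return (finding, redacted_line); finding is None when nothing leaked."""
    m = REQUEST_RE.search(line)
    if not m:
        return None, line
    parts = urlsplit(m.group("target"))
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not any(name in SENSITIVE for name, _ in params):
        return None, line  # e.g. os_authType=basic keeps credentials out of the URL
    user = next((v for k, v in params if k == "os_username"), None)
    redacted_query = urlencode(
        [(k, "REDACTED" if k in SENSITIVE else v) for k, v in params]
    )
    target = urlunsplit(parts._replace(query=redacted_query))
    redacted = line[:m.start("target")] + target + line[m.end("target"):]
    return {"user": user, "path": parts.path}, redacted

def scan(lines):
    """Collect findings and a redacted copy of the log."""
    findings, cleaned = [], []
    for line in lines:
        finding, redacted = inspect_line(line)
        if finding:
            findings.append(finding)
        cleaned.append(redacted)
    return findings, cleaned

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /secure/Dashboard.jspa'
    '?os_username=contractor1&os_password=S3cret%21 HTTP/1.1" 200 5120',
    '203.0.113.8 - - [10/Oct/2023:13:56:01 +0000] "GET /secure/Dashboard.jspa'
    '?os_authType=basic HTTP/1.1" 401 312',
    '203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 8841',
]

if __name__ == "__main__":
    found, cleaned_log = scan(SAMPLE_LOG)
    for f in found:
        print(f"password in URL for user {f['user']} at {f['path']}")
```

Any account that turns up in the findings has had its password written to disk in clear text, so rotate that password after redacting the log.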
This question should really be raised with the SSO provider (i.e. OneLogin).
It also really depends on what you understand as "single sign-on" as there are many interpretations that vary from "the same as my AD account" to "fill a login form once in one application then be able to switch to another" to "recognize the application and fill the user/password automatically once I log in to my provider service" to "log in to your workstation and be able to open the applications without having to enter user/password again".
I understand that OneLogin does provide the latter, branded as "Integrated Desktop SSO", i.e. Integrated Windows Authentication. This is where the fallback URL ability becomes important.
Ours ("EasySSO for JIRA" - an implementation of Integrated Windows Authentication, i.e. true password-less login in a Windows environment) allows you to use a non-SSO URL where it would revert back to the regular JIRA login screen. Others may do this as well.
Yes, this sounds like something we support.
With our add-on you can use Kerberos, SAML, or both in combination.
If both Kerberos and SAML are configured, then Kerberos is tried first. If the client does not support Kerberos, then the username field is displayed. If you type an internal username, then the password dialogue is shown, otherwise you will be redirected to your IDP for authentication.
We support JIRA mobile, JIRA Service Desk etc, and there is no need for any file system modifications.
Have a look at https://marketplace.atlassian.com/search?query=kantega
We are always happy to help out. Email us at SSO@kantega.no