Can I set up SSO, but still retain Jira login for some Users that don't use SSO?

RMN_IT August 31, 2015

We have some contractors that we add to our JIRA and Confluence apps that use their full email address for logins, but our employees all use the username portion of the email address for the JIRA username.  Our SSO provider (OneLogin) is sparse on documentation on this, but I can only select one option for default username.  I'd love it if it was possible to have a "Hybrid" login where I could log in directly to the JIRA app with one URL, and through OneLogin by default. 

Is this possible?

Thanks so much.

3 answers

1 vote
Robert Anthony August 31, 2015

Hi there!

This is totally possible, for users needing the non SSO login you need to create a new user via the user management area and add the email address there. I hope this helps!

RMN_IT September 1, 2015

To be clear, I would be using SAML 2.0 auth for login. I know that I can create users, but what I'm concerned with is whether those users that are using non-standard logins without access to our SSO provider, will be able to reach Jira. In other words, is it all or nothing with respect to SAML-based SSO login? Or is it possible to log in using SSO or Jira Authentication based entirely on user preference?

Justin Warwick November 12, 2019

Missing from Robert Anthony's answer is how to get users authentication interaction to happen outside of the configured SSO process, particularly if you have selected the option "Use SAML as primary authentication". I found a clue for a passable work around in the accepted answer to this other question:

https://community.atlassian.com/t5/Jira-questions/Passing-username-and-password-via-URL-to-jira/qaq-p/16679

So, assuming an MS Windows installation: after you have created your limited, internal directory user and set a password, then you could create a special desktop shortcut that utilizes the os_authType=basic or os_username and os_password URL parameters to sort of preempt the SSO login process.

e.g.,  

https://localhost:8443/secure/admin/ViewApplicationProperties.jspa?os_username=consultingadmin&os_password=S3creTpa55w0rd

Note, though, the cautions about security in the cited accepted answer. So maybe you would only use os_authType=basic + SSL, or in the latter case, if the consultant is helping you out with Jira admin itself, put this special, not-so-secure shortcut on the application server's desktop, (to which the consultant perhaps has RDP access) and use localhost in the URL to minimize exposure.

Like # people like this
0 votes
Lars Olav Velle
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
April 19, 2017

Yes, this sounds like somethig we support.

With our add-on you can use Kerberos, SAML or in combination.


If both Kerberos and SAML are configured, then Kerberos is tried first. If the client does not support Kerberos, then the username filed is diplayed. If you type an internal username, then the password dialogue is shown, otherwise you will be redirected to your IDP for authentication.

We support JIRA mobile, JIRA Service Desk etc, and there is no need for any file system modifications.

Have a look at https://marketplace.atlassian.com/search?query=kantega 

We are always happy to help out. Email us at SSO@kantega.no

0 votes
Ed Letifov _TechTime - New Zealand_
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 31, 2015

This question should really be raised with SSO Provider (i.e. OneLogin).

It also really depends on what you understand as "single sign-on" as there are many interpretations that vary from "the same as my AD account" to "fill a login form once in one application then be able to switch to another" to "recognize the application and fill the user/password automatically once I login in to my provider service" to "login into your workstation an be able to open the applications without having to enter user/password again".

I understand that OneLogin does provide the later branded as "Integrated Desktop SSO" i.e. Integrated Windows Authentication. This is where the fallback URL ability becomes important.

Ours ("EasySSO for JIRA" - an implementation of Integrated Windows Authentication i.e. true password-less login in Windows environment) allows to use a non-SSO url where it would revert back to regular JIRA login screen. Others may do this as well.

Suggest an answer

Log in or Sign up to answer