Integrate Jira with Keycloak (plugin SSO for Atlassian Server and Data Center)

Christos Moysiadis
January 31, 2020

Hello community, 

Lately I had a request about integrating Jira SSO (with the OpenID protocol) with Keycloak. As always, I am doing some tests in my test environment before I implement the solution for the client. I have installed the latest Jira v8.6.1 (https://localhost:8443/), so I can use the internal plugin from Atlassian, "SSO for Atlassian Server and Data Center", and also the Keycloak standalone server (https://localhost:8442/).

The plugin itself provides me these two links to give to the identity provider (pic is from the Jira plugin).

[Screenshot: 2020-01-31 10_42_06-SSO 2.0 - Jiratest.png]

The first link I assume I have put in correctly (pic is from Keycloak / Client section).

[Screenshot: 2020-01-31 10_47_31-Keycloak Admin Console.png]

  • But what about the second one?

Apart from this, when I use this link, which is provided by the plugin:

[Screenshot: 2020-01-31 10_53_15-SSO 2.0 - Jiratest.png]

  1. It redirects me to the Keycloak login page (which I assume is correct).
  2. I provide the credentials of a user who exists both in Jira and Keycloak with the same name:password combination.
  3. After this, it redirects me back to Jira without being logged in, and I receive this error message: [Screenshot: 2020-01-31 10_58_34-We had trouble logging you in. - Jiratest.png]
  4. In Tomcat I see this log:
    31-Jan-2020 10:41:41.619 WARNING [https-jsse-nio-8443-exec-22] com.sun.jersey.spi.container.servlet.WebComponent.filterFormParameters A servlet request, to the URI https://localhost:8443/rest/activity-stream/1.0/preferences?_=1580463700444, contains form parameters in the request body but the request body has been consumed by the servlet or a servlet filter accessing the request parameters. Only resource methods using @FormParam will work as expected. Resource methods consuming the request body by other means will not work as expected.

I don't know if I have to configure the seraph-config.xml or the web.xml or something else, so I request your knowledge if any of you knows :) If you need more information, I am happy to provide it.

Thanks in advance,
CM

 

PS. I know that there is already a plugin which does this work more easily, "Jira Enterprise SSO with Keycloak", but I want to use the free tool first.

1 answer

0 votes
Christos Moysiadis
January 31, 2020

Almost self-solved question...

  1. First I enabled the dark features option to get more logs from Tomcat: "-Datlassian.darkfeature.atlassian.authentication.include.stacktrace.in.error.messages=true".
  2. Yes, both Jira & Keycloak are using HTTPS, but I forgot to put the certificates in each other's keystore.
  3. Last but not least, it was how Jira claims the username from Keycloak. This should be configured in Jira to claim the value from the "Token Claim Name", which is preferred_username, and not, as I assumed, username or name :).
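
The claim mismatch from step 3 of the answer above, as an added example that is not part of the original post or of the plugin's code: it decodes a constructed ID token and reports what each candidate claim name would resolve to. It assumes Keycloak's default "profile" scope mappers; the realm name, user, and helper names are placeholders, and the token signature is deliberately not verified because this is a diagnostic only.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(id_token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_username_claim(id_token: str, claim: str, jira_usernames: set) -> str:
    """Return what a login would hit if `claim` were mapped to the Jira username."""
    value = decode_claims(id_token).get(claim)
    if value is None:
        return "missing"        # claim not in the token at all
    if value not in jira_usernames:
        return "no-such-user"   # claim present, but not a Jira username
    return "ok"


# Constructed sample: claims shaped like a Keycloak ID token with the default
# "profile" scope mappers (assumption). Realm and user are placeholders.
SAMPLE_CLAIMS = {
    "iss": "https://localhost:8442/auth/realms/EXAMPLE-REALM",
    "sub": "00000000-0000-0000-0000-000000000000",
    "preferred_username": "jdoe",
    "name": "Jane Doe",
    "given_name": "Jane",
    "family_name": "Doe",
}
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    b64url(b"constructed-signature-not-checked"),
])
JIRA_USERS = {"jdoe"}  # constructed: usernames that exist in Jira

if __name__ == "__main__":
    for claim in ("username", "name", "preferred_username"):
        print(f"{claim:20} -> {check_username_claim(SAMPLE_TOKEN, claim, JIRA_USERS)}")
```
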
