We have an on-prem clustered environment of Jira Datacenter. We are looking to start using SSO 2.0 (baked in version) using Azure as our idp. In a test environment, I have this working but only when I click on the Log In link at the top. Is there a way to use this so that it automatically logs in when loading the Jira url?
As a way to test SSO, you can use this link https://JIRASERVER-FQDN/plugins/servlet/external-login which actually authenticates you without the need to click on Log In. I have tried adding this to the SSL Pass through Proxy to no avail using the following.
#Normal condition
#ProxyPass "/" "http://JIRASERVER:[PORT]"
#Test condition
ProxyPass "/" "http://JIRASERVER:[PORT]/plugins/servlet/external-login/"
ProxyPass "/nosso/" "http://JIRASERVER:[PORT]/login.jsp?auth_fallback"
The normal condition by itself works fine. When I use the test condition, I end up hitting 404 Crossbones. I know it is probably something simple I'm missing.
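Why the test condition above ends in a 404, as an added example that is not part of the original post: a simplified Python model of how ProxyPass maps request paths. It assumes rules are tried in configuration order with the first matching prefix winning, and uses a placeholder backend URL because the post elides the port.

```python
# Simplified model of Apache mod_proxy ProxyPass prefix mapping (added example).
# Assumptions: rules are tried in configuration order, the first matching
# prefix wins, and the rest of the request path is appended to the target.
BACKEND = "http://JIRASERVER:PORT"  # placeholder, the post does not give the port

TEST_RULES = [  # the "test condition" from the post, in the posted order
    ("/", BACKEND + "/plugins/servlet/external-login/"),
    ("/nosso/", BACKEND + "/login.jsp?auth_fallback"),
]


def map_request(rules, path):
    """Return (matched_prefix, backend_url) for a request path, or None."""
    for prefix, target in rules:
        if path.startswith(prefix):
            # The matched prefix is stripped and the remainder appended.
            return prefix, target + path[len(prefix):]
    return None


def shadowed_rules(rules):
    """Prefixes that can never match because an earlier rule covers them."""
    dead = []
    for i, (prefix, _) in enumerate(rules):
        if any(prefix.startswith(earlier) for earlier, _ in rules[:i]):
            dead.append(prefix)
    return dead


if __name__ == "__main__":
    # Constructed request paths, chosen only to illustrate the mapping.
    for path in ("/", "/secure/Dashboard.jspa", "/nosso/"):
        print(path, "->", map_request(TEST_RULES, path)[1])
    print("never matched:", shadowed_rules(TEST_RULES))
```

Every path other than / is rewritten beneath the servlet path, which is consistent with the 404 described, and the /nosso/ fallback rule is never reached because / matches first.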
Found a solution. It may not be "the" solution but it does work.
Hey Travis - We are looking to potentially use SSO 2.0 for our Jira Datacenter, however, it doesn't seem to be working as expected. Is using SSO 2.0 dependent on whether or not you have Crowd? Can you have SSO 2.0 work with just Microsoft AD + Jira SSO2.0 + OneLogin without Crowd?
Hi @Rob Banister ,
SSO 2.0 is what Atlassian calls it when Crowd acts as a "mini" SAML IdP, so that there is a unified Login Page to sign in to Crowd.
So technically speaking SSO 2.0 is only possible with Crowd.
I am not 100% sure what setup you exactly mean when referring to:
Can you have SSO 2.0 work with just Microsoft AD + Jira SSO2.0 + OneLogin without Crowd
Does that mean you have MS AD sync'd to OneLogin and would like to authenticate all Users against OneLogin?
If so that is probably possible with the Data-Center SAML: https://confluence.atlassian.com/enterprise/saml-single-sign-on-for-atlassian-data-center-applications-857050705.html
If your setup is a bit more complex or you need some more advanced functions (e.g. modifying Usernames to match what OneLogin sends & what you get sync'd from AD, multiple Identity Providers e.g. AD via ADFS & OneLogin) then you could look at our plugin. It's the most used SAML Plugin across the Atlassian Server & Data-Center Applications:
We have many enterprise customers using it in conjunction with OneLogin. Here is our Video Tutorial for that Setup: https://www.youtube.com/watch?v=lVF2AE3YvM0
If your Setup is a bit more complicated, you can also set up a meeting with us via https://resolution.de/go/calendly to discuss this.
Cheers,
Christian
P.S. Full disclosure - I work for resolution, a marketplace vendor
@Rob Banister I have an on prem instance running data center with a registered application within Azure. Using this page (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/jiramicrosoft-tutorial) as a guide, I was able to get the baked in SSO within Jira dc to work with Jira SSO by Microsoft (you add this within Azure).
As @Christian Reichert (resolution) points out, you will need to match your usernames to your Azure usernames. In our case we were using sAMAccountname initially and had to edit our ldap to use the UserPrincipalName. Once I did this, it magically worked.
The plugin that Christian shared here is probably the best one I saw and we are using it for our on prem Confluence. It has its own Azure registered app so it is super easy to set up. We considered using it for Jira as well, but I managed to get it working without it (sorry Christian).
If you have the budget for the plugin, I'd recommend it.
Hi @Travis Blubaugh ,
Inbuilt SAML Authentication for JIRA Data Center will only redirect the user to the IdP when they try to access the /login.jsp page, and it seems you are looking to redirect all unauthenticated users from every page.
In this case, I suggest you take a look at the third-party SAML SSO app in the Atlassian Marketplace, which will provide you with lots of customizable options to redirect users and also provides additional features for SAML SSO, e.g. SAML Single Logout, support for signed and encrypted SAML assertions, etc.
SAML plugin from miniOrange :
Setup guide for Azure AD:
https://plugins.miniorange.com/saml-single-sign-on-sso-jira-using-azure-ad-idp
Feel free to reach out at atlassiansupport@miniorange.com in case you need any assistance.
Thanks,
Lokesh
FD: I work for miniOrange, one of the top SSO vendors in the Atlassian Marketplace.