
SSO not going straight to the app

Hi,

 

I just got done setting up SAML SSO in Azure, but when I go to our company's organization, I have to click sign in with Microsoft even though I clicked Jira through myapplications.office.com. I followed the instructions in this document https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/atlassian-cloud-tutorial and I think the sign on URL is what's giving me problems.

Basically I am getting 2 Atlassian verification pages when I should only get 1. Any ideas?

2 answers

1 accepted

If you, instead of clicking on the icon in the Azure portal, simply navigate to your Atlassian Cloud URL, then instead of clicking on sign in with Microsoft, type your email, as if you are going to use password credentials - what happens then? If you are not redirected to Azure then - your SAML SSO hasn't been set up correctly.

When I type my email it says "opening single on" and works, but Jira should also open in myapplications.microsoft.com when I click the tile. Even when signed into our Microsoft account it asks me to sign in to my account again. Any suggestions? Thanks for the help as well!

Screen Shot 2020-05-15 at 10.15.37 PM.jpg

So, SSO works when doing "SP-initiated" but not when doing "IdP-initiated"

Did you do step 4 here: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/atlassian-cloud-tutorial#configure-azure-ad-sso

Atlassian document also mentions it: https://confluence.atlassian.com/cloud/saml-single-sign-on-943953302.html#SAMLsinglesign-on-1.AddtheAtlassianproducttoyouridentityprovider

"For identity provider initiated SAML, enter your organization's URL as the default relay state. Include https:// as part of your organization's URL."

We want SP-initiated mode, but we don't want the second id.atlassian.net verification page - we want it to go straight into the app.

"SP-initiated" is when you go to the application first, and once it realises that you are not yet logged in, it redirects you to the IdP to authenticate and then you are redirected back and you are logged in automatically (based on the response that the IdP sent)

If you go to your IdP first, log in (if needed), click on the icon and you get redirected to Cloud and are logged in - that's IdP-initiated SSO

So, SP-initiated is you going to your Atlassian Cloud URL, if your cookie expired already, you get kicked out to the Cloud login page, you enter your email, you get redirected to the IdP, if you are already logged in there, you get redirected back immediately and you are in.

I am not sure what the "second id.atlassian.net verification page" means in this case.

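The two flows described above and the relay-state requirement quoted from the Atlassian document can be checked mechanically. The following is an added example, not part of the original thread and not Atlassian or Microsoft code; the host `example.atlassian.net`, the request ID `_req42` and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample responses; issuer, signature and assertion are omitted.
# Real responses are untrusted input: parse them with a hardened XML parser
# and verify the signature before trusting any attribute.
SP_INITIATED = f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" InResponseTo="_req42" Version="2.0"/>'
IDP_INITIATED = f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r2" Version="2.0"/>'


def classify_flow(response_xml, pending_request_ids):
    """Return 'sp-initiated' or 'idp-initiated'; raise on an unknown InResponseTo."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a SAML 2.0 Response")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # Unsolicited response: the user started at the IdP tile, so the SP
        # never issued an AuthnRequest and relies on RelayState for the target.
        return "idp-initiated"
    if in_response_to not in pending_request_ids:
        raise ValueError("InResponseTo does not match a request we issued")
    return "sp-initiated"


def relay_state_problems(relay_state, org_host):
    """List reasons a default relay state would not land the user in the org site."""
    if not relay_state:
        return ["relay state is empty; IdP-initiated sign-in has no target URL"]
    parts = urlsplit(relay_state)
    problems = []
    if parts.scheme != "https":
        problems.append("relay state must include https://")
    if (parts.hostname or "") != org_host:
        problems.append(f"host is {parts.hostname!r}, expected {org_host!r}")
    return problems
```
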

Thank you for the clarification!

 

The second verification page is the attached picture after clicking the launcher icon in our Microsoft applications page. Is it not supposed to launch right into Jira? Because right now users would have to log into Microsoft, click Jira, then log in again.


Screen Shot 2020-05-15 at 11.24.03 PM.jpg

Sorry here is the picture.

OK, can you confirm you've configured steps 4.c and 4.d

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/atlassian-cloud-tutorial#configure-azure-ad-sso

My understanding is that it shouldn't show the Atlassian Cloud login page again (which is what you see, as in the screenshot you've provided)

Beyond this I can only suggest to raise a request with Atlassian Support on support.atlassian.com 

Yes, I configured it. Just to confirm I inserted the correct info, would my relay state URL be the URL below Jira Software in the top picture?

Screen Shot 2020-05-16 at 6.57.34 AM.jpg

Screen Shot 2020-05-16 at 6.57.50 AM.jpg

Yes, this should be the URL. I suggest reaching out to https://support.atlassian.com and describing your problem accordingly: that SP-initiated SSO works, but on the IdP-initiated one, instead of getting the Jira page, you get the Cloud login page again.


Thanks for your help! I reached out to support. Just waiting for a response now.

Hi @SHiester ,

sorry for digging out the old corpse, but we are facing exactly the same issue.

Have you managed to resolve it?

I have done quite a lot of tests on iOS 11 and at this point, I have come to the conclusion that the SFAS sometimes doesn't work as expected.

Here is what I have done:

  1. I cloned the example app from this repo
  2. I created 2 apps from it, both of them using Google as the IDP, and I installed both apps on the device.
  3. I cleared all the web history and website data in Safari.
  4. I logged into app A using my Google account, and made sure I could read the user profile info.
  5. I then tried to log in to app B. When SFAS is opened, my existing Google account is not there to pick and I was asked to log in. For now, I cancel the login window.
  6. I go to Safari and go to myaccount.google.com. I can see that I wasn't logged into Google at all.
  7. Now, I open app A again, and I try to authenticate again. This time when the SFAS is opened, I can see that my account is remembered and I can pick it and complete the login process.
  8. Now, if I go back to Safari and refresh myaccount.google.com, I can suddenly see I am logged in in Safari.
  9. If I go to app B again, this time I can see my current Google account and log in without entering the username and password again.

Step 7 doesn't always work, sometimes I have to enter my credentials again.

Have you guys come across anything similar before? I think in order to reproduce this, you have to make sure to remove the existing cookies from Safari first. It looks like SFAS doesn't always sync the cookies from SFAS back to Safari.

I tried with Keycloak and I see the same behaviour. Sometimes the SFAS syncs the session back to Safari, and when this happens, the other apps can perform SSO. But sometimes this doesn't happen and SSO doesn't work in other apps.

This is not a bug with AppAuth itself, I just want to make sure I am not the only one seeing this issue. If this is the case, I think it should be documented that the SSO doesn't always work.
