SSO with Crowd not working

We have (for time being experimental) Crowd and Confluence with SSO working (with Crowd Shibboleth authenticator). Now we are trying to add JIRA to the system. Authentication from Crowd with local username works in Jira, but SSO (that Shinboleth authentication needs) does not work in Jira. In debug log there is error message:   INVALID SSO TOKEN Token doesn't match the existing token

We have changed the authenticator in seraph-config.xml. Any ideas where to look for the difference between Confluence and Jira?

4 answers

1 accepted

0 votes
Accepted answer

Found it. The test Confluence and test Crowd were using HTTP proxy, but the test JIRA was using AJP proxy.

Therefore there was a difference in remote addresses and the SSO cookies were invalid.

I do not have the answer to your Shibboleth question, but since you say it is experimental, here's a possible alternative solution to your SSO needs. 

I looked at the logs of the crowd server. It can be seen that first the Confluence tries to validate the session and succeeds. Then the Jira sends a similar request but gets a 400: - - [01/Dec/2014:08:42:02 +0200] "POST /crowd/rest/usermanagement/1/session/BBJQUhcXUxFQW669iUsKug00 HTTP/1.1" 200 512 - - [01/Dec/2014:08:42:03 +0200] "GET /crowd/rest/usermanagement/1/session/BBJQUhcXUxFQW669iUsKug00?expand=user HTTP/1.1" 200 1027 - - [01/Dec/2014:08:42:16 +0200] "POST /crowd/rest/usermanagement/1/session/BBJQUhcXUxFQW669iUsKug00 HTTP/1.1" 400 162 - - [01/Dec/2014:08:42:16 +0200] "POST /crowd/rest/usermanagement/1/session/BBJQUhcXUxFQW669iUsKug00 HTTP/1.1" 400 162 - - [01/Dec/2014:08:42:16 +0200] "POST /crowd/rest/usermanagement/1/session/BBJQUhcXUxFQW669iUsKug00 HTTP/1.1" 400 162 Any ideas?

Here is a snip from Crowd logs: 2014-12-01 09:48:14,427 http-bio-8095-exec-20 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] Current Validation Factors: ValidationFactor[remote_address=] 2014-12-01 09:48:14,427 http-bio-8095-exec-20 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] comparing existing token Token{identifierHash='7dWKwNE6vaxz1TWMxrARvg00', lastAccessedTime=1417419581224, createdDate=2014-12-01 09:22:18.785, duration=null, name='', directoryId=32770} with a validation token Token{identifierHash='b8XOnwiNUA1MFFmkQq1hAg00', lastAccessedTime=1417420094427, createdDate=Mon Dec 01 09:48:14 EET 2014, duration=null, name='', directoryId=32770} 2014-12-01 09:48:14,427 http-bio-8095-exec-20 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl$TokenValidationFailure] Existing token 'pfBVqHdoyBAfLBtMTn1u8g00' for user '' does not match new token 'FqtI1Ix4yCjdcQZGFQYW0g00' with validation factors 'ValidationFactor[remote_address=]' 2014-12-01 09:48:14,427 http-bio-8095-exec-20 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] The token keys don't match 2014-12-01 09:48:14,428 http-bio-8095-exec-20 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Closing Hibernate Session in OpenSessionInViewFilter 2014-12-01 09:50:00,013 scheduler_Worker-0 DEBUG [atlassian.crowd.file.DaoRefresher] Refreshing refreshable DAOs

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Jan 08, 2019 in Jira

How to Jira for designers

I’m a designer on the Jira team. For a long time, I’ve fielded questions from other designers about how they should be using Jira Software with their design team. I’ve also heard feedback from other ...

1,195 views 5 10
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you