Supporting JIRA REST API support if users are using SSO

Hi, 
We (Workboard) provide seamless Jira integration with REST API with basic authentication and it works absolutely fine for all our customers. But with our enterprise customer tier, our REST API is failing as they use the SSO login. Our REST APIs are resulting in 403 error.

 

We need to know what should we do to support this?

We have also gone through this link with no luck.

https://community.atlassian.com/t5/Confluence-questions/REST-API-behind-SAML-with-3-Legged-OAuth/qaq-p/585795

 

Also, If the user sets a password in his Jira account and then we use this username and password, will that work?

 

 

1 answer

This widget could not be displayed.
Bruno Vincent Community Champion Dec 16, 2017

Hi @Gaurav Nigam,

It really depends on your SSO solution. It should have configuration options to exclude REST URLs or include only specific user agents.

Which SSO solution/add-on do you actually use?

Thank you, Bruno!

This enterprise customer uses their own IDP. So changing at their SSO level, it would be a tedious task. Though we have requested them to explore that.

Is there any other option like supporting both username/password and SSO at the same time?

What IDP the customer is using matters less. What matters is what add-on you are using. 

I cannot speak for others, but with Kantega Single. Sign-on you can have both Kerberos and basic auth to REST at the same time. You can also limit who is offered SSO by IP white/blacklisting.

If you have any questions feel free to reach out to our support team at sso@kantega.no

Cheers,

Lars, Kantega Single Sign-on

Bruno Vincent Community Champion Dec 17, 2017

Hi @Gaurav Nigam

So, my understanding here is that this is a SAML based SSO solution. But which one is this? If we're talking about Jira Server then this must be an add-on. If we're talking about Jira Data Center, then this might be Atlassian's native solution. Or maybe we're talking about Jira Cloud here?

Thank you, Bruno, for the prompt reply.

We are requesting customer about which SAML based SSO solution they are using here.

Hello Bruno, 

I am attaching a snapshot (pls find it as an attachment) from where they can control authentication with the SSO, the person who reported the problem, confirmed for no add-on as per his knowledge. It looks like, the offering is natively integrated into Jira.

 Let me know if you need any other informationScreen Shot 2017-12-20 at 11.39.00 AM.png

Bruno Vincent Community Champion Dec 20, 2017

Hi @Gaurav Nigam

According to your screenshot, we're talking about Jira Data Center here are you're actually using Atlassian's SAML native connector: https://confluence.atlassian.com/enterprise/saml-single-sign-on-for-atlassian-data-center-applications-857050705.html

According to Atlassian's documentation, when you select the 'Use SAML as primary authentication' option, you can still use basic authentication. Did you check that your customer really uses basic auth to authenticate on the REST endpoint?

According to Atlassian's documentation, you can also use form-based authentication on a dedicated REST endpoint. My understanding here is that 'Dedicated' means that one of your nodes will take care of all the REST API traffic. Please read the 'REST API traffic' paragraph on this page for more information: https://confluence.atlassian.com/enterprise/traffic-distribution-with-atlassian-data-center-895912660.html

thank you, Bruno, it really helps in moving forward. I am connecting with the customer with this details and will try to resolve this issue. I will update it again if there are any other questions. 

Bruno Vincent Community Champion Dec 20, 2017

Sure. I read you first post again and according to what we know now, my understanding is that it should actually work if you use the username and local Jira user password in the basic auth headers.

Hello @Bruno Vincent

Thank you for all your help so far.

The customer has replied to us and unfortunately, they can not allow the user to use Jira username/password credentials. The only authentication they allow as per the security guidelines is through SAML based SSO.

Also, we can not go with setting up a dedicated node for the REST API traffic. 

Having said that, is there anyway, we can still work with Jira REST API if someone is using SAML based SSO only in Jira data center? 

 

Your further response would be of great help.

Thanks, 

Gaurav

Bruno Vincent Community Champion Dec 20, 2017

Hello @Gaurav Nigam

Well, I guess your last option is to try OAuth authentication: https://developer.atlassian.com/server/jira/platform/oauth/

However, please note

  • That this will require the end-user's interaction in a browser (see step2 in the above link). If the REST client you're talking about is a stand-alone script or some kind of bot, this won't help. In short, the reason why it requires the end-user's interaction is the OAuth protocol version implemented in Jira as of today, which is 1.0a. With OAuth 2.0 there would be other options.
  • That this might not work at all as the following thread mentions someone who cannot make it work in a Jira Data Center environment with native SAML enabled: https://community.developer.atlassian.com/t/rest-api-behind-saml-with-3-legged-oauth/3662/

Thank you @Bruno Vincent for your help.

We are going to give OAuth authentication a try. I do one question though, who will grant an access token here to access the REST API---

1. Is it Jira?

or 

2. Is it the customer's SSO service provider?

 

Let me reiterate the flow---

1. We implement the SSO and provide a page in our application to connect to Jira

2. User clicks on "connect to Jira"

3. We go through the OAuth process

4. We get the access token

5. Will this token be enough to talk to the REST API or we need to request the customer to have some changes in their SAML response (Allowing REST API or Including access token or anything else... )?

As I mentioned earlier, it's big enterprise customer, so resolving the integration would benefit other customers too in our as well as Jira platform. 

 Let me know if it makes sense for the resolution. If it is possible, we can have a quick call, I work in PST timezone. 

 

Thank you once again for all your prompt responses.

Bruno Vincent Community Champion Dec 21, 2017

Hi @Gaurav Nigam

You're welcome!

Jira will provide the OAuth access token. It requires the user interaction as the user will have to click on a 'Allow' button on Jira's UI. So the user must already be logged in Jira. If he's not, in a regular situation he will be redirected to Jira's authentication form first. In your case, he should be redirected to the SAML IdP and then, once authenticated, back again to the form showing the 'Allow' button. According to the thread on Atlassian Developer Community I mentioned, this might not work with SAML enabled. But I think you should give it a try anyway. If it fails, as it comes to be very specific to Jira Data Center edition I suggest that you or your customer open a case at Atlassian support.

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Tuesday in Jira

What modern development practices are at the heart of how your team delivers software?

Hey Community mates! Claire here from the Software Product Marketing team. We all know software development changes rapidly, and it's often tough to keep up. But from our research, we've found the h...

96 views 1 2
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you