We (Workboard) provide seamless Jira integration with REST API with basic authentication and it works absolutely fine for all our customers. But with our enterprise customer tier, our REST API is failing as they use the SSO login. Our REST APIs are resulting in a 403 error.
We need to know what we should do to support this.
We have also gone through this link with no luck.
Also, if the user sets a password in his Jira account and then we use this username and password, will that work?
What IDP the customer is using matters less. What matters is what add-on you are using.
I cannot speak for others, but with Kantega Single Sign-on you can have both Kerberos and basic auth to REST at the same time. You can also limit who is offered SSO by IP white/blacklisting.
If you have any questions feel free to reach out to our support team at firstname.lastname@example.org
Lars, Kantega Single Sign-on
So, my understanding here is that this is a SAML based SSO solution. But which one is this? If we're talking about Jira Server then this must be an add-on. If we're talking about Jira Data Center, then this might be Atlassian's native solution. Or maybe we're talking about Jira Cloud here?
I am attaching a snapshot (please find it as an attachment) of where they can control authentication with the SSO. The person who reported the problem confirmed that there is no add-on, as per his knowledge. It looks like the offering is natively integrated into Jira.
Let me know if you need any other information.
According to your screenshot, we're talking about Jira Data Center here and you're actually using Atlassian's native SAML connector: https://confluence.atlassian.com/enterprise/saml-single-sign-on-for-atlassian-data-center-applications-857050705.html
According to Atlassian's documentation, when you select the 'Use SAML as primary authentication' option, you can still use basic authentication. Did you check that your customer really uses basic auth to authenticate on the REST endpoint?
According to Atlassian's documentation, you can also use form-based authentication on a dedicated REST endpoint. My understanding here is that 'Dedicated' means that one of your nodes will take care of all the REST API traffic. Please read the 'REST API traffic' paragraph on this page for more information: https://confluence.atlassian.com/enterprise/traffic-distribution-with-atlassian-data-center-895912660.html
Hello @Bruno Vincent,
Thank you for all your help so far.
The customer has replied to us and unfortunately, they cannot allow the user to use Jira username/password credentials. The only authentication they allow as per the security guidelines is through SAML-based SSO.
Also, we cannot go with setting up a dedicated node for the REST API traffic.
Having said that, is there any way we can still work with the Jira REST API if someone is using SAML-based SSO only in Jira Data Center?
Your further response would be of great help.
Hello @Gaurav Nigam
Well, I guess your last option is to try OAuth authentication: https://developer.atlassian.com/server/jira/platform/oauth/
However, please note
Thank you @Bruno Vincent for your help.
We are going to give OAuth authentication a try. I do have one question though: who will grant an access token here to access the REST API?
1. Is it Jira?
2. Is it the customer's SSO service provider?
Let me reiterate the flow---
1. We implement the SSO and provide a page in our application to connect to Jira
2. User clicks on "connect to Jira"
3. We go through the OAuth process
4. We get the access token
5. Will this token be enough to talk to the REST API, or do we need to ask the customer to make some changes in their SAML response (allowing REST API, including an access token, or anything else)?
As I mentioned earlier, it's a big enterprise customer, so resolving the integration would benefit other customers too in our as well as Jira platform.
Let me know if it makes sense for the resolution. If it is possible, we can have a quick call; I work in the PST timezone.
Thank you once again for all your prompt responses.
Jira will provide the OAuth access token. It requires user interaction, as the user will have to click on an 'Allow' button in Jira's UI. So the user must already be logged in to Jira. If he's not, in a regular situation he will be redirected to Jira's authentication form first. In your case, he should be redirected to the SAML IdP and then, once authenticated, back again to the form showing the 'Allow' button. According to the thread on Atlassian Developer Community I mentioned, this might not work with SAML enabled. But I think you should give it a try anyway. If it fails, as it comes to be very specific to Jira Data Center edition, I suggest that you or your customer open a case at Atlassian support.
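The flow discussed in this thread, as an added example that is not part of any original post: Jira Server/Data Center uses OAuth 1.0a with RSA-SHA1, so the client signs a request-token call, sends the user's browser to Jira's authorize page (the point where the SAML IdP redirect happens), then signs an access-token call. The host names and consumer key in any call are the caller's own; the `sign` callable is an assumption standing in for RSA-SHA1 signing with the private key whose public half is registered in Jira's application link.

```python
import base64
import secrets
import time
from urllib.parse import quote, urlencode

# Jira Server / Data Center OAuth 1.0a endpoints, relative to the Jira base URL.
REQUEST_TOKEN = "/plugins/servlet/oauth/request-token"  # step 1: signed POST
AUTHORIZE = "/plugins/servlet/oauth/authorize"          # step 2: browser redirect
ACCESS_TOKEN = "/plugins/servlet/oauth/access-token"    # step 3: signed POST

def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def oauth_params(consumer_key, token=None, verifier=None, callback=None):
    """Protocol parameters for one signed request (fresh nonce and timestamp)."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "RSA-SHA1",
        "oauth_nonce": secrets.token_hex(16),
        "oauth_timestamp": str(int(time.time())),
        "oauth_version": "1.0",
    }
    optional = {"oauth_token": token, "oauth_verifier": verifier,
                "oauth_callback": callback}
    params.update({k: v for k, v in optional.items() if v is not None})
    return params

def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted parameter list (RFC 5849, 3.4.1)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def authorization_header(method, url, params, sign):
    """Build the Authorization header; sign(bytes) -> bytes is supplied by the
    caller and must be RSA-SHA1 with the consumer's private key (assumption)."""
    raw = sign(signature_base_string(method, url, params).encode("ascii"))
    signed = dict(params, oauth_signature=base64.b64encode(raw).decode("ascii"))
    return "OAuth " + ", ".join(
        f'{pct(k)}="{pct(v)}"' for k, v in sorted(signed.items()))

def authorize_url(jira_base, request_token):
    """Step 2: the user's browser goes here; Jira shows 'Allow' after login."""
    return f"{jira_base}{AUTHORIZE}?{urlencode({'oauth_token': request_token})}"
```

Once the access token is obtained, each REST call is signed the same way with `oauth_token` set to that token; no password is sent to Jira by the integration.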