Supporting JIRA REST API support if users are using SSO

Gaurav Nigam December 15, 2017

Hi, 
We (Workboard) provide seamless Jira integration through the REST API with basic authentication, and it works absolutely fine for all our customers. But with our enterprise customer tier, our REST API calls are failing because they use SSO login. Our REST API calls are resulting in a 403 error.


We need to know what we should do to support this.

We have also gone through this link with no luck.

https://community.atlassian.com/t5/Confluence-questions/REST-API-behind-SAML-with-3-Legged-OAuth/qaq-p/585795


Also, if the user sets a password in his Jira account and we then use this username and password, will that work?


1 answer

Bruno Vincent (Rising Star) December 16, 2017
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.

Hi @Gaurav Nigam,

It really depends on your SSO solution. It should have configuration options to exclude REST URLs or include only specific user agents.

Which SSO solution/add-on do you actually use?

Gaurav Nigam December 17, 2017

Thank you, Bruno!

This enterprise customer uses their own IDP, so changing things at their SSO level would be a tedious task. We have nevertheless requested that they explore that.

Is there any other option like supporting both username/password and SSO at the same time?

Lars Olav Velle (Rising Star) December 17, 2017

What IDP the customer is using matters less. What matters is what add-on you are using.

I cannot speak for others, but with Kantega Single Sign-on you can have both Kerberos and basic auth to REST at the same time. You can also limit who is offered SSO by IP white/blacklisting.

If you have any questions feel free to reach out to our support team at sso@kantega.no

Cheers,

Lars, Kantega Single Sign-on

Bruno Vincent (Rising Star) December 17, 2017

Hi @Gaurav Nigam

So, my understanding here is that this is a SAML based SSO solution. But which one is this? If we're talking about Jira Server then this must be an add-on. If we're talking about Jira Data Center, then this might be Atlassian's native solution. Or maybe we're talking about Jira Cloud here?

Gaurav Nigam December 17, 2017

Thank you, Bruno, for the prompt reply.

We are asking the customer which SAML-based SSO solution they are using.

Gaurav Nigam December 20, 2017

Hello Bruno, 

I am attaching a screenshot (please find it attached) of the page where they control authentication with the SSO. The person who reported the problem confirmed that, to his knowledge, no add-on is used. It looks like the offering is natively integrated into Jira.

Let me know if you need any other information.

Screen Shot 2017-12-20 at 11.39.00 AM.png

Bruno Vincent (Rising Star) December 20, 2017

Hi @Gaurav Nigam

According to your screenshot, we're talking about Jira Data Center here and you're actually using Atlassian's native SAML connector: https://confluence.atlassian.com/enterprise/saml-single-sign-on-for-atlassian-data-center-applications-857050705.html

According to Atlassian's documentation, when you select the 'Use SAML as primary authentication' option, you can still use basic authentication. Did you check that your customer really uses basic auth to authenticate on the REST endpoint?

According to Atlassian's documentation, you can also use form-based authentication on a dedicated REST endpoint. My understanding here is that 'Dedicated' means that one of your nodes will take care of all the REST API traffic. Please read the 'REST API traffic' paragraph on this page for more information: https://confluence.atlassian.com/enterprise/traffic-distribution-with-atlassian-data-center-895912660.html

Gaurav Nigam December 20, 2017

Thank you, Bruno, it really helps in moving forward. I am connecting with the customer with these details and will try to resolve this issue. I will update again if there are any other questions.

Bruno Vincent (Rising Star) December 20, 2017

Sure. I read your first post again and, according to what we know now, my understanding is that it should actually work if you use the username and the local Jira user password in the basic auth headers.

Gaurav Nigam December 20, 2017

Hello @Bruno Vincent

Thank you for all your help so far.

The customer has replied to us and unfortunately they cannot allow the user to use Jira username/password credentials. The only authentication they allow, as per their security guidelines, is through SAML-based SSO.

Also, we cannot go with setting up a dedicated node for the REST API traffic.

Having said that, is there any way we can still work with the Jira REST API if someone is using SAML-based SSO only in Jira Data Center?

Your further response would be of great help.

Thanks, 

Gaurav

Bruno Vincent (Rising Star) December 20, 2017

Hello @Gaurav Nigam

Well, I guess your last option is to try OAuth authentication: https://developer.atlassian.com/server/jira/platform/oauth/

However, please note

  • That this will require the end-user's interaction in a browser (see step 2 in the above link). If the REST client you're talking about is a stand-alone script or some kind of bot, this won't help. In short, the reason why it requires the end-user's interaction is the OAuth protocol version implemented in Jira as of today, which is 1.0a. With OAuth 2.0 there would be other options.
  • That this might not work at all, as the following thread mentions someone who cannot make it work in a Jira Data Center environment with native SAML enabled: https://community.developer.atlassian.com/t/rest-api-behind-saml-with-3-legged-oauth/3662/

Gaurav Nigam December 21, 2017

Thank you @Bruno Vincent for your help.

We are going to give OAuth authentication a try. I do have one question though: who will grant the access token here to access the REST API?

1. Is it Jira?

or 

2. Is it the customer's SSO service provider?


Let me reiterate the flow:

1. We implement the SSO and provide a page in our application to connect to Jira

2. User clicks on "connect to Jira"

3. We go through the OAuth process

4. We get the access token

5. Will this token be enough to talk to the REST API or we need to request the customer to have some changes in their SAML response (Allowing REST API or Including access token or anything else... )?

As I mentioned earlier, it's a big enterprise customer, so resolving the integration would benefit other customers too, on our platform as well as on Jira's.

Let me know if it makes sense for the resolution. If possible, we can have a quick call; I work in the PST timezone.

Thank you once again for all your prompt responses.

Bruno Vincent (Rising Star) December 21, 2017

Hi @Gaurav Nigam

You're welcome!

Jira will provide the OAuth access token. It requires user interaction because the user will have to click on an 'Allow' button in Jira's UI, so the user must already be logged in to Jira. If he's not, in a regular situation he will be redirected to Jira's authentication form first. In your case, he should be redirected to the SAML IdP and then, once authenticated, back again to the form showing the 'Allow' button. According to the thread on the Atlassian Developer Community I mentioned, this might not work with SAML enabled, but I think you should give it a try anyway. If it fails, as this is very specific to the Jira Data Center edition, I suggest that you or your customer open a case with Atlassian support.
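The flow Bruno describes, and the numbered steps Gaurav listed, as an added in-process model that is not code from this thread, from Atlassian or from Workboard: both sides of Jira Server's 3-legged OAuth 1.0a exchange, with Jira as the only party that issues tokens and the end user acting only at the 'Allow' step. The `Jira` class, `connect_to_jira`, the consumer key and secret, the callback URL and the user name are constructed for the example; HMAC-SHA1 stands in for the RSA-SHA1 signature method Jira's application links actually require, while the `/plugins/servlet/oauth/*` and `/rest/api/2/myself` paths are Jira Server's documented endpoints.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def sign(method, url, params, consumer_secret, token_secret=""):
    """RFC 5849 s3.4 signature over method, URL and sorted params (HMAC-SHA1 stands in for RSA-SHA1)."""
    q = lambda s: quote(str(s), safe="~")
    norm = "&".join(f"{q(k)}={q(v)}" for k, v in sorted(params.items()) if k != "oauth_signature")
    key = f"{q(consumer_secret)}&{q(token_secret)}".encode()
    mac = hmac.new(key, f"{method}&{q(url)}&{q(norm)}".encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signed(method, url, ckey, csecret, token_secret="", **extra):  # client side: build and sign oauth_* params
    p = {"oauth_consumer_key": ckey, "oauth_nonce": secrets.token_hex(8), "oauth_version": "1.0",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())), **extra}
    p["oauth_signature"] = sign(method, url, p, csecret, token_secret)
    return p

class Jira:  # constructed stand-in for Jira, the only party that mints request and access tokens
    def __init__(self, ckey, csecret):
        self.consumers, self.req, self.acc = {ckey: csecret}, {}, {}
    def _verify(self, method, url, p, token_secret=""):
        want = sign(method, url, p, self.consumers[p["oauth_consumer_key"]], token_secret)
        if not hmac.compare_digest(p.get("oauth_signature", ""), want):
            raise PermissionError("bad OAuth signature")
    def request_token(self, url, p):  # step 1: no end user involved yet
        self._verify("POST", url, p)
        self.req[(tok := secrets.token_hex(8))] = r = {"secret": secrets.token_hex(16), "user": None}
        return tok, r["secret"]
    def authorize(self, tok, user):  # step 2: user, already logged in via the SAML IdP, clicks Allow
        self.req[tok].update(user=user, verifier=(v := secrets.token_hex(4)))
        return v
    def access_token(self, url, p):  # step 3: authorized request token + verifier -> access token
        r = self.req.pop(p["oauth_token"])
        if r["user"] is None or p.get("oauth_verifier") != r.get("verifier"):
            raise PermissionError("request token was never authorized by a user")
        self._verify("POST", url, p, r["secret"])
        self.acc[(tok := secrets.token_hex(8))] = a = {"secret": secrets.token_hex(16), "user": r["user"]}
        return tok, a["secret"]
    def rest(self, method, url, p):  # step 4: any REST call signed with the access token
        self._verify(method, url, p, self.acc[p["oauth_token"]]["secret"])
        return {"name": self.acc[p["oauth_token"]]["user"]}

def connect_to_jira(jira, base, ckey, csecret, user="alice"):
    """Client side of steps 1-4; only step 2 needs the end user's browser, so a headless bot cannot finish."""
    u = base + "/plugins/servlet/oauth/request-token"
    rtok, rsec = jira.request_token(u, signed("POST", u, ckey, csecret, oauth_callback="https://app.example/cb"))
    verifier = jira.authorize(rtok, user)  # browser redirect to base + "/plugins/servlet/oauth/authorize"
    u = base + "/plugins/servlet/oauth/access-token"
    atok, asec = jira.access_token(u, signed("POST", u, ckey, csecret, rsec, oauth_token=rtok, oauth_verifier=verifier))
    u = base + "/rest/api/2/myself"
    return jira.rest("GET", u, signed("GET", u, ckey, csecret, asec, oauth_token=atok))
```

The access token alone is enough for step 4, because it is Jira, not the SAML IdP, that issued it; the IdP's only role is to get the user logged in before the 'Allow' page.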
