Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Next challenges

Recent achievements

  • Global
  • Personal

Recognition

  • Give kudos
  • Received
  • Given

Leaderboard

  • Global

Trophy case

Kudos (beta program)

Kudos logo

You've been invited into the Kudos (beta program) private group. Chat with others in the program, or give feedback to Atlassian.

View group

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

How to Enable Single Logout (SLO) in Atlassian Data Center applications

What is Single Logout (SLO)

Do you always close your session in Jira when you've finished tracking your work? I seriously doubt it.

Most users regularly forget to log out of their applications when they're done using them, and Atlassian tools are certainly no exception. 

In single sign-on environments, that can be particularly true: since users only log in once, they may not be aware of how many open sessions they're running simultaneously.

That's why most SSO solutions include single logout in their offering. The principle is always the same: log out of one application, and the system will take care of shutting every other open session at the same time. Close your session in the Identity Provider (IdP), and all open applications will be automatically shut down.

Unfortunately, Single Logout is not included in the Data Center SSO features, so even if you have it set up on your Okta, Azure AD, or whatever the IdP of your choice is, users of Atlassian applications will not be benefitting from it.

Unless you want to embark into a custom-made solution, the Atlassian Marketplace offers SSO apps that can do the trick. In this article I'm going to give an example and show how you can enable SLO with resolution's SAML SSO apps (for full disclosure, resolution is my current employer).

SAML SSO is available for Jira, for Confluence, and all other main Atlassian products.

Why not logging out is dangerous

But first, let me give a short reminder of why leaving sessions open is a really bad habit from a security standpoint. 

When user sessions in Jira, Confluence, Bitbucket or any other Atlassian, you are vulnerable to at least two types of malicious attacks:

  • Session hijacking, which is relatively simple and can be achieved for example by sniffing the active session token. If successful, the attacker will have access to the Web Server.
  • One-click attacks, or Cross-Site Request Forgeries (CSRF), which trick the user into taking an action he wouldn't normally do with social engineering techniques. Yes, it's far-fetched. But if you have compliance proccesses or millionaire business approvals on Jira, someone might actually take a shot.

How to configure Single Logout in Atlassian applications

The following steps work for Jira, Confluence, Bitbucket, Bamboo, or Fisheye applications in both Data Center and Server hostings.

Step 1: Include the Single Logout URLs in the SAML Metadata

service provider settings.png

To include the SLO URLs in the SAML Metadata, simply check the box at the bottom in the Service Provider tab

There are two options here:

  • Inside the plugin: Check the corresponding option in the Service Provider tab of the configuration menu
  • In the Identity Provider: Paste this URL in the IdP's metadata:
https://<baseUrl>/plugins/servlet/samlsso/metadata?slo

Step 2: Choose your preferred option for the Logout Binding. 

Go to the Identity provider tab and choose between POST and Redirect.

binding logout.png

This step will determine the exact format for exchanging data between your IdP and your Atlassian applications.

Step 3: Load the SLO URL in resolution's app

In the same tab, make sure that the SLO URL is already loaded; if not, go ahead and set it using the format in Step 1.

Step 4: Save the configuration

Step 5: Configure the IdP

Now it's time to check the settings in your IdP to make sure it fully supports your setup.

While settings will vary for each IdP, you can see a detailed explanation here for the most common Identity Providers:

For additional details, have a look at the full documentation.

Conclusion

Single Logout is an integral component of a full SSO solution that you'll want to set up to protect your corporate assets. Resolution's SAML SSO apps will help you set it up for both Server and Data Center hostings of your Atlassian applications.

Remember that whether SLO is possible will ultimately depend of your IdP. Although leaders in the IAM landscape include this possibility, other minor providers or custom-develop solutions may not have Single Logout capabilities.

0 comments

Comment

Log in or Sign up to comment
TAGS
Community showcase
Published in Marketplace Apps & Integrations

Bitbucket Smart Commits vs. Genius Commits - What's the difference?

If you already heard about Smart Commits in Bitbucket, know that you just stumbled upon something even better (and smarter!): Genius Commits by Better DevOps Automation for Jira Data Center (+ Server...

130 views 0 2
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you