How to authenticate into Jira, Confluence, and Bitbucket with your AWS Application Load Balancer

Problem statement

Most Atlassian Data Center installations are hosted on AWS. That gives the option to enable the Amazon’s Application Load Balancers (ALBs) you're already using for distributing traffic among nodes to also handle authentication.

There are mainly 2 advantages to this approach.

• First, it shields the Atlassian product from all unauthenticated traffic, offering an additional layer of security and making DDoS attacks and similar threats impossible.

• Secondly, it offloads the authentication away from your instance, increasing performance even when thousands of users are logging in at the same time in peak hours.

Unfortunately, there are also several nuisances setting this up out of the box.

• Users must authenticate twice. Once, via the IdP when the request is intercepted by the AWS ALB. A second time, when the user actually reaches the Atlassian application. This can be particularly upsetting, as users need to remember to use their IdP password up front, followed by their local password.

• If you use SSO, you must setup and maintain the two configurations. SSO gets rid of the second authentication event for the user. However, it also increases complexity and makes debugging of failed authentication attempts significantly more difficult. You want to keep your application architecture as simple as possible.

Solution: Setting up seamless authentication with AWS ALB into Atlassian products

At resolution, we have published AWS ALB and Amazon Cognito Authentication, an app that creates a seamless authentication flow between the ALB, the IdP, and the Atlassian application.

• The app takes information from the OIDC tokens and token claims during the authentication exchange between the ALB and the IdP, then uses that information to log in the user into the Atlassian app.

• Users are automatically logged into Jira, Confluence or Bitbucket once they authenticate through the IdP.

Prerequisites

• Atlassian applications hosted in AWS

• An active Application Load Balancer (ALB)

• An OIDC-compliant identity provider, such as Okta, Azure AD, or GSuite. Alternatively, you can use SAML-compliant IdPs combined with Amazon Cognito user pools

Steps

1. Install AWS ALB and Amazon Cognito Authentication for Jira, Confluence, or Bitbucket (coming soon)

2. Configure your IdP and your AWS ALB. Here you have the complete setup with Azure AD, but do let us know if you need help setting up any other IdPs.

3. From within the AWS ALB Authentication app configuration in your Atlassian application, select the preset for your IdP and follow the steps of the documentation.

Save the configuration. If you run into any issues, get in touch with our support team and we’ll gladly help you set it up!