We installed de.syracom.jira.plugins.securelogin version 1.1 to trial with Jira and Confluence.
If 2FA using the plugin is enabled for the logged-in user, it is not possible to link the wiki and Jira. If I disable 2FA for the user, he is able to create new links between the wiki and Jira and see already created links correctly.
How can it be fixed? Please advise. Thank you in advance.
As in your other question, can you provide us with some additional information, please? If you do not want to write it here, please write to me at our support address and I will take care of it; one of our developers will take a look at your issues:
Dear Alexander, Support Team, I sent all requested details and additional questions to your team by email some days ago, but there are still no updates. And our trial will expire tomorrow (25/Nov/16). Could you help to extend the trial for one month? We need additional time to make a final decision. Thank you in advance.
Were you able to solve this issue? I am currently testing with Confluence 6.12.1 and Jira 7.12.3. Confluence fetches its users from the Jira instance (local user directory there), so they have a shared user base. Application link is configured correctly. The issue occurs regardless of whether we tick "shared set of users" in the linking process. The user has registered for Secure Login in Jira and Confluence. The issue already occurs when only Jira has 2FA enabled. Context whitelist is "/download/,/rest/".
When 2FA is not activated for Jira, then issue linking works as expected.
I am facing exactly this same problem. Can you guide me on how and what IP addresses you added to the whitelist?
Problem: I am unable to add the JIRA macro in Confluence pages. It's throwing an error. This error gets resolved when I disable the 2FA.
I have JIRA & Confluence hosted on the same server, on URLs with different contexts.
2FA is working perfectly fine on both the products but is giving errors when JIRA & Confluence try to integrate with each other.
In the 'Application links' field provided on the configuration screen, should I add the IP of the Web Server, App Server or Firewall? Or all of them?
Thank you for your request. To allow the Confluence macro to communicate with Jira, you have to add the IP of your Confluence server to the "Application links" configuration in Secure Login for Jira. That way, Secure Login knows that all requests from Confluence are whitelisted and the macro should work as expected.
But depending on your network configuration, this might not be enough to make it work as expected. An HTTP request always contains the IP address of the communication partner raising the request. In your case, Confluence is raising the request, and so it contains the IP address of your Confluence instance. But this only applies if your Jira and Confluence instances communicate directly with each other.
If the two systems do not communicate directly with each other, and the request is going through any other network instance, like a NAT interface, a proxy server, firewall or any different kind of security appliance, the request does not contain the IP of Confluence as sender, but instead the IP of that additional instance. So if you have a proxy in place, the request includes the IP of the proxy, instead.
To make the switch of the sender transparent to the receiver, the request could or should contain a forward header. This header contains the information about which IP was the original sender of the request. Sadly, there are two problems with this header:
One important security hint: If you use a proxy or something similar, please do not add the IP of it to the "application link" or "ip whitelist" configuration, because then, all requests would be whitelisted and Secure Login would be useless.
I hope this information helps to resolve the issue you are experiencing. If not, please add de.syracom with log level DEBUG to the log configuration of Jira and Confluence, reproduce the error and generate a support ZIP in both systems. Afterward, raise a support ticket at our Service Desk and attach the support ZIPs to it so that we can take a more in-depth look into it.
With kind regards,
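The difference the answer above describes, between the address of the connecting peer and the original sender named in a forward header, shown as an added example (not part of the thread and not Secure Login's code). All addresses are constructed, the function names are hypothetical, and it assumes the reverse proxy appends the address it received the request from to `X-Forwarded-For`.

```python
import ipaddress

PROXIES = ["10.0.0.5"]        # constructed: reverse proxy in front of Jira
CONFLUENCE = ["10.0.0.20"]    # constructed: Confluence server
# Constructed requests as Jira sees them: (peer address, X-Forwarded-For value)
REQUESTS = {
    "confluence_macro": ("10.0.0.5", "10.0.0.20"),
    "user_browser": ("10.0.0.5", "203.0.113.7"),
    "browser_sets_own_header": ("10.0.0.5", "10.0.0.20, 203.0.113.7"),
    "direct_no_proxy": ("10.0.0.20", None),
}

def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def effective_client_ip(peer_ip, xff_header, trusted_proxies):
    """Return the address a whitelist should be matched against."""
    # A peer that is not a known proxy could have written the header itself.
    if not _in_any(peer_ip, trusted_proxies):
        return peer_ip
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Proxies append on the right, so walk right to left and stop at the
    # first hop that is not one of our own proxies.
    for hop in reversed(hops):
        try:
            if not _in_any(hop, trusted_proxies):
                return hop
        except ValueError:
            return peer_ip  # malformed entry: fall back to the proxy address
    return peer_ip

def evaluate(whitelist, use_header):
    """Map each sample request to True if it would bypass 2FA."""
    result = {}
    for name, (peer, xff) in REQUESTS.items():
        ip = effective_client_ip(peer, xff, PROXIES) if use_header else peer
        result[name] = _in_any(ip, whitelist)
    return result

if __name__ == "__main__":
    print("peer only, Confluence listed:  ", evaluate(CONFLUENCE, False))
    print("peer only, proxy also listed:  ", evaluate(CONFLUENCE + PROXIES, False))
    print("forward header, Confluence only:", evaluate(CONFLUENCE, True))
```
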
Thanks @Alexander Kueken for the quick reply. Appreciate it.
Question on X-Forwarded-For. If we add that, we will receive the submitter IP address, which will be different for each user, right? So how can I use that in the IP Whitelist?
And yes, you are right, JIRA & Confluence do not communicate directly. The request goes to the firewall, which sends it to the reverseProxy, and then it goes to the application server. But we can't add the web server's IP address that is used for the reverseProxy because all requests would get whitelisted.
Can we use Context Whitelist (URL Filter) in this case somehow?