-
Suggestion
-
Resolution: Unresolved
-
None
-
85
-
109
-
Problem Definition
When implementing SAML either through JDC or through a vendor plugin, the net result is you have to turn off websudo because you can't get websudo and SAML to work. The effect is you can go straight into administration functions without confirmation that you should. This poses a security risk.
Suggested Solution
I am requesting an enhancement to allow websudo to work with both your JDC SAML setup as well as to allow websudo to work with other marketplace SAML plugins.
- is related to
-
- Gathering Interest
- relates to
-
- Gathering Interest
- depends on
-
![[JIRA Server (Bulldog)] Story - Created by Jira Software - do not edit or delete. Issue type for a user story.](https://bulldog.internal.atlassian.com/images/icons/issuetypes/story.svg "[JIRA Server (Bulldog)] Story - Created by Jira Software - do not edit or delete. Issue type for a user story.")
AAUTH-20
You do not have permission to view this issue
- links to
- mentioned in
-
![[Atlassian Documentation] Page](/images/icons/generic_link_16.png "[Atlassian Documentation] Page")
Page
No Confluence page found with the given URL.
-
Page Loading...
-
-
-
-
-
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[JRASERVER-69311] Ability to have the Websudo functionality working with SAML / SSO
It is my understanding that websudo feature covers Project Admin functions as well as System Admin functions. Project Admin rights are assigned by a project role; is there a reason it also requires a second login? Getting SSO to work with websudo resolves all this, but if this doesn't get resolved, separating to two types of 'admin' roles would be beneficial.
If your SSO-account is linked to a non-privileged account, you have an infinite loop. The websudo forwards to the SSO-provider, the identity confirmation comes back, the permission check requires the websudo, the websudo forwards to the SSO-provider....and so on.
Simply turn off auto-forwarding for the websudo. This fixes the problem.
I am not sure why this issue is with low priority. When giving a support for a functionality like SAML either give full implementation or don't give it or at least mention in the document clearly that for admin login disable websudo and what other places it will not work.
This really needs to be addressed. Whats the point of giving us JIT SSO? We either have to support something else to for admins to access the console, or we turn of a security feature. This is a glaring hole in the JIT SSO 2.0 feature, that almost invalidates its existence entirely.
With Jira Data Center 8.5.4 websudo and Okta using the standard Data Center SSO integration seems to work for us. No plugins used
Looking forward for Atlassian to add this feature in their roadmap.
This also affects us, please add https://support.atlassian.com/requests/PSSRV-123566/ to the affected support ticket count.
It's also scary to see the reporter is inactive - could we get these "needs triage" / "gathering interest" cases with an inactive reporter reassigned to the Product Owner(s) for the respective products, please? It doesn't seem like this is getting enough visibility based on updates.