Jira Data Center / JRASERVER-71282

SAML Single Sign on URL redirection in loop issue for non-authorized pages


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • Fix Version/s: None
    • Affects Version/s: 7.13.3, 8.5.4
    • Component/s: Login
    • Labels: None

      Issue Summary

      We are facing an issue when a user has a bookmarked page (a Jira admin page, e.g. https://<base-url>/secure/admin/ViewApplicationProperties.jspa) and tries to open the bookmarked URL directly: the browser is redirected back and forth between the SAML sign-on URL and the Jira URL, and this redirection keeps going in a loop. The only way to get out of it is to close the browser.

      Note: Disabling websudo does not resolve the loop.

      Use Case: Admin users sometimes need to sign in with a non-admin user account for test purposes. Sooner or later an admin page is accessed by mistake, which triggers a loop that can only be ended by closing the browser.

      Steps to Reproduce

      1. Have SAML single sign-on enabled.
      2. Bookmark a URL from the admin secure section, for instance the user management page at http://<jira base URL>/secure/admin/user/UserBrowser.jspa
      3. Open a new incognito browser window and sign in as a non-admin user.
      4. Paste the URL bookmarked in step 2 into the address bar.

      Expected Results

      • Permission denied error message, landing at the user dashboard page
        or
      • Permission denied error message, landing at the login page with the URL cleaned

      Actual Results

      • The browser is redirected between the sign-on URL and the Jira URL, and this redirection keeps going in a loop.
      • The following sequence of URLs can be observed (it then repeats):
        http://<jira base URL>/login.jsp?permissionViolation=true&os_destination=%2Fsecure%2Fadmin%2Fuser%2FUserBrowser.jspa%3F&page_caps=&user_role=ADMIN
        http://<jira base URL>/plugins/servlet/sso-logout
        http://<jira base URL>/login.jsp?permissionViolation=true&os_destination=%2Fsecure%2Fadmin%2Fuser%2FUserBrowser.jspa%3F&page_caps=&user_role=ADMIN
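      Added example, not part of this issue or of Atlassian's code: a small Python check that scans constructed access-log lines for the login.jsp/sso-logout alternation shown above and reports, per client, how many times the cycle occurred and which os_destination it is stuck on. The log line shape (client, method, path, status) and the client addresses are assumptions made for the sample.

```python
# Added example (not from the Jira issue): detect the login.jsp <-> sso-logout
# redirect ping-pong described above in constructed access-log lines.
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample lines: "<client> <method> <path> <status>" (assumed format).
SAMPLE_LOG = """\
10.0.0.5 GET /secure/admin/user/UserBrowser.jspa 302
10.0.0.5 GET /login.jsp?permissionViolation=true&os_destination=%2Fsecure%2Fadmin%2Fuser%2FUserBrowser.jspa%3F&page_caps=&user_role=ADMIN 302
10.0.0.5 GET /plugins/servlet/sso-logout 302
10.0.0.5 GET /login.jsp?permissionViolation=true&os_destination=%2Fsecure%2Fadmin%2Fuser%2FUserBrowser.jspa%3F&page_caps=&user_role=ADMIN 302
10.0.0.5 GET /plugins/servlet/sso-logout 302
10.0.0.5 GET /login.jsp?permissionViolation=true&os_destination=%2Fsecure%2Fadmin%2Fuser%2FUserBrowser.jspa%3F&page_caps=&user_role=ADMIN 302
10.0.0.9 GET /login.jsp?os_destination=%2Fsecure%2FDashboard.jspa 302
10.0.0.9 GET /secure/Dashboard.jspa 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def classify(path):
    """Map a request path to one of the two loop endpoints, or None for anything else."""
    parsed = urlparse(path)
    if parsed.path == "/login.jsp" and parse_qs(parsed.query).get("permissionViolation") == ["true"]:
        return "login-denied"
    if parsed.path == "/plugins/servlet/sso-logout":
        return "sso-logout"
    return None

def find_redirect_loops(log_text, min_cycles=2):
    """Return {client: (cycles, os_destination)} for every client whose requests
    alternate permission-violation login page -> sso-logout at least min_cycles
    times, which is the signature of the loop in this issue."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines
        client, _method, path, _status = m.groups()
        kind = classify(path)
        if kind:
            per_client[client].append((kind, path))
    loops = {}
    for client, events in per_client.items():
        cycles = sum(1 for i in range(len(events) - 1)
                     if events[i][0] == "login-denied" and events[i + 1][0] == "sso-logout")
        if cycles >= min_cycles:
            first_login = next(p for k, p in events if k == "login-denied")
            dest = parse_qs(urlparse(first_login).query).get("os_destination", [""])[0]
            loops[client] = (cycles, dest)   # dest is the bookmarked admin page
    return loops
```

Clients that merely pass through login.jsp without permissionViolation=true (10.0.0.9 in the sample) are not reported, so the check isolates the failing case rather than ordinary SSO logins.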

      Workaround

      • Close the browser to interrupt the loop
      • Edit the bookmark, removing the restricted page

      Assignee: Unassigned
      Reporter: imurakami@atlassian.com (Murakami)
      Votes: 8
      Watchers: 9