
Service Desk login does NOT respect use of custom Seraph Authenticator

    • We collect Jira Service Desk feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for JIRA Service Desk Server. Using JIRA Service Desk Cloud? See the corresponding suggestion.

      We use a custom Seraph authenticator / Seraph config to authenticate users against an external Single Sign On process to log in to our JIRA instance.

      Standard pages within JIRA (e.g., browsing to a specific issue) correctly respect the Seraph config and redirect unauthenticated users according to the Seraph login.url parameter.

      Service Desk does not respect this parameter, and instead, prompts unauthenticated users to log in via its own custom login page (e.g., <server>/servicedesk/customer/portal/1/user/login).

      This is problematic for us. Our users who land on the Service Desk provided login page are stuck; their accounts in JIRA do not have passwords set up, so they can never successfully log in on this page.


      Steps to reproduce expected behavior:

      1. Configure JIRA to use a seraph-config.xml Seraph configuration that includes a value for the login.url parameter.
      2. Be logged OUT of JIRA.
      3. Browse to a secure page not provided by Service Desk, e.g., <server>/browse/DESK-2.
      4. Notice that JIRA redirects you to the login page provided in the Seraph configuration

      Steps to reproduce wrong behavior:

      1. Configure JIRA to use a seraph-config.xml Seraph configuration that includes a value for the login.url parameter.
      2. Be logged OUT of JIRA.
      3. Browse to a secure page provided by Service Desk, e.g., <server>/servicedesk/customer/portal/1/DESK-2.
      4. Notice that JIRA does not redirect you to the login page provided in the Seraph configuration


      Attached, please find three screenshots:

      • A snippet of our seraph-config.xml file
      • Network activity when starting un-authenticated, going to a "standard" JIRA page, and having JIRA redirect the user according to the Seraph configuration
      • Network activity when starting un-authenticated, going to a Service Desk provided page, and having JIRA (wrongly) redirect the user – not to the Seraph specified location – but to a custom Service Desk login page

            [JSDSERVER-1025] Service Desk login does NOT respect use of custom Seraph Authenticator

            Matthew McMahon (Inactive) added a comment -

            The way that it works for the customer portal, is to retrieve the link login url from the seraph config.

            Having this, if it does not start with the standard JIRA value of /login.jsp? then it will perform a redirect to the configured value.

            However if the url still begins with /login.jsp? then it assumes JIRA login is used, and will therefore redirect to the customer portal login.

            Hope this helps, understand what might be occurring.

            Matt

            Christopher Gronde added a comment -

            If you see above there are other people that have mentioned this request/issue is NOT resolved. It has not been fixed. No matter what I am forced to the Customer Portal login prompt and not authenticating through seraph-config.xml. I have searched ALL over here and answers.atlassian.com and NOWHERE does it mention how to fix this.

            Matthew McMahon (Inactive) added a comment -

            This has been fixed since 3.0.2 and will respect the seraph-config.xml.

            If this is not your experience, I would recommend raising a support request to assist with investigations.

            Regards
            Matt

            Christopher Gronde added a comment -

            We also have a custom Seraph authenticator and this issue is preventing us from using JSD. This is over a year old and still nothing done about it. Is this still being considered/worked?

            Matthew McMahon (Inactive) added a comment -

            Hi juzer

            Could you please raise a new issue (bug) for the logout semantics not being respected?

            Regards
            Matt
            JIRA Service Desk developer

            Juzer Ali added a comment -

            I am trying to integrate our company's SSO with Jira Service Desk. I am using Jira Service Desk 3.1.2. login.url works just fine. But JIRA Service Desk customer portal does not seem to respect semantics of logout.url. The Seraph documentation states that

            <!-- URL for logging out.

            • If relative, Seraph just redirects to this URL, which is responsible for calling Authenticator.logout().
            • If absolute (eg. SSO applications), Seraph calls Authenticator.logout() and redirects to the URL
              -->

            However, clicking logout on JSD customer portal redirects to the provided absolute url very well, but it does NOT log out the user from Jira. Upon inspecting the logout link, I can see that it's just an anchor tag with an HREF to our company's logout link. No request goes to JIRA to attempt to log out the user from JIRA (Service Desk).

            P.S.: Logout link works fine from JIRA app (e.g. not Service Desk).
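
Added example (not part of the issue and not Atlassian's code): an audit of a seraph-config.xml against the two rules quoted in this thread, the developer's `/login.jsp?` prefix check for the portal login redirect and the Seraph documentation's relative/absolute `logout.url` distinction. The sample config and `sso.example.com` are constructed, and reading "the link login url" as the `link.login.url` parameter is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample; sso.example.com is a placeholder, not from the issue.
SAMPLE = """<security-config><parameters>
  <init-param><param-name>login.url</param-name>
    <param-value>https://sso.example.com/login?target=${originalurl}</param-value></init-param>
  <init-param><param-name>link.login.url</param-name>
    <param-value>/login.jsp?os_destination=${originalurl}</param-value></init-param>
  <init-param><param-name>logout.url</param-name>
    <param-value>https://sso.example.com/logout</param-value></init-param>
</parameters></security-config>"""

DEFAULT_LOGIN_PREFIX = "/login.jsp?"  # the "standard JIRA value" named in the thread


def seraph_params(xml_text):
    """Return {param-name: param-value} for every <init-param> entry."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("param-name") or "").strip():
            (p.findtext("param-value") or "").strip()
            for p in root.iter("init-param")}


def classify_login(value):
    """Return 'missing', 'default' (starts with /login.jsp?) or 'custom'."""
    if not value:
        return "missing"
    return "default" if value.startswith(DEFAULT_LOGIN_PREFIX) else "custom"


def audit(xml_text, portal_param="link.login.url"):
    """Apply the rules quoted in the thread to a seraph-config.xml."""
    # Assumption: the "link login url" the portal reads is link.login.url.
    params = seraph_params(xml_text)
    report = {name: classify_login(params.get(name, ""))
              for name in ("login.url", "link.login.url")}
    # Developer's rule: custom value -> redirect there; default -> portal login.
    report["portal_login"] = ("configured URL" if report[portal_param] == "custom"
                              else "portal login page")
    logout = params.get("logout.url", "")
    # Quoted Seraph doc: absolute -> Seraph calls logout(); relative -> target must.
    report["logout.url"] = ("missing" if not logout else
                            "absolute" if urlsplit(logout).scheme else "relative")
    return report


if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the constructed sample, `login.url` is custom but `link.login.url` still has the default prefix, so under the stated assumption the rule sends portal users to the portal's own login page.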

            Jörg added a comment - - edited

            I also think that this issue is not fixed.
            We used a workaround which temporarily added sd-customers to a group with JIRA-Core-access and removed them after authentication, but this is no longer working with JIRA 7.0.5.

            The link above about how to integrate the SSO provider leads to a "page not found" error.
            Some more explanation what to do in the Authenticator to make it work would be essential for us.

            ɹǝʞɐq pɐɹq added a comment -

            This issue was incorrectly marked as done.

            While JSD Portal will work with SSO providers such as Crowd, it does not work with SSO providers that require a "login page" redirect.

            As such we can't consider this issue closed.

            Chuong Nam Nguyen (Inactive) added a comment -

            "Single Sign On to the JSD customer portal has been confirmed to work with Seraph security providers such as Atlassian Crowd. Please see this page on how to integrate your SSO provider".

            Stian Bentsen Sveen added a comment -

            I would be just as happy if I could exclude our two factor authentication from our JSD portal since it's not supposed to be available outside our network anyways. We only use it for JIRA for our admin users that want to work outside our offices.

            I don't know if this issue and my issue with Duo Security is the exact same problem though.

            Should I create a separate ticket for Duo Security?

              mmcmahon Matthew McMahon (Inactive)
              4a5c06810f17 Adam Krouskop
              Votes: 24
              Watchers: 38