Uploaded image for project: 'Jira Service Management Data Center'
  1. Jira Service Management Data Center
  2. JSDSERVER-630

SSO integration with Jira Service Desk

XMLWordPrintable

    • 115
    • 43
    • We collect Jira Service Desk feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for JIRA Service Desk Server. Using JIRA Service Desk Cloud? See the corresponding suggestion.

      Currently it is not possible to integrate sso with JIRA Service Desk, it would be better if can provide this functionality so that customer does not need to sign in to the customer service portal in order to raise a request.

          Form Name

            [JSDSERVER-630] SSO integration with Jira Service Desk

            Charlie Marriott added a comment - - edited

            In October 2016, we launched an add-on that would allow our Jira Service Desk Data Center offering to support SAML single sign-on. We've worked hard to bundle this with Jira Service Desk so that it works straight out of the box. From Jira Service Desk 3.3, you can now link your Data Center licensed instance to your existing supported Identity Provider (IdP), and provide your users with a single sign-on experience. This reduces the number of passwords a user needs to remember, and provides extra security for your instance.

            Please note that this is only available for Jira Service Desk Data Center, not Jira Service Desk Server.

            SAML SSO for JIRA Data Center applications & Release notes

            Charlie Marriott added a comment - - edited In October 2016, we launched an add-on that would allow our Jira Service Desk Data Center offering to support SAML single sign-on. We've worked hard to bundle this with Jira Service Desk so that it works straight out of the box. From Jira Service Desk 3.3, you can now  link your Data Center licensed instance  to your existing supported Identity Provider (IdP), and provide your users with a single sign-on experience. This reduces the number of passwords a user needs to remember, and provides extra security for your instance. Please note that this is only available for Jira Service Desk Data Center, not Jira Service Desk Server. SAML SSO for JIRA Data Center applications  &  Release notes

            shyam.bhojwani added a comment -

            Didn't work for us.

            shyam.bhojwani added a comment - Didn't work for us.

            Matthieu Luet added a comment -

            Thanks Matt Zuba, I just applied your modification on our instance and it worked. awesome work !

            Matthieu Luet added a comment - Thanks Matt Zuba, I just applied your modification on our instance and it worked. awesome work !

            Matt Zuba added a comment - - edited

            I've been able to mostly solve this for our Server implementation that is using Okta's Jira Authenticator.  Here are the basic steps:

            1. Edit  JIRA_INSTALL/conf/context.xml
            2. Add the following line to this file. Place this above the line containing </Context>
            <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
            1. Create a file named rewrite.config and place it in the JIRA_INSTALL/atlassian-jira/WEB-INF directory.
              1. The final path should be JIRA_INSTALL/atlassian-jira/WEB-INF/rewrite.config
              2. The user that JIRA runs as must be able to read this file. This file should have the same permissions as the other files in WEB-INF directory.
            2. Add the following lines to this file:
            RewriteCond %{REQUEST_URI} ^/servicedesk/customer(/.*)?/user/login [NC] 
RewriteCond %{QUERY_STRING} ^destination=(.*)$ 
RewriteRule .* /okta_login.jsp?RelayState=\%2Fservicedesk\%2Fcustomer\%2F%1 [NE,R=307,L] 

RewriteCond %{REQUEST_URI} ^/servicedesk/customer(/.*)?/user/login [NC] 
RewriteRule .* /okta_login.jsp?RelayState=\%2Fservicedesk\%2Fcustomer\%2Fportals [NE,R=307,L]

            The first rewrite cond/rule pair captures requests that have a destination parameter and the second captures requests without.  Both redirect to the okta_login.jsp page with the RelayState set so that when okta_login.jsp does the POST over to Okta, it will carry the relay state and return the user to the proper page after login.

            For those not using Okta and/or their authenticator, maybe this will give some ideas.

            I'll caveat this with the fact that my org's Jira instance is in its infancy, barely into production use, so I'm not sure if this covers any edge cases that might crop up in URLs, but I'd love any feedback or corrections if anyone has them.  For why we're using Okta's integration and not others on the Marketplace, the reason is simple - I prefer Okta's method of provisioning and assigning groups over some of the other solutions out there (User Sync, for example).  I don't mind having to modify files during upgrades, it's very little and the above will just be added to those steps.

            Matt Zuba added a comment - - edited I've been able to mostly solve this for our Server implementation that is using Okta's Jira Authenticator .  Here are the basic steps: Edit   JIRA_INSTALL/conf/context.xml Add the following line to this file. Place this above the line containing  </Context> <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" /> Create a file named rewrite.config and place it in the JIRA_INSTALL/atlassian-jira/WEB-INF directory. The final path should be JIRA_INSTALL/atlassian-jira/WEB-INF/rewrite.config The user that JIRA runs as must be able to read this file. This file should have the same permissions as the other files in WEB-INF directory. Add the following lines to this file: RewriteCond %{REQUEST_URI} ^/servicedesk/customer(/.*)?/user/login [NC] RewriteCond %{QUERY_STRING} ^destination=(.*)$ RewriteRule .* /okta_login.jsp?RelayState=\%2Fservicedesk\%2Fcustomer\%2F%1 [NE,R=307,L] RewriteCond %{REQUEST_URI} ^/servicedesk/customer(/.*)?/user/login [NC] RewriteRule .* /okta_login.jsp?RelayState=\%2Fservicedesk\%2Fcustomer\%2Fportals [NE,R=307,L] The first rewrite cond/rule pair captures requests that have a destination parameter and the second captures requests without.  Both redirect to the okta_login.jsp page with the RelayState set so that when okta_login.jsp does the POST over to Okta, it will carry the relay state and return the user to the proper page after login. For those not using Okta and/or their authenticator, maybe this will give some ideas. I'll caveat this with the fact that my org's Jira instance is in its infancy, barely into production use, so I'm not sure if this covers any edge cases that might crop up in URLs, but I'd love any feedback or corrections if anyone has them.  For why we're using Okta's integration and not others on the Marketplace, the reason is simple - I prefer Okta's method of provisioning and assigning groups over some of the other solutions out there (User Sync, for example).  I don't mind having to modify files during upgrades, it's very little and the above will just be added to those steps.

            David S added a comment -

            There are requests for SAML integration dating back to 2007. Atlassian will never add it.
            Atlassian recommends to use Third-party Plugins.

            David S added a comment - There are requests for SAML integration dating back to 2007. Atlassian will never add it. Atlassian recommends to use Third-party Plugins.

            Avinash Singh added a comment -

            Is there any workaround that we an perform for this ? 

            We are redirecting any service desk portal url requests to the base Jira url so users get single signed on, but we need to send them back to their initial request url after being signed on. How can we do this ?

             

            Avinash Singh added a comment - Is there any workaround that we an perform for this ?  We are redirecting any service desk portal url requests to the base Jira url so users get single signed on, but we need to send them back to their initial request url after being signed on. How can we do this ?  

            Martina Riedel added a comment -

            @Avinash Singh

            We have in our 7.13 Datacenter instance Settings - System - SAML Authentication. It used to be a separate free Atlassian add-on, but now it is ootb as far as I know. I googled and found https://confluence.atlassian.com/enterprise/adding-saml-integration-to-your-existing-user-management-infrastructure-861244976.html. Looks like it is datacenter only.

            hth

            Martina Riedel added a comment - @Avinash Singh We have in our 7.13 Datacenter instance Settings - System - SAML Authentication. It used to be a separate free Atlassian add-on, but now it is ootb as far as I know. I googled and found  https://confluence.atlassian.com/enterprise/adding-saml-integration-to-your-existing-user-management-infrastructure-861244976.html . Looks like it is datacenter only. hth

            Avinash Singh added a comment -

            Thanks @Martina Riedel, where is this setting that you are referring to ? Or is it through a plugin ?

            Avinash Singh added a comment - Thanks @Martina Riedel, where is this setting that you are referring to ? Or is it through a plugin ?

            Martina Riedel added a comment - - edited

            btw. in 7.13.x the out-of-the box- SAML SSO has a switch that makes it work for us. This issue needs updating I think.

            Service Desk settings

            Include customer logins
            If checked customers using Service Desk will also log in using SAML

            Martina Riedel added a comment - - edited btw. in 7.13.x the out-of-the box- SAML SSO has a switch that makes it work for us. This issue needs updating I think. Service Desk settings Include customer logins If checked customers using Service Desk will also log in using SAML

            Avinash Singh added a comment -

            We have Jira Software and Jira Service Desk on the same instance. We have integrated with OKTA to provide SAML and SSO capabilities.  Users accessing a service desk url when unauthenticated bypasses the Okta authentication and provides a services desk portal login, which is a security problem for us.  

            Avinash Singh added a comment - We have Jira Software and Jira Service Desk on the same instance. We have integrated with OKTA to provide SAML and SSO capabilities.  Users accessing a service desk url when unauthenticated bypasses the Okta authentication and provides a services desk portal login, which is a security problem for us.  

              Unassigned Unassigned
              dchua Daryl Chuah (Inactive)
              Votes:
              198 Vote for this issue
              Watchers:
              131 Start watching this issue

                Created:
                Updated:
                Resolved: