
    • Type: Bug
    • Resolution: Unresolved
    • Priority: Medium
    • Affects Version/s: None
    • Fix Version/s: 4.2.28, 4.3.8
    • Component/s: SSO
    • Labels: None

Issue Summary

SSO for Atlassian Data Center 4.3.6/4.2.27 added additional security validations. In some conditions, a Jira administrator may enable the enable-authentication-fallback parameter (per Bypass SAML authentication for Jira Data Center [Jira]) but still be unable to log in.

Steps to Reproduce

1. Create a Data Center cluster (2+ nodes) with SSO for Atlassian Data Center 4.3.6+ or 4.2.27+.
2. Log in to Node 1 and configure an SSO provider (SAML/OIDC).
3. Disable the default product login form (username and password).
4. Log out of Node 1.
5. Send a PATCH HTTP request to <node-2-hostname>/rest/authconfig/1.0/sso, setting the enable-authentication-fallback parameter to true.
6. Attempt to log in to Node 1 using <node-1-hostname>/login.jsp?auth_fallback.

Expected Results

The product default login page displays when using the "auth_fallback" parameter. An admin can successfully log in after submitting the form with valid credentials.

Actual Results

The product default login page displays when using the "auth_fallback" parameter. After submitting the form with valid credentials, the user is sent to <node-1-hostname>/login.jsp with the following unformatted response body:

<warning>
	<message>
		Login form has been disabled on this instance.
	</message>
</warning>

Logs

When trace logs for SSO for Atlassian Data Center are enabled, the following relevant data is recorded in the application logs:

On login form page load
2024-05-06 00:00:00,000+0000 http-nio-8080-exec-1 TRACE anonymous 1x1x1 abcdef 0.0.0.0 /login.jsp [c.a.p.a.i.w.filter.authentication.AuthenticationFilter] Not attempting external authentication, native login is the only option

On login form submission
2024-05-06 00:00:10,000+0000 http-nio-8080-exec-2 TRACE anonymous 2x2x2 abcdef 0.0.0.0 /login.jsp [c.a.p.a.i.basicauth.filter.DisableBasicAuthFilter] Allowing HTTP request: /login.jsp
2024-05-06 00:00:10,000+0000 http-nio-8080-exec-2 TRACE anonymous 2x2x2 abcdef 0.0.0.0 /login.jsp [c.a.p.a.i.w.filter.loginform.DisableNativeLoginAuthFilter] Blocking HTTP request - Native Login is not allowed: /login.jsp
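
The two trace lines above contradict each other within one session: the AuthenticationFilter honours the fallback flag when serving the form, then DisableNativeLoginAuthFilter blocks the submission. The following Python scanner is an added example (not part of this ticket or the plugin) that correlates the two messages by session id over exported application logs and reports sessions showing that signature; the field layout of the log line and the sample lines are assumed and constructed from the excerpt above.

```python
import re
from collections import defaultdict

# Assumed Jira application log layout, taken from the ticket's excerpt:
# timestamp thread level user request-id session-id ip url [logger] message
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<thread>\S+) (?P<level>\S+) (?P<user>\S+) "
    r"(?P<request>\S+) (?P<session>\S+) (?P<ip>\S+) (?P<url>\S+) "
    r"\[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)

# Logger suffix and message fragment of the two messages quoted in the ticket.
# The first means the fallback flag was honoured while rendering the form; the
# second means it was ignored on submission. Both in one session is the bug.
FORM_SERVED = ("filter.authentication.AuthenticationFilter",
               "native login is the only option")
SUBMIT_BLOCKED = ("filter.loginform.DisableNativeLoginAuthFilter",
                  "Native Login is not allowed")

def parse_line(line):
    """Split one log line into named fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_inconsistent_sessions(lines):
    """Return {session_id: [timestamps]} for submissions that were blocked after
    the fallback login form had already been served in the same session."""
    served = defaultdict(list)
    blocked = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] != "TRACE":
            continue
        logger, msg, sess = rec["logger"], rec["msg"], rec["session"]
        if logger.endswith(FORM_SERVED[0]) and FORM_SERVED[1] in msg:
            served[sess].append(rec["ts"])
        elif logger.endswith(SUBMIT_BLOCKED[0]) and SUBMIT_BLOCKED[1] in msg:
            if served[sess]:  # only a contradiction if the form was served first
                blocked[sess].append(rec["ts"])
    return dict(blocked)

# Constructed sample: session "abcdef" reproduces the ticket's excerpt; session
# "zzzzzz" is a plain /login.jsp hit without auth_fallback, which is expected to be blocked.
SAMPLE_LINES = [
    "2024-05-06 00:00:00,000+0000 http-nio-8080-exec-1 TRACE anonymous 1x1x1 abcdef 0.0.0.0 /login.jsp [c.a.p.a.i.w.filter.authentication.AuthenticationFilter] Not attempting external authentication, native login is the only option",
    "2024-05-06 00:00:10,000+0000 http-nio-8080-exec-2 TRACE anonymous 2x2x2 abcdef 0.0.0.0 /login.jsp [c.a.p.a.i.basicauth.filter.DisableBasicAuthFilter] Allowing HTTP request: /login.jsp",
    "2024-05-06 00:00:10,000+0000 http-nio-8080-exec-2 TRACE anonymous 2x2x2 abcdef 0.0.0.0 /login.jsp [c.a.p.a.i.w.filter.loginform.DisableNativeLoginAuthFilter] Blocking HTTP request - Native Login is not allowed: /login.jsp",
    "2024-05-06 00:01:00,000+0000 http-nio-8080-exec-3 TRACE anonymous 3x3x3 zzzzzz 0.0.0.0 /login.jsp [c.a.p.a.i.w.filter.loginform.DisableNativeLoginAuthFilter] Blocking HTTP request - Native Login is not allowed: /login.jsp",
]
```

Run `find_inconsistent_sessions` over each node's log separately: a hit on a node that was not the one receiving the PATCH is what points at the stale per-node configuration cache.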

Workaround

After sending the PATCH REST API request, perform a rolling restart to flush the configuration cache.
