SAMLDC-154

Login filter doesn't use a cluster-safe configuration


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Medium
    • Versions: 4.2.28, 4.3.8
    • Component: SSO

      Issue Summary

      SSO for Atlassian Data Center 4.3.6/4.2.27 added additional security validations. In some conditions, a Jira administrator may enable the enable-authentication-fallback parameter (per Bypass SAML authentication for Jira Data Center [Jira]) but still be unable to log in.

      Steps to Reproduce

      1. Create a Data Center cluster (2+ nodes) with SSO for Atlassian Data Center 4.3.6+ or 4.2.27+.
      2. Log in to Node 1 and configure an SSO provider (SAML/OIDC).
      3. Disable the default product login form (username and password).
      4. Log out of Node 1.
      5. Send a PATCH HTTP request to <node-2-hostname>/rest/authconfig/1.0/sso, setting the enable-authentication-fallback parameter to true.
      6. Attempt to log in to Node 1 using <node-1-hostname>/login.jsp?auth_fallback.

      Expected Results

      The product default login page displays when using the "auth_fallback" parameter. An admin can successfully log in after submitting the form with valid credentials.

      Actual Results

      The product default login page displays when using the "auth_fallback" parameter. After submitting the form with valid credentials, the user is sent to <node-1-hostname>/login.jsp with the following unformatted response body:

      <warning>
      	<message>
      		Login form has been disabled on this instance.
      	</message>
      </warning>

      Logs

      When trace logs for SSO for Atlassian Data Center are enabled, the following relevant data is recorded in the application logs:

      On login form page load
      2024-05-06 00:00:00,000+0000 http-nio-8080-exec-1 TRACE anonymous 1x1x1 abcdef 0.0.0.0 /login.jsp [c.a.p.a.i.w.filter.authentication.AuthenticationFilter] Not attempting external authentication, native login is the only option
      
      On login form submission
      2024-05-06 00:00:10,000+0000 http-nio-8080-exec-2 TRACE anonymous 2x2x2 abcdef 0.0.0.0 /login.jsp [c.a.p.a.i.basicauth.filter.DisableBasicAuthFilter] Allowing HTTP request: /login.jsp
      2024-05-06 00:00:10,000+0000 http-nio-8080-exec-2 TRACE anonymous 2x2x2 abcdef 0.0.0.0 /login.jsp [c.a.p.a.i.w.filter.loginform.DisableNativeLoginAuthFilter] Blocking HTTP request - Native Login is not allowed: /login.jsp
      

      Workaround

      After sending the PATCH REST API request, perform a rolling restart to flush the configuration cache.

              Rostyslav Shurukhin
              Benjamin S