Type: Suggestion
Resolution: Unresolved
Priority: Low
Summary
Currently a JIRA admin has to obtain IdP configuration information and update it in JIRA manually. This is inconvenient when the information changes frequently on the IdP side: if the admin fails to update the SAML configuration in time, users cannot log in.
Use Case
A typical use case is the IdP's X.509 signing certificate being renewed from time to time; a JIRA admin then has to fetch the new certificate and update it in the SAML configuration form. Until that is done, every login request is rejected as bad (signature verification fails because the configured certificate no longer matches the one the IdP signs with) and users see this message in the GUI when trying to log in:
We can't log you in right now This may be for a variety of reasons, we suggest trying again. If that doesn't work, contact your JIRA administrator for help.
Environment
JIRA Data Center 7.4.x and SAML for Atlassian Data Center 2.0.3.
Suggestion
JIRA should be able to detect changes on the IdP side (for example by polling the IdP's SAML metadata endpoint) and update its stored IdP metadata automatically, so that the integration does not break on every certificate rotation.
By default, ADFS rotates the token-signing certificate once a year. After the switch it is no longer possible for any user to log in, as SAML is the only active IdP.
To fix the certificate mismatch it is required to enable auth_fallback, log in with an administrative user and replace the certificate manually. During this time no one is able to log in.
Observing the metadata endpoint would allow Jira and Confluence to fetch the new certificate before the rollover happens and would not require an admin to switch the certificate manually.
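To make the metadata-watching idea in the suggestion and in the comment above concrete, here is an added example (not code from Atlassian, the SAML plugin, or the commenters) of the check such a watcher would run: parse the IdP's SAML 2.0 metadata, collect the published signing certificates, fingerprint them, and compare against the certificate pinned in the SP configuration. It uses only the Python standard library. The metadata documents, the entityID and the "certificate" bytes are constructed placeholders, not real certificates or a real IdP; the three phases assume an ADFS-style rollover in which the successor certificate is published next to the current one before the IdP switches to it.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # for untrusted metadata prefer defusedxml's drop-in replacement
from typing import List, Tuple

# SAML 2.0 metadata and XML-DSig namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signing_certs(metadata_xml: str) -> List[bytes]:
    """Return the DER bytes of every signing certificate the IdP publishes.

    A KeyDescriptor with no `use` attribute is valid for both signing and
    encryption, so it is included; use="encryption" is skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata usually wraps the base64 body across lines; strip all whitespace.
            certs.append(base64.b64decode("".join((node.text or "").split())))
    return certs


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, the usual way to pin one in a config."""
    return hashlib.sha256(der).hexdigest()


def check_rollover(metadata_xml: str, configured_fp: str) -> Tuple[str, List[str]]:
    """Compare the configured signing cert against the IdP's current metadata.

    Returns (state, fingerprints_in_metadata), where state is one of:
      unchanged        - the configured cert is the only signing cert published
      rollover_pending - the configured cert is still published, but a successor
                         has appeared next to it, so the SP can add it now
      rotated          - the configured cert is gone; logins are already failing
      no_signing_cert  - malformed or unexpected metadata, do not touch the config
    """
    published = [fingerprint(c) for c in signing_certs(metadata_xml)]
    if not published:
        return "no_signing_cert", published
    if configured_fp not in published:
        return "rotated", published
    if len(published) > 1:
        return "rollover_pending", published
    return "unchanged", published


# ---- constructed sample input (placeholder bytes, not real certificates) ----
OLD_DER = b"constructed placeholder, not a real DER certificate (current)"
NEW_DER = b"constructed placeholder, not a real DER certificate (successor)"


def _metadata(certs_der: List[bytes]) -> str:
    """Build a minimal IdP metadata document listing the given signing certs."""
    kds = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{base64.b64encode(c).decode()}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for c in certs_der
    )
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
        'entityID="https://idp.example.test/adfs/services/trust">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{kds}</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


SAMPLES = {
    "before": _metadata([OLD_DER]),           # normal operation
    "during": _metadata([OLD_DER, NEW_DER]),  # successor published, switch not yet made
    "after": _metadata([NEW_DER]),            # IdP switched; configured cert is stale
}

if __name__ == "__main__":
    pinned = fingerprint(OLD_DER)  # what the SP has in its SAML configuration
    for phase, xml_doc in SAMPLES.items():
        state, fps = check_rollover(xml_doc, pinned)
        print(f"{phase:6}: {state:16} published={[fp[:12] for fp in fps]}")
```

In a real watcher the metadata must be fetched over TLS with certificate verification (the metadata endpoint becomes the trust root for the whole login flow), and the metadata signature should be verified where the IdP signs it. "rollover_pending" is the state worth acting on: add the successor certificate while the current one still works, rather than replacing the only trusted certificate unattended; "rotated" means the outage described above has already started and should page someone.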