Jira SSO (Azure AD)
Prerequisites
An Azure AD subscription.
JIRA Core and Software 6.4+, or JIRA Service Desk 3.0+, installed on Windows or Linux.
JIRA server is HTTPS enabled (See Jira AWS SSL)
A supported version of the JIRA Plugin (built-in as "SSO 2.0" in recent versions of Jira)
JIRA and Azure AD can reach each other over the internet, so that Jira can accept an authentication token from Azure AD
Admin credentials are set up in JIRA
WebSudo is disabled in JIRA
Test user created in the JIRA server application
Single Sign On
Configuration is required on both Azure AD and Jira.
Azure AD
Decide on the AD groups to be used to control Jira access levels. At a minimum you will need groups covering Jira Portal access, Jira Agent access and Jira Admin access. For example, if all users are in a group called All-Users and you want every user to be able to access the Jira Portal page as a 'customer', use that group for Jira Portal access. Create new groups where appropriate.
To add the required JIRA SAML SSO application...
In the Azure portal, open the Azure Active Directory service, navigate to Enterprise Applications and then select All Applications.
To add a new application, select New application. In the Add from the gallery section, type JIRA SAML SSO by Microsoft in the search box.
Select JIRA SAML SSO by Microsoft from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
On the JIRA SAML SSO by Microsoft application integration page, find the Manage section and select single sign-on.
On the Select a single sign-on method page, select SAML.
On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings.
On the Basic SAML Configuration section, enter the values for the following fields:
Sign-on URL:
https://jiraservicedesk.yourdomain.co.uk/plugins/servlet/saml/auth
Identifier:
https://jiraservicedesk.yourdomain.co.uk
Reply URL:
https://jiraservicedesk.yourdomain.co.uk/plugins/servlet/samlconsumer
Jira
To get to the SSO setup page...
Click the Administration "cog" icon (top right, next to your avatar).
Choose "System" (bottom of dropdown list)
In the left-hand menu, under the "SECURITY" heading of "General Configuration", click the "SSO 2.0" menu item.
JIT user provisioning delegates user and group management to Azure AD. When a user first logs in, a new Jira user is created and, at the same time, any groups the user is a member of that have been set to propagate in Azure AD and do not yet exist in Jira are created. This is all that should be required for Portal users. For application access and admin privileges you will need to grant those privileges to the new groups once they have been created from Azure AD.
Troubleshooting
Review the logs on the Jira server...
/var/atlassian/application-data/jira/log
Bypassing SAML SSO (REST)
This method is preferred as it does not involve stopping Jira.
Assumptions
You have a non-SAML admin user configured in Confluence with a known password.
You have a REST tool able to make GET and PUT requests. These instructions use the Insomnia tool.
Check SAML Configuration
In Insomnia...
Create a new request (My Request)
Select "Basic" authentication and enter the username and password of the non-SSO admin user
Select "GET" from the dropdown in the white bar at the top. Enter https://yourJiraServer/rest/authconfig/1.0/sso
Click "Send"
Return code should be 200
The Preview should show the certificate and the values of various configuration items. We are interested in "allow-redirect-override".
Update SAML Configuration
Select "PUT" from the dropdown. Enter https://yourJiraServer/rest/authconfig/1.0/sso
Select "Basic" authentication and enter the username and password of the non-SSO admin user
In the "Body" tab select "JSON".
Paste the following...
{
"allow-redirect-override": true
}
Click "Send".
Return code should be 200
Use this URL to bypass SSO...
https://YourJiraServer/login.jsp?auth_fallback
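The same GET and PUT as above, driven from a script instead of Insomnia, as an added example that is not part of the original page. It assumes only what the page states: the /rest/authconfig/1.0/sso endpoint, HTTP Basic authentication as a non-SSO admin user, the "allow-redirect-override" key and a 200 response on success. Host names, user names and the environment variable names are placeholders. It goes one step beyond the page by re-reading the configuration after the PUT to confirm the flag changed, and by accepting "disable" so the override can be switched off again once normal SSO is working.

```python
"""Break-glass helper for the SAML redirect override via Jira's authconfig REST API.

Added example, not from the original page. It only assumes what the page states:
the GET/PUT endpoint /rest/authconfig/1.0/sso, HTTP Basic auth as a non-SSO admin,
the "allow-redirect-override" key, and a 200 response on success. Host names,
user names and environment variable names below are placeholders.
"""
import base64
import json
import os
import sys
import urllib.request

SSO_PATH = "/rest/authconfig/1.0/sso"
OVERRIDE_KEY = "allow-redirect-override"


def sso_endpoint(base_url: str) -> str:
    """Build the authconfig URL from the Jira base URL; a trailing slash is tolerated."""
    return base_url.rstrip("/") + SSO_PATH


def fallback_login_url(base_url: str) -> str:
    """The non-SSO login page the page's procedure finishes on."""
    return base_url.rstrip("/") + "/login.jsp?auth_fallback"


def basic_auth_header(username: str, password: str) -> str:
    """The same header Insomnia's "Basic" option sends."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def override_enabled(config: dict) -> bool:
    """Read the flag from the GET body; a missing key is treated as disabled."""
    return bool(config.get(OVERRIDE_KEY, False))


def override_payload(enabled: bool) -> bytes:
    """JSON body for the PUT: the single key the page pastes into Insomnia."""
    return json.dumps({OVERRIDE_KEY: enabled}).encode("utf-8")


def _request(method: str, url: str, auth: str, body=None):
    """Send one authenticated request and return (status, parsed JSON or {})."""
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Authorization", auth)
    req.add_header("Accept", "application/json")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read().decode("utf-8")
        return resp.status, (json.loads(raw) if raw.strip() else {})


def get_sso_config(base_url: str, username: str, password: str) -> dict:
    """Step 1 of the page: GET the current SSO configuration (expects 200)."""
    status, cfg = _request("GET", sso_endpoint(base_url), basic_auth_header(username, password))
    if status != 200:
        raise RuntimeError(f"GET {SSO_PATH} returned {status}, expected 200")
    return cfg


def set_redirect_override(base_url: str, username: str, password: str, enabled: bool) -> dict:
    """Step 2 of the page: PUT the flag, then re-read the config to confirm it stuck."""
    auth = basic_auth_header(username, password)
    status, _ = _request("PUT", sso_endpoint(base_url), auth, override_payload(enabled))
    if status != 200:
        raise RuntimeError(f"PUT {SSO_PATH} returned {status}, expected 200")
    cfg = get_sso_config(base_url, username, password)
    if override_enabled(cfg) != enabled:
        raise RuntimeError("override flag did not change; check the admin user's rights")
    return cfg


if __name__ == "__main__":
    # Usage: JIRA_BASE_URL=... JIRA_ADMIN_USER=... JIRA_ADMIN_PASS=... python3 sso_override.py enable|disable|status
    action = sys.argv[1] if len(sys.argv) > 1 else "status"
    base = os.environ["JIRA_BASE_URL"]
    user, pw = os.environ["JIRA_ADMIN_USER"], os.environ["JIRA_ADMIN_PASS"]
    if action in ("enable", "disable"):
        cfg = set_redirect_override(base, user, pw, action == "enable")
    else:
        cfg = get_sso_config(base, user, pw)
    print(f"{OVERRIDE_KEY} = {override_enabled(cfg)}")
    if override_enabled(cfg):
        print("non-SSO login available at:", fallback_login_url(base))
```

Run it with "status" first to see the current value (the same information as the Insomnia Preview), "enable" to open the auth_fallback login page, and "disable" once the SAML configuration is repaired so that the override does not stay on longer than the recovery needs it.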
Bypassing SAML SSO (DB)
Stop Jira
SELECT propertyentry.id
FROM propertyentry
JOIN propertystring ON propertyentry.id=propertystring.id
WHERE property_key='com.atlassian.plugins.authentication.samlconfig.allow-saml-override';
This should return an ID to be plugged into the UPDATE below (the UPDATE uses 17074 as an example; substitute the ID returned by the SELECT)...
UPDATE propertystring SET propertyvalue = 'true' WHERE id=17074;
Start Jira
Use this URL to bypass SSO...
https://YourJiraServer/login.jsp?auth_fallback
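The SELECT and UPDATE above as one scripted, transactional step, as an added example that is not part of the original page. It runs the page's two statements against an in-memory SQLite stand-in whose tables and columns are constructed to match the names the page's SQL uses; the row ids and the second property key are made up. Against a real Jira database only the driver changes (the statements stay the same), and Jira must be stopped first, as the page says. The point it adds is that the id comes from the SELECT rather than being hard-coded, exactly one row must match, and the value is read back afterwards.

```python
"""Look up and set the SAML override flag in the propertyentry/propertystring tables.

Added example, not from the original page. Runs against an in-memory SQLite
stand-in: the tables and columns are constructed to match the names used in the
page's SQL; the row ids and the filler property key are made up.
"""
import sqlite3

OVERRIDE_KEY = "com.atlassian.plugins.authentication.samlconfig.allow-saml-override"


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: one unrelated property and the override flag set to 'false'."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE propertyentry (id INTEGER PRIMARY KEY, property_key TEXT NOT NULL);"
        "CREATE TABLE propertystring (id INTEGER PRIMARY KEY, propertyvalue TEXT);"
    )
    rows = [
        (17073, "com.example.unrelated.setting", "42"),  # hypothetical filler row
        (17074, OVERRIDE_KEY, "false"),                   # the id the page's UPDATE hard-codes
    ]
    for pid, key, value in rows:
        conn.execute("INSERT INTO propertyentry (id, property_key) VALUES (?, ?)", (pid, key))
        conn.execute("INSERT INTO propertystring (id, propertyvalue) VALUES (?, ?)", (pid, value))
    conn.commit()
    return conn


def find_override_id(conn: sqlite3.Connection) -> int:
    """The page's SELECT, parameterised, insisting on exactly one matching row."""
    ids = [row[0] for row in conn.execute(
        "SELECT propertyentry.id FROM propertyentry "
        "JOIN propertystring ON propertyentry.id = propertystring.id "
        "WHERE property_key = ?", (OVERRIDE_KEY,))]
    if len(ids) != 1:
        raise LookupError(f"expected exactly one row for {OVERRIDE_KEY}, found {len(ids)}")
    return ids[0]


def current_override(conn: sqlite3.Connection) -> str:
    """Read back the stored value ('true'/'false') so the change can be confirmed."""
    row = conn.execute("SELECT propertyvalue FROM propertystring WHERE id = ?",
                       (find_override_id(conn),)).fetchone()
    return row[0]


def set_override(conn: sqlite3.Connection, enabled: bool) -> int:
    """The page's UPDATE, using the id the SELECT returned instead of a hard-coded one."""
    pid = find_override_id(conn)
    with conn:  # one transaction: rolled back if the UPDATE does not touch exactly one row
        cur = conn.execute("UPDATE propertystring SET propertyvalue = ? WHERE id = ?",
                           ("true" if enabled else "false", pid))
        if cur.rowcount != 1:
            raise RuntimeError(f"UPDATE matched {cur.rowcount} rows for id {pid}")
    return pid


if __name__ == "__main__":
    db = build_demo_db()
    print("before:", current_override(db))
    print("updated id:", set_override(db, True))
    print("after:", current_override(db))
```

Calling set_override(conn, False) after the recovery puts the flag back, which is the same read-back-and-confirm path in reverse.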
Bibliography
SSO
https://confluence.atlassian.com/enterprise/saml-single-sign-on-for-atlassian-data-center-applications-857050705.html
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/jiramicrosoft-tutorial
https://confluence.atlassian.com/confkb/how-to-connect-confluence-data-center-with-azure-saml-sso-996705898.html
https://community.atlassian.com/t5/Jira-Questions/Connecting-JIRA-to-Azure-AD/qaq-p/573166
https://confluence.atlassian.com/adminjiraserver079/managing-global-permissions-950288425.html
https://confluence.atlassian.com/jirakb/bypass-saml-authentication-for-jira-data-center-869009810.html
https://marketplace.atlassian.com/apps/1216096/sso-for-atlassian-server-and-data-center/version-history
JIT Provisioning
https://confluence.atlassian.com/enterprise/jit-provisioning-how-to-test-your-attribute-mappings-1005791925.html
https://confluence.atlassian.com/enterprise/jit-user-provisioning-1005342579.html
LDAP
https://confluence.atlassian.com/adminjiraserver073/connecting-to-an-ldap-directory-861253200.html
SAML Bypass
https://confluence.atlassian.com/jirakb/bypass-saml-authentication-for-jira-data-center-869009810.html
Confluence
https://confluence.atlassian.com/kb/how-to-create-an-unproxied-application-link-719095740.html
https://community.atlassian.com/t5/Confluence-questions/Jira-User-Directory-linked-to-Confluence-not-working/qaq-p/678862
https://confluence.atlassian.com/confkb/unable-to-connect-to-jira-for-authentication-forbidden-403-728139630.html