Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Problem

We've noticed that if we log in using SSO to our ADFS with a jira-administrator (or confluence) user, when we try to go to an administration page, we are prompted to re-enter the user password for sudo, then an error is returned.

 This only happens when the Jira/Confluence User in Question is not in the local User Directory and authentication against the remote directory does not work.

A typical case would be a sync'd Active Directory but direct authentication against AD doesn't work (only via ADFS).

The error you may see looks like this:

The error page is /secure/admin/WebSudoAuthenticate.jspa
The error is

Technical details

Log's referral number: 057a7ebe-80fc-419a-8a6a-0416afd26961

Cause

Referer URL: /secure/admin/ViewApplicationProperties.jspa

com.atlassian.crowd.exception.runtime.OperationFailedException

Solution

The reason this is happening is that the Atlassian . Why the SAML Single Sign On plugin does not perform the authentication process ?

Solution

The WebSudo component does not use the SAML SSO Plugin for authentication. If you run into this error then you You essentially have three options:

...

two options. 


  1. Disable WebSudo: https://confluence.atlassian.com/jira/configuring-secure-administrator-sessions-231343939.html#ConfiguringSecureAdministratorSessions-DisablingSecureAdministratorSessions
     
  2. Use local Admin Users, with a local password in the Jira/Confluence Database


A little more background:

There isn’t a good Way to implement SSO with WebSudo. Lets assume we could have WebSudo do single sign on … what would happen then is:
  1. You login to Confluence/Jira via SSO so entering your Username & Password at the IdP (if you weren’t already authenticated there)
  2. Once you want to become admin, WebSudo would send you to the IdP for authentication
  3. The IdP sees you are already authenticated and sends you back to Jira/Confluence as AUTHENTICATED, WITHOUT asking you for the password again.
  4. Here you go you are in the admin section.  

Both from a Usability & Security perspective this is actually pretty much the same as having turned off the password prompt.
To out knowledge there is no Way via SAML Protocol to force the IdP to ask for the Password again – since our plugin can’t know the password (that would defeat the whole SAML Security architecture) we have no other Way than sending the request to the IdP.

Filter by label (Content by label)
showLabelsfalse
max5
spacesSAMLKB
showSpacefalse
sortmodified
reversetrue
typepage
cqllabel in ("password","websudo","jira","fails","administration","confluence") and type = "page" and space = "SAMLKB"
labelsadministration jira confluence websudo password fails

...