Versions Compared

Old Version 1

changes.mady.by.user Christian Eitel

Saved on

compared with

New Version Current

changes.mady.by.user Jaime Capitel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Warning

!!! We have migrated this cloud instance to our own hosted server instance !!!


Please follow this link to find the content you are looking for: Admin password prompt (WebSudo)

Thank you for your understanding.

Problem

We've noticed that if we log in using SSO to our ADFS with a jira/confluence-administrator (or confluence) user, when we try to go to an administration page, we are prompted to re-enter the user password for sudo, then an error is returned.

 This only happens when the Jira/Confluence User in Question is not in the local User Directory and authentication against the remote directory does not work.

A typical case would be a sync'd Active Directory but direct authentication against AD doesn't work (only via ADFS).

The error you may see looks like this:

The error page is /secure/admin/WebSudoAuthenticate.jspa
The error is

Technical details

Log's referral number: 057a7ebe-80fc-419a-8a6a-0416afd26961

Cause

Referer URL: /secure/admin/ViewApplicationProperties.jspa

com.atlassian.crowd.exception.runtime.OperationFailedException

Solution

The reason this is happening is that the Atlassian . Why the SAML Single Sign On plugin does not perform the authentication process ?

Solution

The WebSudo component does not use the SAML SSO Plugin for authentication. If you run into this error then you You essentially have three two options:

...

  1. You login/create a normal administrator account with a JIRA/Confluence password and use him to access the administration section.
  2. Disable WebSudo: https://confluence.atlassian.com/jira/configuring-secure-administrator-sessions-231343939.html#ConfiguringSecureAdministratorSessions-DisablingSecureAdministratorSessions 
  3. Use local Admin Users, with a local password in the Jira/Confluence Database

A little more background:

There isn’t a good Way to implement SSO with WebSudo. Lets assume we could have WebSudo do single sign on … what would happen then is:
  1. You login to Confluence/Jira via SSO so entering your Username & Password at the IdP (if you weren’t already authenticated there).
  2. Once you want to become admin, WebSudo would send you to the IdP for authentication.
  3. The IdP sees you are already authenticated and sends you back to Jira/Confluence as AUTHENTICATED, WITHOUT asking you for the password again.
  4. Here you go you are in the admin section.  

Both from a Usability & Security perspective this is actually pretty much the same as having turned off the password prompt.
To out knowledge there is no Way via SAML Protocol to force the IdP to ask for the Password again – since our plugin can’t know the password (that would defeat the whole SAML Security architecture) we have no other Way than sending the request to the IdP.

Filter by label (Content by label)
showLabelsfalse
max5
spacesSAMLKB
showSpacefalse
sortmodified
reversetrue
typepage
cqllabel in ( "password" , "websudo" , "jira" , "fails" , "administration" , "confluence" ) and type = "page" and space = "SAMLKB"
labelsadministration jira confluence websudo password fails

...