
Copy of Jira/Confluence admin password prompt (WebSudo) fails


Problem

If you log in via SSO against ADFS with a user who is a jira-administrator (or confluence-administrator) and then open an administration page, you are prompted to re-enter the user's password for WebSudo, and an error is returned.

This only happens when the Jira/Confluence user in question is not in the local User Directory and authentication against the remote directory does not work.

A typical case is a synchronised Active Directory where direct authentication against AD does not work (only via ADFS).

The error you may see looks like this:

The error page is /secure/admin/WebSudoAuthenticate.jspa
The error is:

Technical details

Log's referral number: 057a7ebe-80fc-419a-8a6a-0416afd26961

Cause

Referer URL: /secure/admin/ViewApplicationProperties.jspa

com.atlassian.crowd.exception.runtime.OperationFailedException


Solution

The reason this is happening is that the Atlassian WebSudo component does not use the SAML SSO Plugin for authentication.

If you run into this error, you essentially have three options:

  1. Re-establish the authentication option towards AD/LDAP, or whatever your external User Directory is.
  2. Disable WebSudo: https://confluence.atlassian.com/jira/configuring-secure-administrator-sessions-231343939.html#ConfiguringSecureAdministratorSessions-DisablingSecureAdministratorSessions
  3. Use local admin users with a local password in the Jira/Confluence database.
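To find out which users are hitting this before choosing one of the options above, the failing WebSudo requests can be pulled out of the application log. The following is an added example, not Atlassian code; the log line layout, user names, IPs and referral ids in the sample are constructed assumptions, so adjust the regular expression to match your own log format.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled loosely on a Jira application log.
# Layout, timestamps, users, request ids and referral ids are assumptions.
SAMPLE_LOG = """\
2024-05-02 10:14:03,118 http-nio-8080-exec-7 INFO jsmith 614x8831x1 1a2b3c 10.0.1.25 /secure/admin/ViewApplicationProperties.jspa [c.a.j.security.websudo] WebSudo required, redirecting to /secure/admin/WebSudoAuthenticate.jspa
2024-05-02 10:14:21,402 http-nio-8080-exec-9 ERROR jsmith 614x8832x1 1a2b3c 10.0.1.25 /secure/admin/WebSudoAuthenticate.jspa [c.a.j.web.action.JiraWebActionSupport] Exception occurred: com.atlassian.crowd.exception.runtime.OperationFailedException (referral 00000000-0000-4000-8000-000000000001)
2024-05-02 10:15:07,009 http-nio-8080-exec-2 INFO admin 614x8840x1 9d8e7f 10.0.1.30 /secure/admin/WebSudoAuthenticate.jspa [c.a.j.security.websudo] WebSudo session granted
"""

# Assumed layout: timestamp thread level user request-id session-id ip path rest
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<thread>\S+) (?P<level>\w+) (?P<user>\S+) "
    r"(?P<req>\S+) (?P<sess>\S+) (?P<ip>\S+) (?P<path>\S+) (?P<rest>.*)$"
)
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Values taken from the error page this article describes.
WEBSUDO_PATH = "/secure/admin/WebSudoAuthenticate.jspa"
CROWD_FAILURE = "com.atlassian.crowd.exception.runtime.OperationFailedException"


def find_websudo_failures(log_text: str) -> List[Dict[str, str]]:
    """Return one record per WebSudo request that failed because the user
    directory could not authenticate the user (the Crowd exception above).
    The user names listed are the accounts that need a working directory
    or a local password before WebSudo can succeed for them."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("path") != WEBSUDO_PATH:
            continue
        if CROWD_FAILURE not in m.group("rest"):
            continue  # WebSudo request that did not fail on the directory
        ref = UUID_RE.search(m.group("rest"))
        hits.append({
            "time": m.group("ts"),
            "user": m.group("user"),
            "ip": m.group("ip"),
            "referral": ref.group(0) if ref else "",
        })
    return hits


if __name__ == "__main__":
    for hit in find_websudo_failures(SAMPLE_LOG):
        print(hit)
```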


A little more background:

There isn't a good way to implement SSO with WebSudo. Let's assume we could have WebSudo do single sign-on. What would happen then is:
  1. You log in to Confluence/Jira via SSO, entering your username and password at the IdP (if you weren't already authenticated there).
  2. Once you want to become admin, WebSudo would send you to the IdP for authentication.
  3. The IdP sees you are already authenticated and sends you back to Jira/Confluence as AUTHENTICATED, WITHOUT asking you for the password again.
  4. You are in the admin section.
From both a usability and a security perspective this is practically the same as having turned off the password prompt.
To our knowledge there is no way via the SAML protocol to force the IdP to ask for the password again. Since our plugin can't know the password (that would defeat the whole SAML security architecture), we have no other way than sending the request to the IdP.
