Wednesday, February 8, 2017

Jira SSO

This post applies to cloud hosted Jira, version v1000.747.0 and ADFS as included in Windows Server 2012.

Before you start, add an administrator whose email address is outside your mycompany.com domain, so that you can still log in to Jira if the SAML configuration turns out to be wrong.

Step 1

To configure SSO we must first register our domain (SITE ADMINISTRATION -> User Management), say mycompany.com. A file generated by Jira must be served over HTTPS at https://mycompany.com/atlassian-domain-verification.html. Note the exact form of the URL: it is the bare domain, so if your site actually lives at www.mycompany.com, the DNS entry for the bare name and the redirect to https://www.mycompany.com/atlassian-domain-verification.html must be in place before Jira can verify the domain.
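Before clicking the verify button it is worth checking that both URL forms really serve the file over HTTPS. The following PowerShell snippet is an added example, not part of the original post; the token string it looks for is a placeholder, the real value is whatever Jira put in the generated file.

```powershell
# Added example (not from the original post). Checks that the Atlassian verification file is
# reachable over HTTPS at the bare domain and at www, following any redirect in between.
$expectedToken = 'atlassian-domain-verification=PLACEHOLDER-TOKEN-FROM-JIRA'   # assumed file contents

foreach ($name in 'mycompany.com', 'www.mycompany.com') {
    $url = "https://$name/atlassian-domain-verification.html"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -MaximumRedirection 5
        $final = $r.BaseResponse.ResponseUri            # where the redirect chain ended up
        $ok = ($r.StatusCode -eq 200) -and
              ($final.Scheme -eq 'https') -and          # a redirect to plain http would fail verification
              ($r.Content -like "*$expectedToken*")
        '{0} -> {1} : {2}' -f $url, $final, $(if ($ok) { 'OK' } else { 'WRONG CONTENT OR SCHEME' })
    } catch {
        '{0} -> FAILED: {1}' -f $url, $_.Exception.Message   # DNS, TLS or 404 problems land here
    }
}
```

Run it from outside the intranet (Atlassian fetches the file from the Internet), and fix DNS or the redirect until both lines report OK.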

Step 2

Fill in the required information about our Identity Provider. In this setup ADFS is reachable only from the intranet, which is fine: Atlassian never contacts ADFS directly. The user's browser is redirected to the SSO URL and then POSTs the signed assertion back to Atlassian, so only the browser needs to reach ADFS.

  • Identity provider Entity ID: http://ts-adfs.mycompany.local/adfs/services/trust
  • Identity provider SSO URL: https://ts-adfs.mycompany.local/adfs/ls/
  • Public x509 certificate: the ADFS token-signing certificate (not the SSL certificate), which Atlassian uses to verify the signature on the assertions

Step 3

In ADFS create a new Relying Party Trust (what the Jira side calls the Service Provider) using the information shown on the Jira SAML configuration page:

  • SP Entity ID: https://id.atlassian.com/login
  • SP Assertion Consumer Service URL: https://id.atlassian.com/login/saml/acs

As specified at https://confluence.atlassian.com/purchasing/saml-single-sign-on-for-atlassian-account-860002668.html, add a claim rule of type Send LDAP Attributes as Claims, with Active Directory as the attribute store, containing the following mappings (LDAP attribute -> outgoing claim type):

  • E-Mail-Addresses->E-Mail Addresses
  • Given-Name->Given Name
  • Surname->Surname
  • SAM-Account-Name->UPN

Step 4

Trying to log in to Jira now results in an error that is not very specific. Looking into the ADFS Windows logs (Applications and Services Logs -> AD FS Tracing -> Debug; this log is disabled by default and must be enabled first) you will find a message saying that the Name ID format (email) is not supported. The solution, found at http://wiki.servicenow.com/index.php?title=Configuring_ADFS_3.0_to_Communicate_with_SAML_2.0#ADFS_Relying_Party_Configuration&gsc.tab=0, is to emit the e-mail address as the SAML Name ID:

  • Add a new rule to existing claims rules, type Transform an Incoming Claim:
  • Select Incoming claim type: E-Mail Address
  • Select Outgoing claim type: Name ID
  • Outgoing name ID format: email

The resulting rule, in claim rule language, is:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
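Steps 2 to 4 can be scripted on the ADFS server instead of clicking through the console. The following PowerShell is an added example and not the post's own procedure; the trust display name, the export path and the group SID used in the authorization rule are assumptions, and the LDAP mappings and the Name ID transform are the ones listed above. It also replaces the default "permit everyone" authorization rule with one that only lets members of one AD group reach Jira, which is the least-privilege setting a practitioner would want.

```powershell
# Added example (not from the original post): ADFS side of Steps 2-4 with the AD FS cmdlets.
# Assumptions: display name, export path, and the group SID in the authorization rule.
Import-Module ADFS -ErrorAction SilentlyContinue   # ADFS 2.x on Server 2012: Add-PSSnapin Microsoft.Adfs.PowerShell

# --- Step 2: values to paste into the Jira SAML page ---
# The Entity ID is an identifier string, which is why its http:// scheme is harmless;
# the token-signing certificate (not the SSL one) is what Atlassian verifies assertions with.
$props = Get-AdfsProperties
'Identity provider Entity ID: {0}' -f $props.Identifier
'Identity provider SSO URL  : https://{0}/adfs/ls/' -f $props.HostName

$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`n" + [Convert]::ToBase64String($der, 'InsertLineBreaks') + "`n-----END CERTIFICATE-----"
Set-Content -Path 'C:\temp\adfs-token-signing.pem' -Value $pem -Encoding Ascii   # assumed path
'Token-signing cert {0} expires {1}; re-upload to Jira before rollover' -f $signing.Certificate.Thumbprint, $signing.Certificate.NotAfter

# --- Step 3: relying party trust for Atlassian (the "Service Provider") ---
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Index 0 `
           -Uri 'https://id.atlassian.com/login/saml/acs'

# LDAP attributes from the post (mail, givenName, sn, sAMAccountName -> UPN claim)
# followed by the Step 4 transform that turns the e-mail claim into the SAML Name ID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Atlassian: AD attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,givenName,sn,sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Atlassian: e-mail as Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Only members of one AD group get a token for Jira (the console default permits all users).
# The SID below is a placeholder; take the real one from (Get-ADGroup 'Jira Users').SID.
$authzRules = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit Jira Users group only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-REPLACE-WITH-GROUP-SID$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name 'Atlassian Cloud (Jira)' -Identifier 'https://id.atlassian.com/login' `
    -SamlEndpoint $acs -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

# Check what was stored: identifier, ACS, and that assertions are signed with SHA-256.
Get-AdfsRelyingPartyTrust -Name 'Atlassian Cloud (Jira)' |
    Select-Object Name, Identifier, SignatureAlgorithm, @{ n = 'ACS'; e = { $_.SamlEndpoints | ForEach-Object Location } }

# --- Step 4 troubleshooting: the debug trace log is off by default ---
wevtutil el | Select-String -SimpleMatch 'Tracing'        # exact log name (ADFS 2.x includes the version number)
wevtutil sl 'AD FS Tracing/Debug' /e:true                 # enable it, reproduce the login, then disable again
```

Turn the debug log off again once the Name ID error is gone; it is verbose and contains the full contents of the issued tokens.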

Step 5

Trying to log in to Jira now results in a "resource not found" error, this time caused by the IIS instance that hosts the ADFS endpoint. (This and the next step only apply to ADFS 2.x, which runs on IIS; ADFS 3.0 on Windows Server 2012 R2 no longer uses IIS.)

The cause is the default URL length limit of IIS request filtering: Atlassian sends the SAML AuthnRequest with the HTTP-Redirect binding, i.e. deflated, base64-encoded and URL-encoded in the query string, which exceeds the default maxQueryString of 2048 bytes. Perform the steps explained at https://www.iis.net/configreference/system.webserver/security/requestfiltering/requestlimits:

  • Use IIS administration interface
  • Select Default Site and double click Request Filtering
  • Click on Edit Feature Settings
  • Change:
    • Maximum URL length to 8192
    • Maximum query string to 8000

Step 6

Now we get another error, due to the query string limit in ASP.NET, which is controlled by web.config (the one of the ADFS /adfs/ls application; the ASP.NET defaults are 2048 for the query string and 260 for the URL). Edit web.config as described at https://msdn.microsoft.com/en-us/library/e1f13641(v=vs.100).aspx. Only the two length attributes are the change here; leave requestValidationMode at the value the file already contains.

  <system.web>
...
    <!-- maxQueryStringLength and maxUrlLength added; keep the existing requestValidationMode -->
    <httpRuntime requestValidationMode="2.0" maxQueryStringLength="8000" maxUrlLength="8192"/>
  </system.web>
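Both limits (Step 5 and Step 6) can be set and verified from PowerShell with the WebAdministration module, and the same script decodes a captured SAMLRequest so you can see how long the request actually is and what Atlassian is asking for. This is an added example, not part of the original post; the site name and the /adfs/ls application path are assumptions for an ADFS 2.x install on IIS.

```powershell
# Added example (not from the original post): Steps 5 and 6 scripted, plus a SAMLRequest decoder.
# Assumptions: 'Default Web Site' and the '/adfs/ls' application path of ADFS 2.x on IIS.
Import-Module WebAdministration
Add-Type -AssemblyName System.Web

$site = 'IIS:\Sites\Default Web Site'
$ls   = "$site\adfs\ls"
$rf   = 'system.webServer/security/requestFiltering/requestLimits'

# Step 5: IIS request filtering (defaults: maxUrl 4096, maxQueryString 2048)
Set-WebConfigurationProperty -PSPath $site -Filter $rf -Name maxUrl         -Value 8192
Set-WebConfigurationProperty -PSPath $site -Filter $rf -Name maxQueryString -Value 8000

# Step 6: ASP.NET httpRuntime in the ADFS web.config (defaults: maxUrlLength 260, maxQueryStringLength 2048)
Set-WebConfigurationProperty -PSPath $ls -Filter 'system.web/httpRuntime' -Name maxUrlLength         -Value 8192
Set-WebConfigurationProperty -PSPath $ls -Filter 'system.web/httpRuntime' -Name maxQueryStringLength -Value 8000

# Verify both layers; the IIS limit is checked first, then the ASP.NET one.
Get-WebConfiguration -PSPath $site -Filter $rf | Select-Object maxUrl, maxQueryString
Get-WebConfiguration -PSPath $ls -Filter 'system.web/httpRuntime' | Select-Object maxUrlLength, maxQueryStringLength

# Check: paste the https://ts-adfs.../adfs/ls/?SAMLRequest=... URL the browser was redirected to.
# HTTP-Redirect binding = deflate, base64, URL-encode; this reverses it and reports the sizes
# so you can compare them with the limits above.
function Get-SamlRedirectInfo {
    param([Parameter(Mandatory)][string]$Url)
    $uri = [Uri]$Url
    $qs  = [System.Web.HttpUtility]::ParseQueryString($uri.Query)   # URL-decodes each value
    if (-not $qs['SAMLRequest']) { throw 'No SAMLRequest parameter in the URL' }
    $raw = [Convert]::FromBase64String($qs['SAMLRequest'])
    $in  = New-Object System.IO.MemoryStream(,$raw)
    $def = New-Object System.IO.Compression.DeflateStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    $xml = (New-Object System.IO.StreamReader($def)).ReadToEnd()
    [pscustomobject]@{
        UrlLength         = $Url.Length
        QueryStringLength = $uri.Query.TrimStart('?').Length
        Signed            = [bool]$qs['Signature']     # signed requests add SigAlg and Signature parameters
        AuthnRequest      = $xml
    }
}
```

If QueryStringLength is above 2048 the IIS and ASP.NET defaults reject the request before ADFS ever sees it, which is exactly the "resource not found" symptom; the decoded AuthnRequest also lets you confirm the Issuer and AssertionConsumerServiceURL match the values entered in Step 3.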

Finally

You can now log in by providing just email@mycompany.com (depending on your browser configuration you may or may not be prompted with an authentication form by ADFS: see the WIA configuration for IE/Chrome, for instance).


2 comments:

  1. Hi. Is it still working? I'm trying to do the same, but something is wrong and I see the error "Oops, you've made a malformed request."

  2. Thank you for the tutorial it works great.
