This post applies to cloud-hosted Jira, version v1000.747.0, and ADFS as included in Windows Server 2012.
Before you start, add an administrator whose email address is outside your mycompany.com
domain, so that you can still sign in to Jira if SAML ends up misconfigured and every mycompany.com login is sent to ADFS.
Step 1
In order to configure SSO integration we must first register our domain (SITE ADMINISTRATION -> User Management), let's say mycompany.com.
A verification file generated by Jira must be made available over HTTPS at https://mycompany.com/atlassian-domain-verification.html.
Note the exact format of the URL: it is the bare domain, not www, so the right DNS entry (or a redirection to https://www.mycompany.com/atlassian-domain-verification.html)
must be configured for the file to be reachable at the address Atlassian checks. Registering the domain is what lets Atlassian hand every login for that domain to our IdP, so only an owner of the domain can complete this step.
Step 2
Fill in the required information about our Identity Provider (in this setup exposed only on the intranet; that is fine because SAML web SSO is browser-mediated, so Jira redirects the user's browser to ADFS and ADFS posts the assertion back, and Atlassian never needs to reach the ADFS host itself):
- Identity provider Entity ID:
http://ts-adfs.mycompany.local/adfs/services/trust
- Identity provider SSO URL:
https://ts-adfs.mycompany.local/adfs/ls/
- Public x509 certificate
Step 3
In ADFS create a new Relying Party Trust (the Service Provider, in SAML terms) using the information shown on the Jira SAML configuration page:
- SP Entity ID:
https://id.atlassian.com/login
- SP Assertion Consumer Service URL:
https://id.atlassian.com/login/saml/acs
As specified at https://confluence.atlassian.com/purchasing/saml-single-sign-on-for-atlassian-account–860002668.html, edit the claim rules and add the following LDAP attribute mappings (using Active Directory as the attribute store, LDAP attribute -> outgoing claim type):
- E-Mail-Addresses->E-Mail Addresses
- Given-Name->Given Name
- Surname->Surname
- SAM-Account-Name->UPN
Step 4
Trying to log in to Jira now will result in an error (not very specific). By looking into the ADFS Windows logs (Applications and Services Logs -> AD FS Tracing -> Debug) you will notice a message about the Name ID format (email) not being supported: Atlassian expects the subject's NameID in emailAddress format, and the rules above only issue attribute claims, no NameID.
I found the solution at http://wiki.servicenow.com/index.php?title=Configuring_ADFS_3.0_to_Communicate_with_SAML_2.0#ADFS_Relying_Party_Configuration&gsc.tab=0:
- Add a new rule to the existing claim rules, of type Transform an Incoming Claim:
  - Incoming claim type: E-Mail Address
  - Outgoing claim type: Name ID
  - Outgoing name ID format: Email
The resulting claim rule language is:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
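The whole of Step 3 and Step 4 can be done from PowerShell on the ADFS server instead of clicking through the wizard; the following is an added example, not code from the original post or from Atlassian. It assumes the display name "Atlassian Cloud (Jira)", a permit-all authorization rule, and that the ADFS 2.x snap-in is available (on Windows Server 2012 R2 and later, use Import-Module ADFS instead). The LDAP rule and the NameID transform are the same ones the post builds in the UI.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the ADFS server.
# ADFS 2.x (Windows Server 2012) ships its cmdlets as a snap-in; on 2012 R2+ use Import-Module ADFS.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName   = "Atlassian Cloud (Jira)"                 # display name: an assumption
$entityId = "https://id.atlassian.com/login"         # SP Entity ID from the Jira SAML page
$acsUrl   = "https://id.atlassian.com/login/saml/acs" # SP Assertion Consumer Service URL

# The assertion is returned to the SP with the HTTP-POST binding.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0 -IsDefault $true

# Rule 1: Step 3 attribute mappings (mail, givenName, sn, sAMAccountName -> UPN) from Active Directory.
# Rule 2: Step 4 transform, E-Mail Address -> Name ID in emailAddress format.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Atlassian attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,givenName,sn,sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Authorization rule: permit every authenticated user (assumption; scope this to an AD group in production).
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $entityId -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

# Read the trust back: both rule sets should be listed, with the NameID transform after the LDAP rule.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, IssuanceTransformRules, IssuanceAuthorizationRules
```

Two things worth keeping in mind with this trust: the NameID that Atlassian uses to pick the account is whatever sits in the AD mail attribute, so whoever can write mail for a user can decide which Jira identity that user gets, and the permit-all authorization rule means every AD account that can authenticate to ADFS can obtain an assertion for the Atlassian relying party.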
Step 5
Trying to log in to Jira now will result in an error about a resource not being found, this time raised by IIS, which hosts the ADFS endpoint on Windows Server 2012.
The cause is the default URL length limit of IIS request filtering: the SAML request Jira sends to /adfs/ls/ travels in the query string (HTTP-Redirect binding) and is longer than the default allows. Perform the steps explained at https://www.iis.net/configreference/system.webserver/security/requestfiltering/requestlimits:
- Use the IIS administration interface
- Select Default Web Site and double click Request Filtering
- Click on Edit Feature Settings
- Change:
  - Maximum URL length to 8192
  - Maximum query string to 8000
Step 6
We now get another error, due to the query string limit enforced by ASP.NET itself, as controlled by web.config (IIS request filtering and ASP.NET are two separate checks, and both must allow the request).
Edit the web.config of the ADFS web application as mentioned at https://msdn.microsoft.com/en-us/library/e1f13641(v=vs.100).aspx:
<system.web>
  ...
  <httpRuntime requestValidationMode="2.0" maxQueryStringLength="8000" maxUrlLength="8192" />
</system.web>
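Step 5 and Step 6 set the same two limits in two layers, IIS request filtering and ASP.NET, and the login only works once both agree. The following added example (not from the original post) applies both layers from PowerShell and reads them back together, so a mismatch is visible at once. It assumes the ADFS 2.x application lives under Default Web Site at /adfs/ls (the usual C:\inetpub\adfs\ls layout); adjust $site and $app if yours differs.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the ADFS/IIS server.
Import-Module WebAdministration

$site = 'IIS:\Sites\Default Web Site'   # assumption: ADFS is hosted on Default Web Site
$app  = "$site\adfs\ls"                 # assumption: the ADFS sign-in application path
$maxUrl   = 8192                        # values from the post
$maxQuery = 8000

# Step 5: IIS request filtering limits (system.webServer/security/requestFiltering/requestLimits)
$rf = 'system.webServer/security/requestFiltering/requestLimits'
Set-WebConfigurationProperty -PSPath $site -Filter $rf -Name maxUrl         -Value $maxUrl
Set-WebConfigurationProperty -PSPath $site -Filter $rf -Name maxQueryString -Value $maxQuery

# Step 6: ASP.NET limits in the ADFS application's web.config (system.web/httpRuntime)
$rt = 'system.web/httpRuntime'
Set-WebConfigurationProperty -PSPath $app -Filter $rt -Name maxUrlLength          -Value $maxUrl
Set-WebConfigurationProperty -PSPath $app -Filter $rt -Name maxQueryStringLength  -Value $maxQuery
Set-WebConfigurationProperty -PSPath $app -Filter $rt -Name requestValidationMode -Value '2.0'

# Read back both layers; any column lower than the SAML request length explains a "resource not found"
# or "malformed request" at the ADFS endpoint.
$iis = Get-WebConfiguration -PSPath $site -Filter $rf
$net = Get-WebConfiguration -PSPath $app  -Filter $rt
[pscustomobject]@{
    IIS_maxUrl               = $iis.maxUrl
    IIS_maxQueryString       = $iis.maxQueryString
    AspNet_maxUrlLength      = $net.maxUrlLength
    AspNet_maxQueryString    = $net.maxQueryStringLength
    AspNet_requestValidation = $net.requestValidationMode
}
```

Raise the limits only as far as the SAML request needs; the values above are the ones the post uses. requestValidationMode="2.0" makes ASP.NET 4 validate request data lazily, when a page reads it, rather than for every request up front, so keep that setting scoped to the ADFS application rather than applying it at the server root.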
Finally
You can now log in by just providing email@mycompany.com
(depending on your browser configuration you may or may not be prompted with an authentication form by ADFS: see the WIA configuration for IE/Chrome, for instance).

Comments

Hi. Is it still working? I'm trying to do the same, but something is wrong and I see the error "Oops, you've made a malformed request."

Thank you for the tutorial, it works great.