Introduction
Most Data Center installations require SSO support, and the most common SSO protocol is SAML.
We added SAML support to our IUM apps.
For details see below.
Originally the user is in the disabled group and is therefore not able to access Jira.
IUM takes care of the SAML handling.
So when a user logs in, he is first enabled by IUM and afterwards authenticated via SSO.
Let's try this URL:
https://dev-jira.accxia.com/secure/Dashboard.jspa
First log in at Google.
Now see what happens:
WE ARE IN
Let's verify the Enabled group and see that we are in it.
Background: Implementing with Google SAML as Identity Provider
Generic Solution using 2 IDPs
We have to create 2 IDP accounts:
- IDP Account 1 is responsible for IUM
- IDP Account 2 is responsible for SSO authentication
IDP Account 1 must point to "https://dev-jira.accxia.com/plugins/servlet/samlium".
IDP Account 2 must point to "https://dev-jira.accxia.com/plugins/servlet/samlconsumer".
The Jira SSO 2.0 app must be configured to use the IUM servlet via IDP Account 1: the "Identity provider single sign-on URL" must point to Account 1.
The IUM servlet then redirects to Account 2 (SSO); this redirect target will become configurable in a future version.
Used this way, we have a fully generic solution.
Solution with just 1 IDP (preferred option)
Ideally only one IDP is required.
We have created a second solution for this case. It uses a servlet filter instead of a servlet: the filter intercepts the URL "/plugins/servlet/samlconsumer" and enables the IUM user.
The IDP must be configured with https://dev-jira.accxia.com/plugins/servlet/samlconsumer.
After the user has been enabled successfully, a redirect is sent to "/plugins/servlet/external-login".
As a result the user is logged in.
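The following is an added example of such a servlet filter; it is not code from the IUM app. It intercepts the consumer URL, checks the unencrypted but signed SAML Response before trusting its NameID, enables the user and redirects to the external-login servlet. The same verification would sit in the IUM servlet at /plugins/servlet/samlium in the two-IDP variant, with the redirect going to IDP Account 2 instead. The UserEnabler interface, the constructor arguments (IDP signing key, SP entity ID) and the package name are assumptions; the IDP is assumed to POST the response in the usual "SAMLResponse" form parameter.

```java
// Added example (not the IUM app's code). Hypothetical: package, UserEnabler, constructor args.
package com.example.ium;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.PublicKey;
import java.time.Instant;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlConsumerFilter implements Filter {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    static final String CONSUMER_PATH = "/plugins/servlet/samlconsumer";
    static final String LOGIN_PATH = "/plugins/servlet/external-login";

    /** Hypothetical hook into IUM: query the disabled group and move a user out of it. */
    public interface UserEnabler {
        boolean isEnabled(String username);
        void enable(String username);
    }

    private final PublicKey idpSigningKey; // IDP signing certificate's key, loaded from its metadata (assumed)
    private final String spEntityId;       // the Audience the IDP issues assertions for (assumed)
    private final UserEnabler users;

    public SamlConsumerFilter(PublicKey idpSigningKey, String spEntityId, UserEnabler users) {
        this.idpSigningKey = idpSigningKey;
        this.spEntityId = spEntityId;
        this.users = users;
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        String encoded = http.getParameter("SAMLResponse");
        if (!http.getRequestURI().endsWith(CONSUMER_PATH) || encoded == null) {
            chain.doFilter(req, res);   // not a SAML response: nothing for IUM to do
            return;
        }
        String username;
        try {
            username = verifiedNameId(Base64.getDecoder().decode(encoded));
        } catch (Exception e) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN, "SAML response rejected");
            return;                     // never enable a user on an unverified response
        }
        if (users.isEnabled(username)) {
            chain.doFilter(req, res);   // already enabled: let the SSO app consume this response
            return;
        }
        users.enable(username);
        out.sendRedirect(http.getContextPath() + LOGIN_PATH);
    }

    /** Checks XML signature, signed element, status, validity window and audience; returns the NameID. */
    String verifiedNameId(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD / entities
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        Element response = doc.getDocumentElement();
        Element assertion = one(response, SAML, "Assertion");
        Element sigEl = one(response, XMLSignature.XMLNS, "Signature");

        DOMValidateContext ctx = new DOMValidateContext(idpSigningKey, sigEl);
        ctx.setIdAttributeNS(response, null, "ID");   // lets Reference URI="#..." resolve
        ctx.setIdAttributeNS(assertion, null, "ID");
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) throw new SecurityException("signature invalid");
        // The signature must cover the Response or exactly the Assertion we take the NameID from.
        String signed = ((Reference) sig.getSignedInfo().getReferences().get(0)).getURI();
        if (!signed.equals("#" + response.getAttribute("ID"))
                && !signed.equals("#" + assertion.getAttribute("ID")))
            throw new SecurityException("signature does not cover the assertion");

        if (!SUCCESS.equals(one(response, SAMLP, "StatusCode").getAttribute("Value")))
            throw new SecurityException("status is not Success");
        Element cond = one(assertion, SAML, "Conditions");
        Instant now = Instant.now();
        if (cond.hasAttribute("NotBefore") && now.isBefore(Instant.parse(cond.getAttribute("NotBefore")))
                || !now.isBefore(Instant.parse(cond.getAttribute("NotOnOrAfter"))))
            throw new SecurityException("assertion outside its validity window");
        if (!spEntityId.equals(one(cond, SAML, "Audience").getTextContent().trim()))
            throw new SecurityException("assertion issued for another audience");
        return one(assertion, SAML, "NameID").getTextContent().trim();
    }

    /** Exactly one element is expected; duplicates are rejected instead of silently taking the first. */
    private static Element one(Element scope, String ns, String local) {
        NodeList list = scope.getElementsByTagNameNS(ns, local);
        if (list.getLength() != 1)
            throw new SecurityException("expected one " + local + ", found " + list.getLength());
        return (Element) list.item(0);
    }
}
```

Two design choices are worth noting. The filter only redirects after it has actually enabled someone; a user who is already enabled is passed through to the SSO app, so the second SAML round trip that /plugins/servlet/external-login triggers is consumed normally instead of looping back into the filter. And because the page's SAML messages are unencrypted, the signature check is the only thing standing between a forged POST to the consumer URL and an enabled account, which is why the NameID is read only after the signature, the signed element, the status, the validity window and the audience have all been checked. A response carrying two Signature elements (Response and Assertion both signed) is rejected by the strict one-element rule and would need a small extension.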
Note:
- Currently SAML is only supported for unencrypted SAML messages. Support for encrypted messages can be developed later on.
- Atlassian SSO 2.0 supports primary and first authentication; our IUM app supports both options.