Note: This plugin fully supports JIRA 6.0, 6.1, 6.2, 6.3. We have open-sourced the plugin, which you can get at https://github.com/
This article explains how to set up single sign-on (SSO) for Atlassian JIRA using OneLogin's SAML plugin for JIRA.
You perform this setup in two steps:
1. Set up OneLogin
2. Install and configure the OneLogin JIRA plugin
Setting up OneLogin
- Go to Apps > Find Apps. Search for and select the JIRA connector that supports SAML 2.0.
- On the Add JIRA page, select a Connector Version of SAML 2.0 and click Save to add the app and display the additional configuration tabs.
- On the Configuration tab, enter the JIRA login URL.
  Enter the login URL of the JIRA server, using the format https://hostname:port without a trailing slash "/". For example, https://jiraserver:8080.
- On the Parameters tab, select how credentials are configured and map the JIRA Username field to a OneLogin attribute.
  Typically, the JIRA Username should be set to Email name part.
- On the SSO tab, copy the SAML 2.0 Endpoint (HTTP) URL and click View Details under the X.509 Certificate field to copy the certificate.
  You will add these to your jira_onelogin.xml file in a later step.
- On the Access tab, assign the JIRA app to OneLogin roles.
- Click Save.
Installing and configuring the JIRA plugin
- Download the following files to the machine that hosts your JIRA service:
  - customauth-jira-6.1.2.jar
  - jira_onelogin.xml
  Ensure that your JIRA_USER has read permission on these files. To perform this configuration, you must be logged in as a user with write permission on these files and the files in your JIRA_INSTALL directory.
- Edit jira_onelogin.xml to add the X.509 certificate and SAML 2.0 Endpoint that you copied above.
  Paste the certificate between the <certificate></certificate> tags, removing all line feeds or carriage returns in the certificate value.
  Paste the SAML 2.0 Endpoint between the <ssotarget></ssotarget> tags.
      <config>
        <certificate>PASTE-X509-CERTIFICATE-HERE-ON-ONE-LINE</certificate>
        <assertion>http://server1:8080/login.jsp</assertion>
        <issuer>http://server1:8080/secure/Dashboard.jspa</issuer>
        <ssotarget>https://app.onelogin.com/saml/signon/49097</ssotarget>
      </config>
- Copy jira_onelogin.xml into JIRA_INSTALL and JIRA_INSTALL/bin.
  The default location of the JIRA_INSTALL directory depends on the installation platform:
  - Linux: /opt/atlassian/jira
  - Windows: c:\Program Files\Atlassian\JIRA
  Your installation directory may be different.
- Copy customauth-jira-6.1.2.jar into JIRA_INSTALL/atlassian-jira/WEB-INF/lib.
- Edit JIRA_INSTALL/atlassian-jira/WEB-INF/classes/seraph-config.xml.
  - Modify the link.login.url parameter. Find <param-name>link.login.url</param-name> and make sure the corresponding <param-value> value is:
      <param-value>/login.jsp?os_destination=${originalurl}</param-value>
  - Comment out (<!-- -->) the following line:
      <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/>
  - Add the following line before the <service> tag:
      <authenticator class="com.onelogin.jira.saml.SSOAuthenticator"/>
- Edit JIRA_INSTALL/atlassian-jira/includes/loginform.jsp.
  - Find the following line:
      <%@ page import="com.atlassian.jira.web.filters.JiraLoginInterceptor" %>
  - Add the following immediately after:
      <%@ page import="com.onelogin.jira.saml.SSOAuthenticator" %>
  - Find the following line:
      request.setAttribute("loggedInUser", jiraAuthenticationContext.getLoggedInUser() == null ? null : jiraAuthenticationContext.getLoggedInUser().getDisplayName());
  - Add the following immediately after:
      if (request.getParameter("SAMLResponse") == null) {
          // No SAML response in this request: redirect to the URL held in the "reqString" session attribute.
          String redirectURL = request.getSession().getAttribute("reqString").toString();
          response.sendRedirect(redirectURL);
      } else {
          if (jiraAuthenticationContext.getLoggedInUser() != null) {
              // User is logged in: go to the saved destination if there is one, otherwise to "/".
              if (request.getSession().getAttribute("os_destination") != null) {
                  String os_destination = request.getSession().getAttribute("os_destination").toString();
                  response.sendRedirect(os_destination);
              } else {
                  response.sendRedirect("/");
              }
          }
      }
- Edit JIRA_INSTALL/atlassian-jira/secure/views/dashboard.jsp.
  Find the line
      wrm.requireResourcesForContext("jira.dashboard");
  and add the following immediately after (and before the line with %>):
      // Redirect once to the destination saved in the session, clearing it first.
      if (request.getSession().getAttribute("os_destination") != null) {
          String os_destination = request.getSession().getAttribute("os_destination").toString();
          request.getSession().setAttribute("os_destination", null);
          response.sendRedirect(os_destination);
      }
- Restart the Atlassian JIRA service.
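A check you can run on the edited jira_onelogin.xml before restarting, added here as an example and not part of the OneLogin plugin: it confirms the four elements are present, that the certificate is one line of base64 DER, and returns its SHA-256 so you can compare it with a fingerprint of the certificate you copied from OneLogin. The helper name check_config, the tolerance for pasted BEGIN/END lines, and the policy of flagging non-HTTPS <ssotarget> and <assertion> URLs are assumptions of this example.

```python
import base64, binascii, hashlib, re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

TAGS = ("certificate", "assertion", "issuer", "ssotarget")

def check_config(xml_text):
    """Return (findings, sha256_hex_or_None) for the text of a jira_onelogin.xml file."""
    findings, fingerprint = [], None
    root = ET.fromstring(xml_text)
    val = {tag: (root.findtext(tag) or "") for tag in TAGS}
    for tag, text in val.items():
        if not text.strip():
            findings.append(f"<{tag}> is missing or empty")
    cert = val["certificate"]
    if cert.strip():
        if "\n" in cert or "\r" in cert:
            findings.append("<certificate> contains line breaks")
        # Assumption: BEGIN/END armor lines may have been pasted along with the value.
        body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", cert)
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            der = b""
        if der[:1] != b"\x30":  # an X.509 certificate is a DER SEQUENCE (tag 0x30)
            findings.append("<certificate> is not base64-encoded DER")
        else:
            fingerprint = hashlib.sha256(der).hexdigest()
    # Example policy: the IdP endpoint and the URL that receives SAMLResponse should use TLS.
    for tag in ("ssotarget", "assertion"):
        url = val[tag].strip()
        if url and urlsplit(url).scheme != "https":
            findings.append(f"<{tag}> is not an https:// URL: {url}")
    return findings, fingerprint

# Constructed sample: the page's example layout with a tiny stand-in DER value, not a real certificate.
FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE = f"""<config><certificate>{FAKE_DER}</certificate>
<assertion>http://server1:8080/login.jsp</assertion>
<issuer>http://server1:8080/secure/Dashboard.jspa</issuer>
<ssotarget>https://app.onelogin.com/saml/signon/49097</ssotarget></config>"""

if __name__ == "__main__":
    findings, fp = check_config(SAMPLE)
    print("certificate SHA-256:", fp)
    for finding in findings:
        print("FINDING:", finding)
```

To check a real file, pass its contents: check_config(open("jira_onelogin.xml").read()).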