Using the JIRA On-Premises SAML App
Published: Jan 10, 2015 - Updated: May 16, 2017

In addition to providing the JIRA Cloud Web application through the Okta Application Network, Okta also supports single sign-on integration between Okta and the JIRA On-Premises SAML app. To configure the integration, you must install Okta's custom JIRA authenticator on your JIRA server. The Current JIRA JAR Version History article lists the JIRA on-premise versions that support recent versions of the JAR. You can access the latest version of the okta-jira.jar file from the Okta Downloads page. Download the file before you begin the integration.

For more information about JIRA custom authenticators, refer to the page Single Sign-on Integration with JIRA and Confluence on the Atlassian website. For information about configuring provisioning for the app, see Configuring Provisioning for Jira On-Premise.

Note: To add the JIRA Cloud web app, see Using the Okta Applications Page.

Adding the JIRA On-Premises SAML App to Okta

Note: Steps 5 and 8 below provide links to other documents for additional instructions.

  1. Download the appropriate version of the okta-jira.jar file from the Okta Downloads page. For information about which version of the JAR to download for use with your JIRA On-Premises SAML app, see Current JIRA JAR Version History. Later you will copy this file to your JIRA server.

  2. Go to the Applications menu and choose Applications.

  3. Click Add Application and search for JIRA On-Premises SAML.

  4. Click Add.

  5. Follow the onscreen prompts. Detailed instructions for this part of the installation are provided in Using the Okta Applications Page.

    When you have completed initial installation, the Home page of the newly-created app appears.

  6. Click the Sign On tab.


  7. In the Settings section, click View Setup Instructions to open the article How to Configure JIRA On-Premise SAML Application.


  8. Perform the steps in How to Configure JIRA On-Premise SAML Application. The procedure is summarized as follows:

    1. Create a file okta-config-jira.xml on the JIRA server.

    2. Paste the provided configuration into okta-config-jira.xml.

    3. Update your [jira_webdir]/WEB-INF/classes/seraph-config.xml.

    4. Copy okta-jira.jar to the [jira_webdir]/WEB-INF/lib directory.

    5. Restart your JIRA service.


Optional – Filter User Access by IP Address, User Name, or Group Name

You can specify whether SAML authentication or native service provider authentication is used, by IP address, user name, group name or URL. This option is set in the okta-config-jira.xml file using the tags shown below.

The following code shows the relevant sections of an okta-config-jira.xml file, with the behaviour of each section explained in the XML comments:

<configuration>
  <applications>
    <application>
      <md:EntityDescriptor ...>....</md:EntityDescriptor>
    </application>
  </applications>

  <!--
  The IP range in the <oktaUsers> tag specifies the IP addresses that use the SAML toolkit for authentication. The values in the <ipFrom> and <ipTo> tags specify IP addresses. These tags can contain full IP addresses as shown below or a mask such as 182.0.. . The <ipTo> tag is optional. Omit it if the range is completely specified in the <ipFrom> tag. This range has higher priority than the range specified in the <spUsers> tag below.

  The IP range in the <spUsers> tag specifies the IP addresses that use the native service provider authentication. The values in the <ipFrom> and <ipTo> tags specify IP addresses and work as described above. This range has lower priority than the range specified in the <oktaUsers> tag above.
  -->
  <allowedAddresses>
    <oktaUsers>
      <ipFrom>192.168.3.10</ipFrom>
      <ipTo>192.168.3.220</ipTo>
    </oktaUsers>
    <spUsers>
      <ipFrom>...</ipFrom>
      <ipTo>...</ipTo>
    </spUsers>
  </allowedAddresses>

  <!--
  The values in the <username> tags contained in the <spUsers> tag specify usernames to process with the native service provider authentication. Any number of <username></username> tags are permitted.
  -->
  <spUsers>
    <username>john.doe@acme.com</username>
    <username>john.smith@acme.com</username>
    <username>jira.user@acme.com</username>
    <username>confluence.user@acme.com</username>
  </spUsers>

  <!--
  The values in the <groupname> tags contained in the <spGroups> tag specify group names to process with the native service provider authentication. Any number of <groupname></groupname> tags are permitted.
  -->
  <spGroups>
    <groupname>jira-grp</groupname>
    <groupname>confluence-grp</groupname>
  </spGroups>

  <!--
  The values in the <url> tags contained in the <spUrls> tag specify URL fragments; a request whose URL contains one of these fragments is processed with the native service provider authentication. Any number of <url> tags are permitted.
  For example, with the configuration below, the following URL is secured by the JIRA native authenticator: http://myjira.com:8080/servicedesk/customer/portal
  -->
  <spUrls>
    <url>servicedesk/customer/portal</url>
  </spUrls>
</configuration>

Processing Details

If the two IP ranges overlap, or if an IP address is inadvertently left out of both, the following four rules determine which authenticator is used.

  • If a user is matched in both ranges, the SAML toolkit is used for authentication.
  • If the <allowedAddresses> tag is not present, the SAML toolkit is used for authentication.
  • If a user is not matched in either range, the SAML toolkit is used for authentication.
  • The native Confluence authenticator (the service provider authenticator) is used only if a user is matched in the <spUsers> range and not in the <oktaUsers> range.
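As an added example (not Okta's authenticator code), the following Python models these four rules over the <allowedAddresses>, <spUsers>, <spGroups> and <spUrls> sections shown above, using a constructed configuration in which the two IP ranges overlap. It assumes full IP addresses only (masks such as 182.0.. are not handled) and that a username, group or URL match selects native authentication before the IP-range rules are consulted; that ordering is an assumption, not something the article states.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample mirroring the article's filter sections; the IP ranges overlap.
SAMPLE_CONFIG = """<configuration>
  <allowedAddresses>
    <oktaUsers><ipFrom>192.168.3.10</ipFrom><ipTo>192.168.3.220</ipTo></oktaUsers>
    <spUsers><ipFrom>192.168.3.200</ipFrom><ipTo>192.168.3.250</ipTo></spUsers>
  </allowedAddresses>
  <spUsers><username>jira.user@acme.com</username></spUsers>
  <spGroups><groupname>jira-grp</groupname></spGroups>
  <spUrls><url>servicedesk/customer/portal</url></spUrls>
</configuration>"""

def _ip_range(node):
    """(low, high) from <ipFrom>/<ipTo>; <ipTo> is optional. Full addresses only."""
    if node is None or node.findtext("ipFrom") is None:
        return None
    low = ipaddress.ip_address(node.findtext("ipFrom").strip())
    to = node.findtext("ipTo")
    return low, (ipaddress.ip_address(to.strip()) if to else low)

def load_filters(xml_text):
    """Parse the access-filter sections of an okta-config-jira.xml document."""
    root = ET.fromstring(xml_text)
    allowed = root.find("allowedAddresses")
    return {
        "has_allowed": allowed is not None,
        "okta": _ip_range(allowed.find("oktaUsers")) if allowed is not None else None,
        "sp": _ip_range(allowed.find("spUsers")) if allowed is not None else None,
        # the top-level <spUsers>, not the IP-range one inside <allowedAddresses>
        "users": {u.text.strip() for u in root.findall("spUsers/username")},
        "groups": {g.text.strip() for g in root.findall("spGroups/groupname")},
        "urls": [u.text.strip() for u in root.findall("spUrls/url")],
    }

def _in(addr, rng):
    return rng is not None and rng[0] <= addr <= rng[1]

def choose_authenticator(filters, ip, username=None, groups=(), url=""):
    """Pick "saml" or "native": list matches select native, else the IP-range rules."""
    if (username in filters["users"] or set(groups) & filters["groups"]
            or any(part in url for part in filters["urls"])):
        return "native"  # assumed: explicit user/group/URL entries select native auth
    if not filters["has_allowed"]:
        return "saml"  # rule 2: no <allowedAddresses> tag -> SAML toolkit
    addr = ipaddress.ip_address(ip)
    if _in(addr, filters["sp"]) and not _in(addr, filters["okta"]):
        return "native"  # rule 4: matched only the <spUsers> range
    return "saml"  # rules 1 and 3: both ranges matched, or neither did
```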
