We are trying to set up JIRA to authenticate via Okta. We use AWS ELB and have a healthcheck that runs to ensure the app is available. The ELB looks for a return code of 200. Okta returms a 302 (redirect). The healthcheck looks for <JIRA base url>/status. This url does not require authentication, so why is Okta trying to redirect the healthcheck?
Is the ELB healthchecking Okta or JIRA? You said "Okta returns a 302 redirect" so it sounds like your ELB might be going through Okta to check the JIRA app. It seems like it should be checking JIRA directly, not going through Okta. If you're trying to healthcheck the JIRA app through Okta, you'll get a 302 redirect to JIRA. So that would be the first thing I'd ensure (the ELB is checking JIRA directly).
If that's already the case, JIRA (or some other system that intercepts the healthcheck) would be redirecting to Okta with a 302. If that's the case, it sounds like JIRA is configured to authenticate a user that tries to hit that endpoint, or something else is intercepting the request and kicking it back to Okta for authentication. For confirmation, can you provide the Okta url that's in the 302 from JIRA?
Wils, The ELB checks JIRA directly, it should not be going thorugh Okta. Here is the write-out to the log file: 2015-12-08 15:47:36,807 http-bio-8080-exec-2 INFO anonymous 947x22x22 - 10.221.5.80 /status [jira.authenticator.okta.OktaJiraAuthenticator] User wasn't fou nd not in session, nor in assertion, redirecting to: https://mhe.oktapreview.com/app/jira_onprem/exk51bvii8MdvN1hw0h7/sso/saml?RelayState=https%3A%2F%2Fjir adev.mheducation.com%2Fstatus
I think the issue is in the way Okta was configure. It is configured to use the <JIAR base url>. I beleave it should be configured to use the <JIRA base url>/secure/Dashboard.jspa
Yes that thought is probably correct. Looks like JIRA is expecting a valid session for the /status endpoint. I'm not sure how JIRA can be configured to exclude that endpoint and whether or not it's on the Okta side or the JIRA side, but someone else in the community may be able to help you there. I believe the configuration change will need to be made in JIRA, but am not familiar with that interaction specifically.