
vztxo (vztxo) asked a question.
Hi,
I'm following the instructions to set up Jira on premises with SSO.
We would like to roll out SSO slowly, and also leave some users as local (admin, etc.).
I saw the option to add spGroups (and other spXXXXX options).
The instructions also ask me to change login.jsp, which will force a redirect to Okta when someone goes to the Jira login page.
My question, if someone has experience with this: should the local users (admin, etc.) also log in via the Okta login page (even if they don't exist in Okta)?
Thanks,
e

Hi Eyal,
Thank you for reaching out to Okta Support.
You can define which users will log in using the login/pass by defining the following lines in the okta-config-jira.xml file:
If this section is defined, SP flow can be disabled for the users listed below. In this case they will be forced to log in using their login/pass.
<spUsers>
<username>user1</username>
<username>user2</username>
<username>user3</username>
</spUsers>
These lines will not be created by default in the okta-config-jira.xml file; you will have to define each line in the correct parameter according to the Okta Jira Authenticator Configuration Guide:
https://saml-doc.okta.com/Provisioning_Docs/Okta_Jira_Authenticator_Configuration_Guide
You can also add a specific group of admins/users that you would like to use the Jira login/pass by defining the following lines:
If this section is defined, SP flow can be disabled for users assigned to the groups in Jira listed below. In this case they will be forced to log in using their login/pass.
<spGroups>
<groupname>group1</groupname>
<groupname>group2</groupname>
<groupname>group3</groupname>
</spGroups>
Note: The above examples are not in the correct format; please follow the above KB for the correct lines.
The urlwrite rule and the permanent redirect from login.jsp will be ignored if the above lines are defined.
Kind regards,
Sergiu Costea
Technical Support Engineer
Okta Global Customer Care
This is exactly what we needed! Thank you so much!
Thanks for the reply.
I tried this, but for some reason it always redirects me to the Okta page.
I don't have any <allowedAddresses> block. Is this mandatory?
In my okta-config-jira.xml I have:
.
.
.
</applications>
<oktaProtectedUrls>
<url>/browse/</url>
<url>/secure/</url>
</oktaProtectedUrls>
<loginUri>https://company.okta.com/app/jira_onprem/easasdfasdyasdfasdf/sso/saml</loginUri>
<spGroups>
<groupname>internal_users</groupname>
</spGroups>
<spUsers>
<username>jira.admin</username>
</spUsers>
<spUrls>
<url>servicedesk/customer/portal</url>
</spUrls>
</configuration>
Eyal
Okta support,
I added the <spUsers> to the Okta config Jira XML. Do I need to set an spURL as well? Just setting the spUsers to a local account doesn't seem to do anything, because the URL automatically redirects back to Okta.
What URL would I need to set it to? The origin /login.jsp?
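Added example, not part of the thread and not Okta's own code: a small Python check that inventories the local-login exemptions (spUsers, spGroups, spUrls) in an okta-config-jira.xml and compares them with an approved list, since each entry is exempted from the SP flow and uses the Jira login/pass instead. The element names are taken from the snippets posted above, which the support reply says may not match the guide's exact format; SAMPLE_CONFIG, the approved list and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the fragment posted in this thread.
SAMPLE_CONFIG = """<configuration>
  <spGroups>
    <groupname>internal_users</groupname>
  </spGroups>
  <spUsers>
    <username>jira.admin</username>
    <username> jira.admin </username>
    <username>build.bot</username>
  </spUsers>
</configuration>"""

# Section -> child element, using the names shown in the thread (assumed format).
SECTIONS = {"spUsers": "username", "spGroups": "groupname", "spUrls": "url"}


def sso_exemptions(xml_text):
    """Return {section: [entries]} for every local-login exemption section."""
    root = ET.fromstring(xml_text)
    found = {}
    for section, child in SECTIONS.items():
        node = root.find(section)
        # A missing section means no exemption of that kind is configured.
        values = [] if node is None else [
            (e.text or "").strip() for e in node.findall(child)]
        found[section] = [v for v in values if v]
    return found


def review(xml_text, approved):
    """Compare configured exemptions with an approved list; return findings."""
    findings = []
    for section, entries in sso_exemptions(xml_text).items():
        allowed = set(approved.get(section, []))
        seen = set()
        for entry in entries:
            if entry in seen:
                findings.append((section, entry, "duplicate"))
            elif entry not in allowed:
                findings.append((section, entry, "not approved"))
            seen.add(entry)
    return findings


if __name__ == "__main__":
    approved = {"spUsers": ["jira.admin"], "spGroups": ["internal_users"]}
    for finding in review(SAMPLE_CONFIG, approved):
        print(finding)
```

Running the check whenever the file changes keeps the list of accounts that sign in with a local password short and reviewed.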