How to enable auth_fallback functionality when using SSO in Bitbucket Data Center

関連コンテンツ

  • 関連コンテンツがありません

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Fisheye および Crucible は除く

要約

When making SSO configuration changes or when setting up SSO for the first time, it's possible that a faulty or bad configuration could effectively lock out all users from the application if the SSO provider is set as the primary authentication method. This is because the users will be automatically sent to the non-functioning SSO provider login page, with no ability to access the local Bitbucket Server/Data Center login form.

The purpose of this guide is to show you how to enable and use Authentication Fall Back for SSO in Bitbucket Server, which will allow you to access a special fallback URL in order to log in locally and access the application and repair/disable the SSO configuration currently setup for the environment.

環境

Solution (SSO for Atlassian Server and Data Center 7.12 onwards)


ここをクリックして展開...

In order to make use of the auth_fallback functionality, the allow-redirect-override flag needs to be enabled via REST API. This can be done with other REST clients, or via cURL, but the following is a user-friendly approach:

  • Download Postman for your browser (or use your own if you have an alternate REST client)
  • Open Postman
  • Select GET from the dropdown menu and select Basic Auth from the Authorization tab
    (enter the admin credentials)
  • Enter the following URL, modified for your environment: <Base_URL>/rest/authconfig/1.0/sso
    (For example: https://bitbucketdc/rest/authconfig/1.0/sso

(warning) Add the contextPath only if you have a context path like /bitbucket in your Bitbucket Base URL. For example https://mycompany.com:443/bitbucketYou can set the context path for Bitbucket Server if you are running another Atlassian application, or Java web application, at the same hostname and context path as Bitbucket Server.

After clicking SEND you should receive a response with the following information:

{
  "show-login-form": true,
  "enable-authentication-fallback": false,
  "show-login-form-for-jsm": false,
  "last-updated": null
}

You can receive the same response by executing a cURL command similar to the one below:


cURL command 
curl -u <Admin> <Base_URL>/rest/authconfig/1.0/sso


We will need to set the enable-authentication-fallback field to true.

    To do this, open a new tab in Postman or other REST client

  • Select PATCH from the dropdown and enter the URL: <Base_URL>/rest/authconfig/1.0/sso
    (For Example: https://bitbucketdc/rest/authconfig/1.0/sso)
  • Select Basic Auth from the Authorization tab and enter the credentials for the admin account
  • Go to the Body tab, select Raw from the radio button. Select JSON from the dropdown menu.


Specify the following request body to set enable-authentication-fallback to true:

{
	"enable-authentication-fallback": true
}

The same can be also achieved using cURL command similar to the one below:

cURL command 
curl -u <Admin> -X PATCH -d '{"enable-authentication-fallback": true}' -H "Content-Type: application/json" <Base_URL>/rest/authconfig/1.0/sso


You should receive a response with the status code 200 or 304. Afterwards, you should be able to access <Base_URL>/login?auth_fallback to bypass SAML.

It's important to remember to set the flag back to false once the maintenance has been completed in order to restore the intended behaviour.


Solution (SSO for Atlassian Server and Data Center 4.x or newer version until 7.11)


ここをクリックして展開...

In order to make use of the auth_fallback functionality, the allow-redirect-override flag needs to be enabled via REST API. This can be done with other REST clients or via cURL, but the following is a user-friendly approach:

(warning) Add the contextPath only if you have a context path like /bitbucket in your Bitbucket Base URL. For example https://mycompany.com:443/bitbucketYou can set the context path for Bitbucket Server if you are running another Atlassian application, or Java web application, at the same hostname and context path as Bitbucket Server.


This should return something like the following after clicking SEND:

{
  "sso-type": "SAML",
  "sso-url": "https://dev-486166.oktapreview.com/app/jeancodev486166_bitbucketdc_1/exk9awjfupbFE8VQp0h7/sso/saml",
  "sso-issuer": "http://www.okta.com/exk9awjfupbFE8VQp0h7",
  "certificate": "MIIDpDCCAoygAwIBAgIGAVl1oNWbMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00ODYxNjYxHDAaBgkqhkiG9w0BCQEW\nDWluZm9Ab2t0YS5jb20wHhcNMTcwMTA2MjExMjExWhcNMjcwMTA2MjExMzExWjCBkjELMAkGA1UE\nBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV\nBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDg2MTY2MRwwGgYJ\nKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\nn5+MbxEb0rRA5kDBxVvzNRO3otJS7UMB3ldTEqivmieXvkXiSLjVYQJr7gbg+OYAX12V35HmrIs6\nRiT/d4trsePI09hRjQD2eMXsd11v1eKmoyAbsV026LZTHoVpXZQyeK383chJLEp2G6lRVdA/uFpP\nj5OCSiB5jVhEdRXymbfeESecMbh5YJu9H025sDBiqyzDHmZXunPdmJ0fyFpY9Q98bMfi7KUICHff\nlncSYQRDYax17wTO/2Nu4akWVESiBaedBlXAKuEOoB26ysxbQiUATOJTKodiGydyxLAlk2DV+Uzz\nDAeN8mQw7y4MArrSDqTWnTbtg3SJl6e0Ho/CGQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBNy/LR\nG85t3nuk4bnh2XRWtOXlSKtq6fVMAtJ4kd8vxB8M8DyFWDIaoXTd35COs1p2LX176hdBKjgau8Ux\nNUOJ3MIOw8qQAwFWguBHFWYhrcgDCVtCvz3wLIBRZehW/tX2ah+M8ATsn8oLPHaL2W11Z0JOiEcV\nIdAu6CyR1iDcVjCT7DV3h8aUWaLjfnfcJasEqiTEs2DH1d8E+GdW/lWaGiAdVlnxmxv5rvkwFxvZ\nDJyk2VPxZmFVdK16cUbPgnk5Bge7wnNaQZOUBmUZKAKmzeA+22lhKPpv8IGTIwEpcoUHggAdhvrT\nHfcvAs4OyFQgeaBA5//UjZVa/MfAFmqP",
  "user-attribute": null,
  "allow-redirect-override": false,
  "include-customer-logins": false,
  "redirect-on-login": false,
  "enable-remember-me": false
}


We will need to update the allow-redirect-override field to true

    To do this, open a new tab in Postman or other REST client


Use the results from the command as reference to set allow-redirect-override set to true:

{
  "allow-redirect-override": true
}


You should get a 200 or 304 status when pressing the Send button and you will now be able to access http://localhost:PORT/contextPath/login?auth_fallback to bypass SAML. It's important to remember to set the flag back to false once the maintenance has been completed in order to restore the intended behavior.


Solution (SSO for Atlassian Server and Data Center 3.x)


ここをクリックして展開...

In order to make use of the auth_fallback functionality, the allow-saml-redirect-override flag needs to be enabled via REST API. This can be done with other REST clients or via cURL, but the following is a user-friendly approach:

(warning) Add the contextPath only if you have a context path like /bitbucket in your Bitbucket Base URL. For example https://mycompany.com:443/bitbucketYou can set the context path for Bitbucket Server if you are running another Atlassian application, or Java web application, at the same hostname and context path as Bitbucket Server.


This should return something like the following after clicking SEND:

{
  "sso-url": "https://dev-486166.oktapreview.com/app/jeancodev486166_bitbucketdc_1/exk9awjfupbFE8VQp0h7/sso/saml",
  "sso-issuer": "http://www.okta.com/exk9awjfupbFE8VQp0h7",
  "certificate": "MIIDpDCCAoygAwIBAgIGAVl1oNWbMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00ODYxNjYxHDAaBgkqhkiG9w0BCQEW\nDWluZm9Ab2t0YS5jb20wHhcNMTcwMTA2MjExMjExWhcNMjcwMTA2MjExMzExWjCBkjELMAkGA1UE\nBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV\nBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDg2MTY2MRwwGgYJ\nKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\nn5+MbxEb0rRA5kDBxVvzNRO3otJS7UMB3ldTEqivmieXvkXiSLjVYQJr7gbg+OYAX12V35HmrIs6\nRiT/d4trsePI09hRjQD2eMXsd11v1eKmoyAbsV026LZTHoVpXZQyeK383chJLEp2G6lRVdA/uFpP\nj5OCSiB5jVhEdRXymbfeESecMbh5YJu9H025sDBiqyzDHmZXunPdmJ0fyFpY9Q98bMfi7KUICHff\nlncSYQRDYax17wTO/2Nu4akWVESiBaedBlXAKuEOoB26ysxbQiUATOJTKodiGydyxLAlk2DV+Uzz\nDAeN8mQw7y4MArrSDqTWnTbtg3SJl6e0Ho/CGQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBNy/LR\nG85t3nuk4bnh2XRWtOXlSKtq6fVMAtJ4kd8vxB8M8DyFWDIaoXTd35COs1p2LX176hdBKjgau8Ux\nNUOJ3MIOw8qQAwFWguBHFWYhrcgDCVtCvz3wLIBRZehW/tX2ah+M8ATsn8oLPHaL2W11Z0JOiEcV\nIdAu6CyR1iDcVjCT7DV3h8aUWaLjfnfcJasEqiTEs2DH1d8E+GdW/lWaGiAdVlnxmxv5rvkwFxvZ\nDJyk2VPxZmFVdK16cUbPgnk5Bge7wnNaQZOUBmUZKAKmzeA+22lhKPpv8IGTIwEpcoUHggAdhvrT\nHfcvAs4OyFQgeaBA5//UjZVa/MfAFmqP",
  "user-attribute": null,
  "allow-saml-redirect-override": false,
  "include-customer-logins": false,
  "redirect-on-login": false,
  "enable-remember-me": false
}


We will need to update the allow-saml-redirect-override field to true

    To do this, open a new tab in Postman or other REST client


Use the results from the command as reference to set allow-saml-redirect-override set to true:

{
  "allow-saml-redirect-override": true
}

You should get a 200 or 304 status when pressing the Send button and you will now be able to access http://localhost:PORT/contextPath/login?auth_fallback to bypass SAML. It's important to remember to set the flag back to false once the maintenance has been completed in order to restore the intended behavior.

最終更新日 2024 年 4 月 2 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する

関連コンテンツ

  • 関連コンテンツがありません
Powered by Confluence and Scroll Viewport.