Jira Data Center の SAML 認証を回避する
要約
The special query parameter auth_fallback allows bypass of SAML authentication if Jira has previously been configured to allow bypassing. Jira can be configured to accept this parameter either via REST API, or through the database via SQL. If auth_fallback has already been configured, the URL to display the login page is: <BASE_URL>/login.jsp?auth_fallback
If this URL redirects to the standard SAML login, confirm you have enabled the parameter properly by following the below steps.
Enable auth_fallback via the REST API
In order to make use of the auth_fallback functionality, we need to set a flag through the REST API. Follow one of the options below, depending on the Jira version that you have installed.
Use curl on the command line
For SSO authentication plugin 4.2.0 and newer bundled in Jira Server and Data Center 8.16 / JSM 4.16
For SSO authentication plugin 4.0.x-4.1.x bundled in Jira Server and Data Center 8.6-8.15 / JSM 4.5-4.15
For SSO authentication plugin 3.x and older bundled in Jira Server and Data Center BEFORE 8.5 / JSM 4.5
If the CURL command fails with an error 'Closing connection 0curl: (60) SSL certificate problem: unable to get local issuer certificate', you will need to run the CURL with the -k option to ignore the certificate:
curl -vvv -XPUT -k <BASE_URL>/rest/authconfig/1.0/saml -H 'Content-Type: application/json' -d '{"allow-saml-redirect-override": true}' -u admin_usernameAccess REST API via GUI client such as Postman
- Download Postman for your browser (or use your own if you have an alternate REST client)
- Open Postman
- Select GET from the dropdown menu and select Basic Auth from the Authorization tab (enter the admin credentials)
- Enter the following URL, adjusting to match your environment and Jira version:
- Jira Data Center 8.6 and newer: <BASE_URL>/rest/authconfig/1.0/sso
- Jira Data Center 8.5 and older: <BASE_URL>/rest/authconfig/1.0/saml
This should return something like the following after clicking SEND:
{
"sso-url": "https://dev-486166.oktapreview.com/app/jeancodev486166_jiradc_1/exk9awjfupbFE8VQp0h7/sso/saml",
"sso-issuer": "http://www.okta.com/exk9awjfupbFE8VQp0h7",
"certificate": "MIIDpDCCAoygAwIBAgIGAVl1oNWbMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00ODYxNjYxHDAaBgkqhkiG9w0BCQEW\nDWluZm9Ab2t0YS5jb20wHhcNMTcwMTA2MjExMjExWhcNMjcwMTA2MjExMzExWjCBkjELMAkGA1UE\nBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV\nBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDg2MTY2MRwwGgYJ\nKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\nn5+MbxEb0rRA5kDBxVvzNRO3otJS7UMB3ldTEqivmieXvkXiSLjVYQJr7gbg+OYAX12V35HmrIs6\nRiT/d4trsePI09hRjQD2eMXsd11v1eKmoyAbsV026LZTHoVpXZQyeK383chJLEp2G6lRVdA/uFpP\nj5OCSiB5jVhEdRXymbfeESecMbh5YJu9H025sDBiqyzDHmZXunPdmJ0fyFpY9Q98bMfi7KUICHff\nlncSYQRDYax17wTO/2Nu4akWVESiBaedBlXAKuEOoB26ysxbQiUATOJTKodiGydyxLAlk2DV+Uzz\nDAeN8mQw7y4MArrSDqTWnTbtg3SJl6e0Ho/CGQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBNy/LR\nG85t3nuk4bnh2XRWtOXlSKtq6fVMAtJ4kd8vxB8M8DyFWDIaoXTd35COs1p2LX176hdBKjgau8Ux\nNUOJ3MIOw8qQAwFWguBHFWYhrcgDCVtCvz3wLIBRZehW/tX2ah+M8ATsn8oLPHaL2W11Z0JOiEcV\nIdAu6CyR1iDcVjCT7DV3h8aUWaLjfnfcJasEqiTEs2DH1d8E+GdW/lWaGiAdVlnxmxv5rvkwFxvZ\nDJyk2VPxZmFVdK16cUbPgnk5Bge7wnNaQZOUBmUZKAKmzeA+22lhKPpv8IGTIwEpcoUHggAdhvrT\nHfcvAs4OyFQgeaBA5//UjZVa/MfAFmqP",
"user-attribute": null,
"allow-saml-redirect-override": false,
"include-customer-logins": false,
"redirect-on-login": false,
"enable-remember-me": false
}We will need to update the flag enable-authentication-fallback, allow-redirect-override or allow-saml-redirect-override (depending on your Jira version as detailed above) to true:
- To do this, open a new tab in Postman
- Select PUT or PATCH from the dropdown and enter the URL relevant to your Jira version
- Select Basic Auth from the Authorization tab and enter the credentials for the admin account
- Go to the Body tab, select Raw from the radio button
- Select JSON from the dropdown menu
Use the results from the command as a reference to set enable-authentication-fallback, allow-redirect-override or allow-saml-redirect-override (depending on your Jira version as detailed above) set to true:
{
"allow-saml-redirect-override": true
} This change can be reverted by changing true to false
You should get a 200 or 304 status when pressing the Send button and you will now be able to access <BASE_URL>/login.jsp?auth_fallback to bypass SAML. It's important to remember to set the flag back to false once the maintenance has been completed in order to restore the intended behavior.
Enable auth_fallback via the DB
If you're unable to access the above URL(s) there is a database workaround.
This has been tested in both Postgres and MySQL, please make sure when utilizing database workarounds that there is a viable backup of the database.
The following is a direct manipulation to enable the authentication fallback flag manually. This will require a restart of Jira as well.
Follow one of the instructions below, depending on your Jira version:
- Jira を停止します。
Run the following query to determine the ID to update in the database
select propertyentry.id from propertyentry join propertystring on propertyentry.id=propertystring.id where property_key like 'com.atlassian.plugins.authentication.sso.config.enable-authentication-fallback';You should receive output as below (if not, please try first with the curl or REST API above to enable this feature)
id ------- 17074 (1 row)- Now let's use that ID to update and allow the auth_fallback URL:
Take the ID and insert it into the following query:
update propertystring set propertyvalue = 'true' where id=17074;
- Jira の起動
- You should now be able to access <BASE_URL>/login.jsp
NOTE: The ID is 17074 in this example. Your ID will vary depending on the results of the first query we ran.
- Jira を停止します。
Run the following query to determine the ID to update in the database
select propertyentry.id from propertyentry join propertystring on propertyentry.id=propertystring.id where property_key like 'com.atlassian.plugins.authentication.sso.config.allow-redirect-override';You should receive output as below
id ------- 17074 (1 row)- Now let's use that ID to update and allow the auth_fallback URL:
Take the ID and insert it into the following query:
update propertystring set propertyvalue = 'true' where id=17074;
- Jira の起動
- You should now be able to access <BASE_URL>/login.jsp?auth_fallback
NOTE: The ID is 17074 in this example. Your ID will vary depending on the results of the first query we ran.
- Jira を停止します。
Run the following query to determine the ID to update in the database
select propertyentry.id from propertyentry join propertystring on propertyentry.id=propertystring.id where property_key='com.atlassian.plugins.authentication.samlconfig.allow-saml-override';You should receive the output as below
id ------- 17074 (1 row)- Now let's use that ID to update and allow the auth_fallback URL:
Take the ID and insert it into the following query:
update propertystring set propertyvalue = 'true' where id=17074;
- Jira の起動
- You should now be able to access <BASE_URL>/login.jsp?auth_fallback
NOTE: The ID is 17074 in this example. Your ID will vary depending on the results of the first query we ran.
Bypass SAML and login to Jira
Now that auth_fallback has been enabled, we can bypass SAML and log in. The URL to display the login page is: <BASE_URL>/login.jsp?auth_fallback
The auth_fallback parameter works only on the Jira Core/Software login page URL and is useful for troubleshooting SAML issues.
- If the configuration allows bypassing SAML authentication, then the user will end up on the regular login page
- If the configuration does not allow for using auth_fallback, then the regular SAML flow will be initiated
The auth_fallback parameter is not intended to be appended to the end of the Service Management portal login page (servicedesk/customer/user/login?destination=portals&auth_fallback).
In this case, use the Jira login.jsp page, and the user will be redirected to Service Management as configuration allows.
This documentation applies only to the native SSO 2.0 plugin provided by Jira. If using third-party SSO plugins, please refer to the plugin vendor documentation to get instructions on how to bypass their SSO redirection.