Unable to log in to the Jira mobile app with SSO/AD FS due to a Windows Integrated Authentication misconfiguration

Platform notice: Server and Data Center only - This article only applies to Atlassian products on the Server and Data Center platforms.

Problem

The app either throws an error or shows a blank page when a user tries to log in via SSO/AD FS.

This problem affects both the Jira and Confluence Server and Data Center mobile apps. 

Cause

As per the KB article from Microsoft:

By default, Windows Integrated Authentication (WIA) is enabled in Active Directory Federation Services (AD FS) in Windows Server for authentication requests that occur within the organization's internal network (intranet) for any application that uses a browser for its authentication.

We don’t support Windows Integrated Authentication yet, but it is still being used by your server because the app’s User-Agent header matches the user-agent components defined in your server’s WIASupportedUserAgentStrings setting.

For both iOS and Android, we compose the User-Agent header value by concatenating the standard WebView User-Agent and a unique app identifier.

User-Agent format examples

iOS User-Agent

Format
Mozilla/5.0 (<system-information>) <platform> (<platform-details>) Safari/<technical-version> AtlassianMobileApp
Mozilla/5.0 (iPhone; CPU iPhone OS 14_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Safari/604.1 AtlassianMobileApp

Android User-Agent

Format
Mozilla/5.0 (<system-information>) <platform> (<platform-details>) AtlassianMobileApp
Mozilla/5.0 (Linux; Android 9; Mi A1 Build/PKQ1.180917.001) AppleWebKit/537.36 (KHTML, like Gecko) AtlassianMobileApp

Solution

This resolution requires your users to be running the following app versions:

  • Confluence Server and Data Center app v 1.24 and later (iOS) and v 0.14 (Android)
  • Jira Server and Data Center app v 1.27 and later (iOS) and v 0.21.6 (Android)

To resolve this issue, you will need to exclude the User-Agent from WIASupportedUserAgents. See Configuring intranet forms-based authentication for devices that do not support WIA in the Microsoft documentation to find out how to do this.

For instance, if you have “Mozilla/5” listed in your WIA user-agent string components subset you might consider using a regex match feature (available in Windows Server 2016 or later) to enable WIA for anything but AtlassianMobileApp.

=~^(?!.*AtlassianMobileApp)Mozilla\/5.*

Alternatively, you can also achieve the same result by replacing the broad-level “Mozilla/5” component with the narrowed ones:

  • Mozilla/5.0 (Macintosh
  • Mozilla/5.0 (Windows

This way only requests coming from Windows or macOS will be redirected to WIA. The mobile apps won’t go through WIA.
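
A local check of the three configurations discussed above, as an added example that is not from the original article or from Microsoft. It models the matching on the assumption that plain entries are case-sensitive substring matches and entries beginning with `=~` are regular expressions. The function name `Test-WiaUserAgent`, the two desktop User-Agent samples and the configuration labels are constructed for illustration.

```powershell
# Added example: local model of WIASupportedUserAgents matching (not AD FS's own code).
# Assumption: plain entries are case-sensitive substrings; "=~" entries are regexes.
function Test-WiaUserAgent {
    param(
        [Parameter(Mandatory)] [string[]] $Components,
        [Parameter(Mandatory)] [string]   $UserAgent
    )
    foreach ($c in $Components) {
        if ($c.StartsWith('=~')) {
            # Strip the "=~" prefix and evaluate the rest as a regular expression.
            if ([regex]::IsMatch($UserAgent, $c.Substring(2))) { return $true }
        } elseif ($UserAgent.Contains($c)) {
            return $true
        }
    }
    return $false   # no entry matched: the client is not sent to WIA
}

# The two mobile values are the examples from this page; the desktop values are constructed.
$agents = [ordered]@{
    'iOS app'         = 'Mozilla/5.0 (iPhone; CPU iPhone OS 14_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Safari/604.1 AtlassianMobileApp'
    'Android app'     = 'Mozilla/5.0 (Linux; Android 9; Mi A1 Build/PKQ1.180917.001) AppleWebKit/537.36 (KHTML, like Gecko) AtlassianMobileApp'
    'Windows desktop' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0 Safari/537.36'
    'macOS desktop'   = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Safari/605.1.15'
}

# The broad entry that causes the problem, then the two fixes described on this page.
$configs = [ordered]@{
    'broad'    = @('Mozilla/5')
    'regex'    = @('=~^(?!.*AtlassianMobileApp)Mozilla\/5.*')
    'narrowed' = @('Mozilla/5.0 (Macintosh', 'Mozilla/5.0 (Windows')
}

# One row per configuration and client: WIA = $true means the client would get WIA.
foreach ($cfg in $configs.GetEnumerator()) {
    foreach ($ua in $agents.GetEnumerator()) {
        [pscustomobject]@{
            Config = $cfg.Key
            Client = $ua.Key
            WIA    = Test-WiaUserAgent -Components $cfg.Value -UserAgent $ua.Value
        }
    }
}
```

On an AD FS server, the live list can be checked the same way by passing `-Components (Get-AdfsProperties).WIASupportedUserAgents` before and after the change.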

Not an admin? Send this page to your administrator and ask them to investigate the issue for you.

Product: Jira
Last updated: August 20, 2021
