Local user logins to Jira Service Management fail when Crowd SSO is enabled

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

症状

All local Jira Service Management customers and agents, including local admin accounts, are not able to log into Service Management at all. The following error is seen on-screen:

Sorry, your username and password are incorrect. Please try again.

The following generic authentication error appears in the atlassian-jira.log:

2014-10-30 13:06:41,806 http-bio-9000-exec-3 anonymous 786x735516x1 1j5qh57 198.76.89.7,184.28.17.74,204.156.15.149,127.0.0.1 /servicedesk/customer/portal/13/user/login login : 'servicedeskcustomer' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.

Jira is configured to achieve SSO through Crowd. That is: <jira_install>/atlassian-jira/WEB-INF/classes/seraph-config.xml has the Crowd SSO authenticator enabled and the default Jira authenticator disabled:

<!-- CROWD:START - If enabling Crowd SSO integration uncomment the following SSOSeraphAuthenticator and comment out the JiraSeraphAuthenticator below -->
<authenticator class="com.atlassian.jira.security.login.SSOSeraphAuthenticator"/>
<!-- CROWD:END -->
<!-- CROWD:START - The authenticator below here will need to be commented out for Crowd SSO integration -->
<!--authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/-->
<!-- CROWD:END -->

原因

When Jira is configured to achieve SSO through Crowd, only users from Crowd will be allowed to authenticate. Local Jira users, including administrators, will not be able to log in unless Crowd SSO is disabled.

ソリューション

This problem cannot be resolved by having both Crowd SSO and the Jira local (internal) directory active at the same time. The only choices are to have Crowd SSO OR the Jira local (internal) directory, but not both.

To enable the Jira local (internal) directory, which will disable Crowd SSO:

tip/resting Created with Sketch.

Jira Service Management Customers WILL NOT count toward your Jira license in this scenario.

You will need to disable Crowd SSO to log in as a local user (or any other non-Crowd user, e.g. an LDAP account):

  1. Jira をシャットダウンします。

  2. Edit <jira_install>/atlassian-jira/WEB-INF/classes/seraph-config.xml

  3. Uncomment the default Jira authenticator:

    <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/>
  4. Comment out the Crowd SSO authenticator:

    <!-- <authenticator class="com.atlassian.jira.security.login.SSOSeraphAuthenticator"/> -->
  5. Start Jira back up

If you do not remember your local administrator username or password, please see the following documentation on how you can locate or reset its password via the database: Retrieving the Jira Administrator

To enable Crowd SSO to allow Jira Service Management Customer's to login, which will disable the Jira local (internal) directory:

tip/resting Created with Sketch.

The Jira Service Management Customer's WILL COUNT toward your Crowd licensing which will entail additional licensing costs.


In Jira:

  • Make sure the connection to the crowd server has both read and write permission

  • Make sure the crowd server is the top most directory in the "Users Directory" section of Jira admin

In Crowd:

  • Make sure the directory associated with Jira has "Allow all to authenticate" set to true

    This ensures that customers created through Jira Service Management are created properly in crowd and can authenticate even though they are in no groups.

注意: 

  • Users that have already been created in the local Jira directory will still be unable to log in while Crowd (SSO) is configured.

  • Sometimes, there is a short delay after creating a user where Crowd will not have synchronized it's directory with Jira. It is possible to manually force a sync in the admin UI. During this window, users will also be unable to log in.

This issue is related to this report:

JSD-923 - Getting issue details... STATUS

JSD-1244 - Getting issue details... STATUS

最終更新日 2020 年 11 月 23 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.