Using the external-login endpoint with Multiple IdPs
Platform notice: Data Center only - This article applies only to Atlassian products on the Data Center platform.
This KB was created for the Data Center version of the product. Data Center KBs for features that are not Data Center specific may also work with the Server version of the product, but they have not been tested. Support for Server* products ended on February 15, 2024. If you are using a Server product, please check the migration options on the Atlassian Server product end-of-support announcement page.
*Except Fisheye and Crucible
Summary
With the earlier versions of SSO for Atlassian Server and Data Center plugins, there was an option to set SSO as secondary authentication.
When SSO was configured as secondary authentication, it had to be accessed through the endpoint /plugins/servlet/external-login. Many customers used this to set up end-user portals (outside the IdP) that present many applications as icons for the user to choose from, Jira being one of them. These icons pointed to the JIRA_BASE_URL/plugins/servlet/external-login URL, which caused Jira to initiate the SSO login for the user.
Environment
SSO for Atlassian Data Center version 4.20 and later
Diagnosis
As part of the changes introduced with version 4.2.0, the /plugins/servlet/external-login endpoint no longer functions without the database ID of an identity provider.
Cause
SSO for Atlassian Server and Data Center plugin version 4.2.0 introduces support for Multiple IdPs.
With this, the option to configure hidden identity providers, as was possible with secondary authentication, was removed: any identity provider that is configured is usable.
Solution
In situations where end users should not be given a choice of IdP, the endpoint /plugins/servlet/external-login can be used with the database ID of the IdP configuration. For example, if the identity provider named SAML config has database ID 1, the endpoint /plugins/servlet/external-login/1 would start the SSO flow for that identity provider. The IdP data is stored in the AO table AO_ED669C_IDP_CONFIG. The ID can also be obtained by issuing a GET request to the /rest/authconfig/1.0/idps endpoint.
Similarly, the endpoint /plugins/servlet/external-login/2 would start the SSO flow for the identity provider named OpenID.
As an alternative, portals can be implemented using the login URL of the application (for example login.jsp in the case of Jira). If only one IdP is defined and the login form is disabled, this triggers the SSO flow for the sole IdP. If there are multiple ways of logging in (i.e. the login form is enabled or multiple IdPs are configured), this renders a login gateway where the preferred authentication method can be selected.
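The following is an added example, not code from the KB or from the SSO plugin, showing how a portal can resolve an IdP's database ID from the /rest/authconfig/1.0/idps listing and build the per-IdP external-login link, plus a check that an existing hard-coded portal link still points at the intended IdP. The JSON below is a constructed sample standing in for the endpoint's response; its exact shape (an array of objects with "id" and "name" fields) is an assumption, and the base URL is a placeholder.

```python
import json
from urllib.parse import urljoin

# Constructed sample standing in for the body of GET /rest/authconfig/1.0/idps.
# The exact response shape is an assumption; only "id" and "name" are relied on,
# with "id" being the database ID from the AO_ED669C_IDP_CONFIG table.
SAMPLE_IDPS_RESPONSE = json.dumps([
    {"id": 1, "name": "SAML config", "type": "SAML"},
    {"id": 2, "name": "OpenID", "type": "OIDC"},
])


def external_login_url(base_url, idp_id):
    """Build BASE_URL/plugins/servlet/external-login/<database id>."""
    return urljoin(base_url.rstrip("/") + "/",
                   f"plugins/servlet/external-login/{int(idp_id)}")


def idp_id_by_name(idps_json, name):
    """Return the database ID of the IdP with this display name, or None."""
    for idp in json.loads(idps_json):
        if idp.get("name") == name:
            return int(idp["id"])
    return None


def portal_links(base_url, idps_json):
    """Map every configured IdP name to the direct SSO link a portal icon should use."""
    return {idp["name"]: external_login_url(base_url, idp["id"])
            for idp in json.loads(idps_json)}


def portal_link_matches(base_url, idps_json, expected_name, configured_url):
    """Check that a hard-coded portal link still points at the intended IdP.

    The path carries a database ID, not the IdP name, so a link that embeds
    /external-login/<id> should be re-validated against the live IdP list
    whenever IdP configuration changes (e.g. an IdP is deleted and re-created).
    """
    idp_id = idp_id_by_name(idps_json, expected_name)
    if idp_id is None:
        return False
    return configured_url.rstrip("/") == external_login_url(base_url, idp_id)


if __name__ == "__main__":
    # Placeholder base URL; replace with the real JIRA_BASE_URL.
    for name, url in portal_links("https://jira.example.com", SAMPLE_IDPS_RESPONSE).items():
        print(f"{name}: {url}")
```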