Automatic JIRA login using AD user

Andris Bērziņš
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 19, 2012

I've successfully managed to extend JiraSeraphAuthenticator, replacing the login screen of JIRA with one of my own, essentially creating an SSO system. It works fine, but in my case that is not enough, because I wish to use AD for identifying users.

Therefore, I'd like to get rid of any sign-in window altogether. I was thinking of replacing the login link in seraph-config.xml with a link to my JIRA plugin (something like /secure/SsoLogin!default.jspa), which could then basically log the user in automatically and then redirect them back to the dashboard or wherever.

This is where I hit a wall:

1. How do I automatically log the user in? I can use the REST API to do an HTTP POST to "/rest/auth/1/session", but that only logs in for the URLConnection. Can I somehow pass the returned session id to the client? Could I maybe call the Authenticator's authenticate method directly?

2. I don't really know how to retrieve the username that needs to be logged in. Since the plugin executes on the server, I can't use LoginContext. Obviously, I also can't use HttpServletRequest's getRemoteUser(), because that will be null, since the user is not logged in yet.

If this approach is wrong, could you point me in a better way to do this?

2 answers


1 vote
Answer accepted
Ed Letifov _TechTime - New Zealand_
Rising Star
August 19, 2012

I can point you to a better way to do it - our NTLM Authenticator for Jira and Confluence. For a price of a mere NZ$150 (plus a license for IOPlex Jespa - the library that is doing the heavy work of authenticating against Active Directory) this would solve your problem nicely.

Try it for free - http://turningright.co.nz/display/TurningRight/NTLM+Authenticator

Andris Bērziņš
Rising Star
September 19, 2012

I finally got around to trying the NTLM authenticator. It worked fine for regular users (that use passwords). However, there is a problem with users that use smartcards - they don't authenticate. When opening the JIRA page I get greeted with a login screen.

Looking at Jespa's log there is this: "2012-09-20 15:12:20: HttpSecurityService: 192.168.145.60:60157: KDCTest successfully authenticated", which suggests that it works fine there.

Do you have any ideas what might be the problem?

0 votes
TechTime Initiative Group June 18, 2013

Andris, can you get in touch via our TurningRight website? I will need to see some logs. If it works on the Jespa side, I am sure we can make it work with Jira.

TechTime Initiative Group September 4, 2013

For the future - the issue was due to the smartcard user not being in the correct group, i.e. they were not allowed to use Confluence.
