I've successfully managed to extend JiraSeraphAuthenticator, replacing the login screen of JIRA with one of my own, essentially creating an SSO system. It works fine, but in my case, however, that is not enough, because I wish to use AD for identifying users.
Therefore, I'd like to get rid of any sign-in window altogether. I was thinking of replacing the login link in seraph-config.xml with a link of my JIRA plugin (something like /secure/SsoLogin!default.jspa), which could then basically log the user in automatically and then redirect it back to dashboard or wherever.
This is where I hit a wall:
1. How do I automatically log the user in? I can use the REST API to do an HTTP POST to "/rest/auth/1/session", but that only logs in for the URLConnection. Can I somehow pass the returned session id to the client? Could I maybe call the Authenticator's authenticate method directly?
2. I don't really know how to retrieve the username that needs to be logged in. Since the plugin executes on the server, I can't use LoginContext. Obviously, I also can't use HttpServletRequest's getRemoteUser(), because that will be null, since the user is not logged in yet.
If this approach is wrong, could you point me in a better way to do this?
I can point you to a better way to do it - our NTLM Authenticator for Jira and Confluence. For a price of mere NZ$150 (plus a license for IOPlex Jespa - the library that is doing the heavy work of authenticating against Active Directory) this would solve your problem nicely.
Try it for free - http://turningright.co.nz/display/TurningRight/NTLM+Authenticator
I finally got around to trying NTLM authenticator. It worked fine for regular users (that use passwords). However, there is a problem with users that use smartcards - they don't authenticate. When opening JIRA page I get greeted with a login screen.
Looking at Jespa's log there is this: "2012-09-20 15:12:20: HttpSecurityService: 192.168.145.60:60157: KDCTest successfully authenticated". Which suggests that it works fine there.
Do you have any ideas what might be the problem?
Andris, can you get in touch via our TurningRight website? I will need to see some logs. If it works on the Jespa side, I am sure we can make it work with Jira.
For the future - the issue was due to the smartcard user not being in the correct group i.e. they were not allowed to use Confluence.