NimbostratusHas anyone managed to get SSO with APM working for Atlasssian Jira, iam having problems populating the SSO form with the right data and the gadget does not seem to work. I have been using /secure/Dashboard.jspa as the start uri and /rest/dashboards/1.0/10000/gadget/0/prefs as the form action together with os_username as the parameter for username and os_password for the password. Any ideas or tips appreciated.
/Craig
EmployeeHi Craig,
Can you take an HTTPWatch going direct to the application and share it? If you can make sure to clear cache and cookies first. I can then look at the application and help suggest a configuration that will work for you.
-Seth
CirrostratusOne think to note with JIRA is that you MUST have an iRule to bypass APM if the requires originates from the backend server. JIRA uses an internal method to call back into it self to render the gadgets. These requests only occur at server startup. Otherwise, you can also use Basic Auth to the backend for SSO.
Here is the iRule that I use:
when CLIENT_ACCEPTED {
if { [IP::addr [IP::client_addr] mask 255.255.0.0] equals "10.7.0.0" } {
Disable APM for Data-center clients (Application-to-Application)
set access_bypass 1
return
}
}
when HTTP_REQUEST {
Handle selective disablement of the Access policy. This variable could be defined in another iRule or Policy.
if {[info exists access_bypass]} {
Only manipulate the ACCESS profile if access_bypass has been defined; otherwise use default behavior
if {$access_bypass == 1} {
if {!([HTTP::uri] starts_with "/F5Networks-SSO")} {
Only disable the ACCESS policy if it is not the URL for multi-domain auth cookies
ACCESS::disable
}
} else {
ACCESS::enable
}
}
}
JIRA has a little caveat when using SSO for the gadets... During server start-up it makes an outbound HTTP call thru the load-balanced address to resolve the gadget meta data. To make that work, you must disable SSO for the pool member IP address. I have also had good success with using Basic Auth to do the SSO. However, Basic Auth fails then the JIRA session has timed out on the backend.
Here is the iRule that you can apply to fix the gadget issue.
when CLIENT_ACCEPTED {
if { [IP::addr [IP::client_addr] mask 255.255.0.0] equals "10.7.0.0" } {
Disable APM for Data-center clients (Application-to-Application)
set access_bypass 1
return
}
}
when HTTP_REQUEST {
Handle selective disablement of the Access policy. This variable could be defined in another iRule or Policy.
if {[info exists access_bypass]} {
Only manipulate the ACCESS profile if access_bypass has been defined; otherwise use default behavior
if {$access_bypass == 1} {
if {!([HTTP::uri] starts_with "/F5Networks-SSO")} {
Only disable the ACCESS policy if it is not the URL for multi-domain auth cookies
ACCESS::disable
}
} else {
ACCESS::enable
}
}
}
It looks like there are SAML plugins, you could just use APM as IdP.
https://marketplace.atlassian.com/plugins/com.bitium.jira.SAML2PluginJira/server/reviews
This is probably a more standard way to do it.
CirrostratusThat is a third-party / unsupported application. So your results may vary. Using Basic Auth / iRule works out-of-the-box.
Nimbostratushi craig , after adding irule were you able to populate the sso . even am in same boat and i was unable to populate/pass the username&password to the action form.
CirrusIs there any update regarding this topic? Because atm I'm also trying to populate the SSO Credentials from my first login page to the jira login page. But i always get wrong username/password.
Also tried with different start URIs in the sso from
NimbostratusYou need to point at the login.jsp form and not the dashboard login gadget. I have this working for desktop browsers. Still having trouble with mobile browsers though.
Here is my irule for url rewrite
when ACCESS_SESSION_STARTED {
if { [string tolower [HTTP::uri]] starts_with "/browse" } {
set append_uri [HTTP::query]
ACCESS::session data set session.server.landinguri [HTTP::uri]$append_uri
} elseif { [string tolower [HTTP::uri]] starts_with "/plugins" } {
set append_uri [HTTP::query]
ACCESS::session data set session.server.landinguri [HTTP::uri]$append_uri
} else {
ACCESS::session data set session.server.landinguri "/login.jsp"
}
}Your SSO should be "Forms - Client Initiated" with form parameters being "os_username" and "os_password" secure true. Form detection is URI
NimbostratusHi Dan,
We have configured it, However, we are facing issue with logout. when we click logout the session doesn't end. it keeps running. is there any link of jira/confluence that we can configure in F5 saml for logging out session?
Logout? - where on f5 apm or Atlassian Jira?
SSO Log out is difficult, depending on how you have configured it.
So logout could log you out of all sessions on the f5, log you at application level only or just one application on the f5 (but that needs a bit of work / configurtion on the f5 side first!)
So, where is the log out button you are pressing? on the f5 or on the application?
