Integrating Atlassian JIRA with WSO2 Identity Server

This post is on how you can configure SAML 2 based SSO for Atlassian JIRA, using the WSO2 Identity Server as the Identity Provider. Note that this configuration is very similar to the configuration for Confluence, which can be found here, since both Confluence and JIRA are products of Atlassian.

Prerequisites

WSO2 Identity Server

The WSO2 Identity Server download link and the installation guide are given below,

Atlassian JIRA

The JIRA download link and installation guide are given below. This tutorial has been tested with JIRA version 6.4; slight modifications might be required for other versions.

LastPass JIRA SAML Plugin

The plugin is required to configure SAML 2.0 SSO for JIRA. The download link is given below and the installation guide can be found in the file named INSTALL in the main folder.

IMPORTANT: Step 1 should be completed before the plugin installation as the plugin installation disables the default user login process which makes it difficult to do configurations inside the JIRA dashboard.

Step-by-Step Process

Step 1: Configuring JIRA LDAP

This step requires a working knowledge of LDAP; follow this link if you are unfamiliar with the concept.

JIRA by default uses an internal LDAP to keep track of the users and permissions. In order to integrate the WSO2 IS with JIRA, both LDAPs should point to the same LDAP instance. Here we are configuring the JIRA LDAP instance to point to the WSO2 IS LDAP.

  1. Once inside the JIRA dashboard, click on the cog icon, on the top pane and select User Management.
  2. Click on the User Directories link on the left-hand pane.
  3. Select Add Directory then select LDAP from the drop down menu.
  4. The configuration is given below

Test the configuration while having the WSO2 IS running. Then save.

NOTES

  • This configuration was done after configuring the WSO2 IS to accept email authentication. The configuration would slightly change unless this is done. See here for more information.
  • WSO2 IS by default uses port 10389 for the LDAP; this can be changed in the <IS_HOME>/repository/conf/user-mgt.xml file.

Step 2: Configuring JIRA

  1. Stop JIRA and install the LastPass plugin.
  2. Change the name of idp-metadata.xml.sample to idp-metadata.xml and sp-metadata.xml.sample to sp-metadata.xml. These two files are found in your <JIRA_HOME> directory.
  3. Change the <JIRA_HOME>/idp-metadata.xml as follows
  • Change the entityID value to the issuer name you will be configuring the Service Provider in your IdP with. For this tutorial we will be setting this as “LastPass-JIRA”.
  • Replace the <md:SingleSignOnService….> tag with
<md:SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://localhost:9443/samlsso"/>
  • Add this after the replacement
<md:SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://localhost:9443/samlsso"/>
  • Replace the <md:SingleLogoutService….> tag with
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://localhost:9443/samlsso"
ResponseLocation="https://localhost:9443/samlsso"/>
  • Replace the “cert-goes-here” between the <ds:X509Certificate> tags with your certificate. WSO2 IS default certificate can be found here.

(Use the certificate body only, without the BEGIN and END marker lines.)

NOTE: The edited idp-metadata.xml file should look like this.

  4. Change the <JIRA_HOME>/sp-metadata.xml as follows

  • Change the entityID to the issuer value as above, in this case to “LastPass-JIRA”.
  • Replace “http://jira.example.com” with your JIRA URL, in this case “http://localhost:PORT”. Replace PORT with the port JIRA is running on; by default it is 8080. I have configured JIRA with port 8070.

NOTE: The edited sp-metadata.xml file should look like this.

  5. Add the following line after initializing “originalUrl” in <JIRA_HOME>/atlassian-jira/saml_acs.jsp

originalUrl = "/secure/Dashboard.jspa";
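A check that can be run on the edited idp-metadata.xml before restarting JIRA, covering the edits from item 3 of this step. This is an added example, not part of the original post or the LastPass plugin: the function names are hypothetical, the metadata document is a trimmed constructed sample, and the certificate bytes are a constructed stand-in rather than a real certificate.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def pem_body(pem):
    """Drop the BEGIN/END lines of a PEM certificate and join the base64 body."""
    return "".join(l.strip() for l in pem.splitlines() if not l.strip().startswith("-----"))

def check_idp_metadata(xml_text, entity_id, sso_url):
    """Return a list of problems found in an edited idp-metadata.xml."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("entityID") != entity_id:
        problems.append("entityID does not match the issuer")
    for tag, binding in (("SingleSignOnService", REDIRECT),
                         ("SingleSignOnService", POST),
                         ("SingleLogoutService", REDIRECT)):
        found = {e.get("Binding"): e.get("Location")
                 for e in root.iterfind(".//md:" + tag, NS)}
        if found.get(binding) != sso_url:
            problems.append(f"{tag} {binding.rsplit(':', 1)[1]} missing or wrong")
    cert = root.find(".//ds:X509Certificate", NS)
    body = "".join((cert.text or "").split()) if cert is not None else ""
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:               # placeholder text or BEGIN/END lines left in
        der = b""
    if not der.startswith(b"\x30"):  # DER certificates begin with a SEQUENCE tag
        problems.append("X509Certificate is not base64 DER")
    return problems

# Constructed sample: the bytes below are a stand-in, not a real certificate.
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(b"\x30\x82\x00\x04test").decode()
            + "\n-----END CERTIFICATE-----\n")

def sample_metadata(cert_text, post_binding=POST, url="https://localhost:9443/samlsso"):
    """Constructed, trimmed idp-metadata.xml using the values from the steps above."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
 entityID="LastPass-JIRA"><md:IDPSSODescriptor><md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
 <ds:X509Certificate>{cert_text}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <md:SingleLogoutService Binding="{REDIRECT}" Location="{url}" ResponseLocation="{url}"/>
 <md:SingleSignOnService Binding="{REDIRECT}" Location="{url}"/>
 <md:SingleSignOnService Binding="{post_binding}" Location="{url}"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

A Binding value that has been wrapped across two lines is reported as missing, because the XML parser turns the line break inside the attribute into a space and the URN no longer matches.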

Step 3: Configuring WSO2 IS

  1. Select Add under the Service Provider section on the left pane.
  2. Give a name and register the Service Provider.
  3. Click on “Inbound Authentication Configuration”, and under that click on “SAML Web SSO Configuration”. Then click on “Configure”.
  4. Give the following values
    • Issuer = LastPass-JIRA (The value has to equal the value we gave for issuer in Step 2)
    • Assertion Consumer URL = http://localhost:8070/saml_acs.jsp
    • Check “Use fully qualified username in the NameID”
    • Check “Enable Response Signing”
    • Check “Enable Assertion Signing”
    • Check “Enable Single Logout”
  5. Click Register then update.

Step 4: Patch the WSO2 IS

The Identity Server needs to be patched to include an attribute of the authentication statement. This is an optional attribute according to the SAML Specification, so the IS does not set it. The plugin searches for this attribute and throws an error if it is unavailable.

Add the following line in the buildSAMLAssertion() method after initializing the authStmt in this class,

authStmt.setSessionNotOnOrAfter(notOnOrAfter);

Step 5: Run the Server

Now we are all set; run JIRA and the WSO2 IS. The JIRA default URL should redirect you to the WSO2 IS authentication page. When you enter the credentials, you will be redirected to the JIRA Dashboard of the logged-in user.

Troubleshooting

 

Hope this helps, do drop a comment if there’s anything you need clarified. Have fun!
