Issues with JIRA SAML SSO add-on redirect

Cesar Ramirez 16 Reputation points
2020-06-11T20:47:04.337+00:00

Hello,

I was redirected from: https://github.com/MicrosoftDocs/azure-docs/issues/56903

We installed this add-on (https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/jiramicrosoft-tutorial) on our Jira instance (as well as the Confluence equivalent). A majority of the time we don't have any issues, however one of our users has been getting weird behavior with it.

The basics of it is once the user clicks on the Login with Azure AD button, they're redirected to the following url (Note the https at the end) : https://jira.companyname.nethttps

Here's an excerpt from the user and their experience:

----------

I got my "jira.company.nethttps refused to connect." error again
Steps slightly more clear:
I clicked a tab in Chrome that previously was at jira, it went to the login page due to an authentication problem, probably i was idle for 3+hours
it took longer than usual for the Azure/AD login button to show up, but it eventually did
I clicked the LOGIN /W AZURE button, and it took me to that url
Can't reproduce because I'm obviously logged in now, so hitting back takes me to the authenticated page, not the NEEDS authentication page.

----------

In addition to that, another user noticed this on mobile (I don't really expect the add-on to work on mobile, but he was able to reproduce the redirect error 100% of the time):

----------

Might help tracking this issue: Another way to recreate it is when using these JIRA links on a cellphone.
When I click on these JIRA links on a cellphone (and I'm not logged in) ... Logging in using Login with Azure AD reroutes to the bad URL mentioned above. (so far 100% reproducible)

----------

Our current Jira version is: 8.6.1
JIRA SAML SSO Plugin Version : 6.0

Let me know if there's anything else I can provide. Thanks!

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,372 questions
0 comments

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Cesar Ramirez 16 Reputation points
    2020-06-17T17:24:39.757+00:00

    Hello,

    So I installed the recent update, while it looks to have solved the issue. It causing another error that's now not allowing the admin menus for another plugin (Scriptrunner) to load, making it unusable. I have reverted back to an older version of the plugin, allowing my other plugin to load again

    Here's the error I am getting from the console regarding the Microsoft SSO plugin.

    batch.js?agile_global_admin_condition=true&healthcheck-resources=true&jag=true&jaguser=true&locale=en-US:2935 Uncaught ReferenceError: getQueryVariable is not defined
    at HTMLDocument.<anonymous> (batch.js?agile_global_admin_condition=true&healthcheck-resources=true&jag=true&jaguser=true&locale=en-US:2935)
    at c (batch.js?locale=en-US:54)
    at Object.fireWith [as resolveWith] (batch.js?locale=en-US:54)
    at Function.ready (batch.js?locale=en-US:54)
    at HTMLDocument.H (batch.js?locale=en-US:54)

    Which leads to this line:

    /* module-key = 'com.microsoft.MSSsoJiraPlugin:admin-resources1.0.9', location = '/js/JiraSSOLogoutAction.js' */
    AJS.$(function(){var a=getQueryVariable("atl_token");console.log("ServiceDesk url found.....atl_token: "+a);AJS.$(document).ready(function(){setTimeout(function(){if(AJS.$("#log_out").length){var b=getCookie("atlassian.xsrf.token");AJS.$("#log_out").attr("href",AJS.contextPath()+"/plugins/servlet/saml/logout?atl_token="+b)}if(AJS.$(".js-logout").length){console.log("ServiceDesk url found");var b=getCookie("atl_token");if(!b){b=getCookie("atlassian.xsrf.token")}getGlobalLogoutValue(b);AJS.$(".js-logout").unbind("click");AJS.$(".js logout").attr("href",AJS.contextPath()+"/plugins/servlet/saml/logout?atl_token="+b)}},4000)})});function getCookie(d){var b=d+"=";var >f=decodeURIComponent(document.cookie);var a=f.split(";");for(var e=0;e<a.length;e++){var g=a[e];while(g.charAt(0)==" "){g=g.substring(1)}if(g.indexOf(b)==0){return g.substring(b.length,g.length)}}return""}function getGlobalLogoutValue(a){AJS.$.ajax({url:AJS.contextPath()+"/plugins/servlet/saml/getLoginButtonConfFields",type:"GET",success:function(b){if(b!=""){var c=getResponseValueOfForceAzureLogin(b,"isForceAzureLogin");if(c!="on"){AJS.$(".js-logout").bind("click",function(){console.log("User clicked on logout ");AJS.$.ajax({url:AJS.contextPath()+"/servicedesk/customer/user/logout?atl_token="+a,type:"GET",success:function(d){console.log("Succusfully local logout completed");window.location.href=AJS.contextPath()+"/plugins/servlet/saml/logout"},error:function(d,f,e){console.log("Something really bad happened while ServiceDesk logOut "+f)}})})}}},error:function(b,d,c){console.log("Something really bad happened "+d)}})}function getResponseValueOfForceAzureLogin(b,a){console.log("parameterName :"+a);var c=b.split("~");if(a=="isForceAzureLogin"){console.log("isForceAzureLogin :"+c[1]);return c[1]}};

    }catch(e){WRMCB(e)};
    ;

    1 person found this answer helpful.
  2. Jeevan Desarda 91 Reputation points Microsoft Employee
    2020-06-12T17:41:08.717+00:00

    Thanks for reporting the issue.

    Recently we have published the new version of the plugin and with that this Web issue should get resolved.
    I am aware about the Mobile SSO issue. I will confirm with our engineering team on that solution.

    But please update the plugin to the latest version and let us know how that goes.
    https://www.microsoft.com/en-us/download/details.aspx?id=56506

  3. Bartosz N 1 Reputation point
    2020-06-17T15:14:15.42+00:00

    Dear Jeevan.

    I'm facing exact same issue with your most recent version of a plugin (6.0 AKA 1.0.9 - md5sum 7985fded8253d40297e15d1dd8595e8d) with Jira Server ver 8.7.1

    Noticed that the problem is related to os_destination parameter appended to Jira URL before login.

    Example URL that triggers issue - https://jira-instance-1.contoso.com/login.jsp?os_destination=https%3A%2F%2Fjira-instance-1.contoso.com%2Fplugins%2Fservlet%2Fupm&page_caps=&user_role=ADMIN

    Request to jira 

    POST /plugins/servlet/saml/auth HTTP/1.1

    results with 

    Location: https://jira-instance-1.contoso.com/https://jira-instance-1.contoso.com/plugins/servlet/upm

    When using usual login/password form to sign in, redirect goes to proper location 

    Location:  https://jira-instance-1.contoso.com/plugins/servlet/upm

    Additional issue is that if code really works - leads to open redirect vulnerability upon login. I've ended up with (improper at a time) URL 

    https://jira-instance-1.contoso.comhttps//google.com/

    Please keep that in mind while fixing bug.

    0 comments
  4. JamesTran-MSFT 36,351 Reputation points Microsoft Employee
    2020-06-22T16:46:56.397+00:00

    @Cesar Ramirez
    I re-opened your GitHub issue since it'll be easier for @Jeevan Desarda to track on that platform. We will continue to work with our engineering teams and update as needed. Additionally, once we get an answer for your issue on GitHub, I'll re-post here for the community.

    GitHub:
    https://github.com/MicrosoftDocs/azure-docs/issues/56903