CesarRamirez-7875 asked ·

Issues with JIRA SAML SSO add-on redirect

Hello,

I was redirected from: https://github.com/MicrosoftDocs/azure-docs/issues/56903

We installed this add-on (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/jiramicrosoft-tutorial) on our Jira instance (as well as the Confluence equivalent). A majority of the time we don't have any issues, however one of our users has been getting weird behavior with it.

The basics of it is once the user clicks on the Login with Azure AD button, they're redirected to the following url (Note the https at the end) : https://jira.companyname.nethttps

Here's an excerpt from the user and their experience:





I got my "jira.company.nethttps refused to connect." error again
Steps slightly more clear:
I clicked a tab in Chrome that previously was at jira, it went to the login page due to an authentication problem, probably I was idle for 3+ hours
it took longer than usual for the Azure/AD login button to show up, but it eventually did
I clicked the LOGIN /W AZURE button, and it took me to that url
Can't reproduce because I'm obviously logged in now, so hitting back takes me to the authenticated page, not the NEEDS authentication page.





In addition to that, another user noticed this on mobile (I don't really expect the add-on to work on mobile, but he was able to reproduce the redirect error 100% of the time):





Might help tracking this issue: Another way to recreate it is when using these JIRA links on a cellphone.
When I click on these JIRA links on a cellphone (and I'm not logged in) ... Logging in using Login with Azure AD reroutes to the bad URL mentioned above. (so far 100% reproducible)





Our current Jira version is: 8.6.1
JIRA SAML SSO Plugin Version : 6.0

Let me know if there's anything else I can provide. Thanks!



azure-ad-single-sign-on

JeevanDesarda-0592 answered ·

Thanks for reporting the issue.

Recently we have published the new version of the plugin and with that this Web issue should get resolved.
I am aware of the Mobile SSO issue. I will confirm with our engineering team on that solution.

But please update the plugin to the latest version and let us know how that goes.
https://www.microsoft.com/en-us/download/details.aspx?id=56506


@CesarRamirez-7875

I just wanted to check in and see if the above post helped answer your question or if you had any other questions.

Thank you for your time!



Please let us know if any of these answers helped resolve your question. If so, please remember to "mark as answer" so that others in the community facing similar issues can easily find a solution.

0 Votes 0 · ·

I was unable to submit my new error in a reply, please see my latest post to this question.

0 Votes 0 · ·

@CesarRamirez-7875
Thank you for the details below, along with the error message.


@JeevanDesarda-0592
Per your previous post, it looks like you were following up with our engineering team. Did you ever receive a follow up from them? If you require my assistance, please let me know how I can help.


Thank you!

0 Votes 0 · ·
BartoszN-3235 answered ·

Dear Jeevan.

I'm facing the exact same issue with your most recent version of the plugin (6.0 AKA 1.0.9 - md5sum 7985fded8253d40297e15d1dd8595e8d) with Jira Server ver 8.7.1

Noticed that the problem is related to os_destination parameter appended to Jira URL before login.

Example URL that triggers issue - https://jira-instance-1.contoso.com/login.jsp?os_destination=https%3A%2F%2Fjira-instance-1.contoso.com%2Fplugins%2Fservlet%2Fupm&page_caps=&user_role=ADMIN

Request to jira

 POST /plugins/servlet/saml/auth HTTP/1.1

results with

 Location: https://jira-instance-1.contoso.com/https://jira-instance-1.contoso.com/plugins/servlet/upm

When using usual login/password form to sign in, redirect goes to proper location

 Location:  https://jira-instance-1.contoso.com/plugins/servlet/upm


An additional issue is that if the code really works, it leads to an open redirect vulnerability upon login. I've ended up with the (improper at the time) URL

 https://jira-instance-1.contoso.comhttps//google.com/


Please keep that in mind while fixing the bug.


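The answer above reports that an absolute `os_destination` is appended to the base URL, and that a working redirect would become an open redirect unless the destination is checked. One way to validate the parameter before issuing the `Location` header, as an added example that is not the plugin's code (its source is not shown on this page); `BASE_URL`, `naiveRedirect` and `safeRedirect` are hypothetical names, and `naiveRedirect` only reproduces the reported result:

```javascript
// Added example, not the plugin's code. All names here are hypothetical.
const BASE_URL = "https://jira-instance-1.contoso.com"; // instance URL used in the post

// Reproduces the reported Location header: the destination is appended to
// the base URL without checking whether it is already an absolute URL.
function naiveRedirect(baseUrl, osDestination) {
  return baseUrl + "/" + osDestination;
}

// Resolve os_destination against the base URL and accept the result only if
// it stays on the same origin; anything else falls back to a fixed page.
function safeRedirect(baseUrl, osDestination, fallbackPath = "/") {
  const base = new URL(baseUrl);
  const fallback = new URL(fallbackPath, base).href;
  if (typeof osDestination !== "string" || osDestination === "") {
    return fallback;
  }
  // Backslashes and control characters are parsed leniently by URL parsers
  // (e.g. "/\host" becomes "//host"), so refuse them outright.
  if (/[\u0000-\u001f\u007f\\]/.test(osDestination)) {
    return fallback;
  }
  let target;
  try {
    // Handles both relative ("/plugins/servlet/upm") and absolute forms.
    target = new URL(osDestination, base);
  } catch {
    return fallback;
  }
  // Same scheme, host and port as the Jira instance, and no embedded credentials.
  if (target.origin !== base.origin || target.username || target.password) {
    return fallback;
  }
  return target.href;
}
```

The origin comparison covers scheme-relative (`//host/`), userinfo (`base@host`) and non-HTTP scheme destinations in one check, because the decision is made on the parsed URL rather than on string prefixes.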

CesarRamirez-7875 answered ·

Hello,

So I installed the recent update, and while it looks to have solved the issue, it is causing another error that's now not allowing the admin menus for another plugin (Scriptrunner) to load, making it unusable. I have reverted back to an older version of the plugin, allowing my other plugin to load again.

Here's the error I am getting from the console regarding the Microsoft SSO plugin.

batch.js?agile_global_admin_condition=true&healthcheck-resources=true&jag=true&jaguser=true&locale=en-US:2935 Uncaught ReferenceError: getQueryVariable is not defined
at HTMLDocument.<anonymous> (batch.js?agile_global_admin_condition=true&healthcheck-resources=true&jag=true&jaguser=true&locale=en-US:2935)
at c (batch.js?locale=en-US:54)
at Object.fireWith [as resolveWith] (batch.js?locale=en-US:54)
at Function.ready (batch.js?locale=en-US:54)
at HTMLDocument.H (batch.js?locale=en-US:54)


Which leads to this line:

/* module-key = 'com.microsoft.MSSsoJiraPlugin:admin-resources1.0.9', location = '/js/JiraSSOLogoutAction.js' */
AJS.$(function(){var a=getQueryVariable("atl_token");console.log("ServiceDesk url found.....atl_token: "+a);AJS.$(document).ready(function(){setTimeout(function(){if(AJS.$("#log_out").length){var b=getCookie("atlassian.xsrf.token");AJS.$("#log_out").attr("href",AJS.contextPath()+"/plugins/servlet/saml/logout?atl_token="+b)}if(AJS.$(".js-logout").length){console.log("ServiceDesk url found");var b=getCookie("atl_token");if(!b){b=getCookie("atlassian.xsrf.token")}getGlobalLogoutValue(b);AJS.$(".js-logout").unbind("click");AJS.$(".js logout").attr("href",AJS.contextPath()+"/plugins/servlet/saml/logout?atl_token="+b)}},4000)})});function getCookie(d){var b=d+"=";var f=decodeURIComponent(document.cookie);var a=f.split(";");for(var e=0;e<a.length;e++){var g=a[e];while(g.charAt(0)==" "){g=g.substring(1)}if(g.indexOf(b)==0){return g.substring(b.length,g.length)}}return""}function getGlobalLogoutValue(a){AJS.$.ajax({url:AJS.contextPath()+"/plugins/servlet/saml/getLoginButtonConfFields",type:"GET",success:function(b){if(b!=""){var c=getResponseValueOfForceAzureLogin(b,"isForceAzureLogin");if(c!="on"){AJS.$(".js-logout").bind("click",function(){console.log("User clicked on logout ");AJS.$.ajax({url:AJS.contextPath()+"/servicedesk/customer/user/logout?atl_token="+a,type:"GET",success:function(d){console.log("Succusfully local logout completed");window.location.href=AJS.contextPath()+"/plugins/servlet/saml/logout"},error:function(d,f,e){console.log("Something really bad happened while ServiceDesk logOut "+f)}})})}}},error:function(b,d,c){console.log("Something really bad happened "+d)}})}function getResponseValueOfForceAzureLogin(b,a){console.log("parameterName :"+a);var c=b.split("~");if(a=="isForceAzureLogin"){console.log("isForceAzureLogin :"+c[1]);return c[1]}};

}catch(e){WRMCB(e)};
;

Hello CesarRamirez-7875


I also had the same issue, whereas I am not able to revert to the older version; every time I install the older one it is populating the latest version and the issue persists. If possible, can you share a link to the OBR file which was working fine for you?

Thanks

0 Votes 0 · ·
CesarRamirez-7875 KoradaVenkatesh-9747 ·

Hey KoradaVenkatesh-9747,

Unfortunately I had an older OBR file that was saved on our network, and I'm unable to find a link for it. You can try completely uninstalling the plugin on Jira first from the front end, and then shut down Jira and try clearing the plugin-cache (https://tempo-io.atlassian.net/wiki/spaces/KB/pages/228982790/How+to+reset+plugins+cache+in+JIRA) and hopefully you can revert back to the old one.

1 Vote 1 · ·

Hello CesarRamirez-7875,

I have tried the suggested one and no luck.

We had set up the environment recently, and earlier I used the version 6.0 (displayed on JIRA), and if we install 1.0.6 it is showing as 1.0.9, and I even tried extracting the .jar to install but no luck :( .


0 Votes 0 · ·

We also face the exact same problem after installing the Microsoft Jira SSO plug-in 1.0.6 (6.2MB)

Until the issue is resolved, I want to install the older version. Do you have a link to the older version?

0 Votes 0 · ·
KoradaVenkatesh-9747 SethumadhavanKandavel-3842 ·

No, even I am looking for an older version OBR; will update you if I find any source

0 Votes 0 · ·
JamesTran-MSFT answered ·

@CesarRamirez-7875
I re-opened your GitHub issue since it'll be easier for @JeevanDesarda-0592 to track on that platform. We will continue to work with our engineering teams and update as needed. Additionally, once we get an answer for your issue on GitHub, I'll re-post here for the community.


GitHub:
https://github.com/MicrosoftDocs/azure-docs/issues/56903


JamesTran-MSFT: Can you share with me the link for the older version where both plugins can work simultaneously, though it has redirection issues?

Looking forward to hearing from you.



--Venkatesh K

0 Votes 0 · ·
JamesTran-MSFT KoradaVenkatesh-9747 ·

@KoradaVenkatesh-9747
Looking through the download center, I wasn't able to find the older version or even other versions available for download. However, on Atlassian's website, I was able to find an archive section for Jira Server Downloads, which might help with what you're looking for.


I'll also reach out to @JeevanDesarda-0592, to see if we have any updates regarding this GitHub issue.
Thank you for your time!

0 Votes 0 · ·

Thanks for the try, I have already checked the Atlassian Jira Server downloads, which don't have the archives of the MS plug-in.


--Venkatesh K

0 Votes 0 · ·