Versions Compared

...

  • The client secret for your OIDC integration has expired.

  • You accidentally copied in the wrong value. E.g. Microsoft Entra ID / Azure AD offers a "secret ID" field which is often confused with the client secret itself.

...

SAML

...

Why do I get the error code SUBJECT_CONFIRMATION_DATA_UNEXPECTED_IN_RESPONSE_TO?

When a user is redirected from an Atlassian Data Center instance to the identity provider for authentication, the redirect includes a unique authentication request ID. When the IDP later returns the user to the Atlassian Data Center, the SAML Response from the IDP must contain an InResponseTo attribute with the same ID. If the addon receives a SAML Response whose InResponseTo ID is unknown, you will see that error message.

It can happen for a number of reasons:

  • The user spent too long at the IDP (> 30 minutes), so the ID is no longer recognized by the time the user returns with a SAML Response. The most common cause is browser windows left open from the previous work day.

  • VPN: if the users are connecting to your Data Center through a saturated VPN, you may

  • Replay: an ID can only be used once. If a user reloads certain login pages, the same SAML Response can end up being POSTed again. The ID has already been removed and is no longer usable, generating that error.

  • Data Center specific: clustering problems. The ID is stored in a distributed cache (atlassian-cache). This ensures that if the user returns to a different node than the one that initiated login, login can still continue successfully. Usually, though, sticky sessions ensure users return to the node they started on.

    • If you have load balancing problems and cannot achieve sticky sessions, then you may encounter this error. You may also see users experiencing login loops.
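The four causes above all come down to one bookkeeping rule: the SP remembers the request IDs it issued, each for a limited time and for a single use, and a Response must cite exactly one of them. The following is an added illustration in Python (my own code, not the plugin's); the 30-minute TTL is taken from the text, and the in-memory store stands in for the distributed cache.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ID_TTL_SECONDS = 30 * 60  # the ~30 minute window described above (assumed exact value)

class RequestIdStore:
    """Stand-in for the shared cache; in a cluster every node must see the same entries."""
    def __init__(self):
        self._issued = {}  # request id -> time it was issued

    def issue(self, now):
        req_id = "_" + secrets.token_hex(16)  # SAML IDs must not start with a digit
        self._issued[req_id] = now
        return req_id

    def consume(self, req_id, now):
        """Single use: the ID is removed whether or not it validates."""
        issued = self._issued.pop(req_id, None)
        if issued is None:  # never issued here, already consumed (replay), or only cached on another node
            return "UNKNOWN_OR_ALREADY_USED"
        if now - issued > ID_TTL_SECONDS:  # user lingered at the IDP
            return "EXPIRED"
        return None

def in_response_to(response_xml):
    """Collect InResponseTo from the Response and every SubjectConfirmationData."""
    root = ET.fromstring(response_xml)
    ids = {root.get("InResponseTo")}
    for scd in root.iter(f"{{{SAML}}}SubjectConfirmationData"):
        ids.add(scd.get("InResponseTo"))
    ids.discard(None)
    return ids

def validate(store, response_xml, now):
    # Returns "OK" or the reason the Response would be rejected.
    ids = in_response_to(response_xml)
    if len(ids) != 1:  # missing, or Response and assertion disagree
        return "MISMATCHED_IN_RESPONSE_TO"
    return store.consume(ids.pop(), now) or "OK"

def sample_response(req_id, scd_id=None):
    # Constructed minimal Response for the demo; real ones are signed and far larger.
    scd_id = req_id if scd_id is None else scd_id
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" InResponseTo="{req_id}">'
            f'<saml:Assertion><saml:Subject><saml:SubjectConfirmation>'
            f'<saml:SubjectConfirmationData InResponseTo="{scd_id}"/>'
            '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>')
```

Running the same Response through `validate` twice reproduces the replay case, and a second `RequestIdStore` instance reproduces the "wrong node" case.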

Environment

Which Identity Providers do you support?

We have made step-by-step instructions for the most common IDPs. If your IDP is not listed, choose "Any other SAML / OIDC provider" in the setup wizard.
If you want to vote for your IDP to be added to the setup wizard, don't hesitate to reach out to us.

Do we need to make any file system changes to offer SAML or OIDC to mobile devices or JIRA Service Desk?

No, there is no need to make file system changes. Installing Kantega Single Sign-on will give you SSO to both JIRA and JIRA Service Desk. There is a switch to disable SAML/OIDC login for JSD on the “Redirect modes” page.

What is “known domains”?

The Known domains feature both increases security and lets the plugin redirect the user to the correct IDP.

Let us say you have a user mark.miller@example.com. If example.com is a known domain for exactly one IDP, we can redirect the user straight to that IDP.
If example.com is a known domain for two or more IDPs, the user must choose between them, so remember to give each IDP a descriptive name.

If known domains is set to "Trust identity provider to log in users from any domain", the IDP can potentially authenticate users from any other domain as well.
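An added illustration (my own Python, not the plugin's code) of the two roles known domains play: routing a login by e-mail domain, and checking after login that the IDP only vouched for a domain it is known for, which is the check the "trust any domain" setting gives up. The IDP names, domains and the `trust_any_domain` flag are constructed assumptions.

```python
# Constructed configuration: which domains each IDP is "known" for.
IDPS = {
    "Corp Entra ID": {"domains": {"example.com"}, "trust_any_domain": False},
    "Partner Okta": {"domains": {"example.com", "partner.example"}, "trust_any_domain": False},
    "Legacy ADFS": {"domains": {"old.example"}, "trust_any_domain": True},
}

def email_domain(email):
    """Lower-cased domain part of an e-mail address; rejects malformed input."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()

def route(email, idps=IDPS):
    """IDPs the login page can send this user to.
    One name -> redirect straight there; several -> the user must choose; none -> no known IDP."""
    domain = email_domain(email)
    return sorted(name for name, cfg in idps.items() if domain in cfg["domains"])

def accept_assertion(idp_name, asserted_email, idps=IDPS):
    """Post-login check: may this IDP vouch for the domain of the identity it asserted?
    With trust_any_domain the check is skipped, so a misconfigured or compromised IDP
    could log in accounts from any domain."""
    cfg = idps[idp_name]
    if cfg["trust_any_domain"]:
        return True
    return email_domain(asserted_email) in cfg["domains"]
```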

What is “hosted domain”?

Hosted domain (hd) is a parameter sent to the IDP as a hint for which domain the user should log in with. You can enable it in the Known Domains tab. This is not a security feature, as it does not prevent logging in with another domain; it only improves the user experience with providers that support it.

Can we add multiple Identity Providers?

Yes, add as many as you like and combine SAML and OIDC if you like!

By adjusting modes under “Redirect rules” under each provider, you may prioritize when each should trigger.

Is logging in with mobile devices supported?

Yes, JIRA Mobile and Confluence Mobile clients are offered SAML and OIDC login. 

Do you support SAML and OIDC for the JIRA Service Desk?

Yes, both JIRA Service Desk agents and customers are offered SAML and OIDC login. You may disable SAML and OIDC login for JSD users if you like.

How can I solve getting a 'BeanInstantiationException: Failed to instantiate [org.kantega.atlaskerb.saml.SamlConfManager]' during startup when using AppDynamics or Prometheus?

When using the AppDynamics agent or Prometheus, Kantega SSO may fail to enable with a BeanInstantiationException, frequently with the internal cause org.w3c.dom.ls.LSException: An unsupported encoding is encountered.

We have reports of customers successfully resolving this by adding the following parameters to the startup script:

-Datlassian.org.osgi.framework.bootdelegation=META-INF.services,com.yourkit,com.singularity.*,com.jprofiler,com.jprofiler.*,org.apache.xerces,org.apache.xerces.*,org.apache.xalan,org.apache.xalan.*,sun.*,com.sun.jndi,com.icl.saxon,com.icl.saxon.*,javax.servlet,javax.servlet.*,com.sun.xml.*,org.apache.xml.serializer,net.shibboleth.utilities.*,org.opensaml.core.*

Can I use "Edit in Office" (WebDav) in combination with SAML or OIDC for my Confluence 6.11.x and newer?

Yes, starting from Confluence 6.11.x you may use the Atlassian Companion app to edit your Office files, also when you log in using SAML or OIDC.

Can I use "Edit in Office" (WebDav) in combination with SAML or OIDC for my Confluence 6.10.x and older?

No, the WebDav technology does not support SAML or OIDC login. If you use SAML or OIDC to log in to Confluence and want to edit a Word, Excel or PowerPoint document, download the document, edit it and then upload it again.

...

If the request returning from the IDP to /plugins/servlet/no.kantega.saml/sp/{idp-id}/login is visible in the Tomcat catalina.out log but never reaches the host application (Jira, Confluence, Bitbucket, Bamboo), i.e. only Tomcat logs the request and neither the host app nor the Kantega SSO plugin logs it, then the issue is most likely another filter installed in Tomcat and configured in the web.xml file.
An example of a filter that may block such a request is a CORS filter such as org.apache.catalina.filters.CorsFilter.
A related article on configuring CorsFilter with Confluence can be found here:
https://jira.atlassian.com/browse/CONFSERVER-41269
Tomcat documentation:
https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#CORS_Filter

What to do if you get an AWS-related session problem?

We sometimes see that an AWS load balancer, when used in front of a multi-node cluster (of Confluence, Jira et al.), has problems retaining session stickiness. Enabling application-based stickiness in the AWS load balancer, bound to the cookie used by your application (by default the cookie is named JSESSIONID), seems to improve the stability of a clustered setup. See more about this here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/sticky-sessions.html#application-based-stickiness.

Typical symptoms of this problem can be:

  • login loops

  • login session suddenly dropping

  • the AWS cookie AWSALB suddenly changing, causing a node change for the browser, which in turn typically causes the login session to drop (the user gets logged out)

API Tokens

User accounts get locked out when API tokens get invalidated or expire. How can I prevent this from happening?

...