| Date published | 2023-02-23 |
|---|---|
| Summary | A bug in Kantega SSO Enterprise version 6.7.0 breaks login when using OIDC and JIT provisioning |
| Affected apps | Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira |
| Affected version | 6.7.0 |
| Affected product feature | Identity Providers > OIDC |
Ongoing incident: We have received reports that a bug has been found in the OpenID Connect login in version 6.7.0. This leads to a broken login when running just-in-time user provisioning. Downgrade is recommended until an update is published.
Details
Because of an error in how the new feature in 6.7.0 parses attributes from the ID token, all non-username attributes such as email, groups and other claims are excluded from the data that reaches the login process. Just-in-time user provisioning and group assignment therefore break, since the data they depend on is lost along the way.
This will in some cases lead to a broken login, and users will not be able to log into the respective Atlassian system. So far it seems like this bug only affects installations that are running just-in-time user provisioning in their OIDC setup.
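To make the failure mode concrete, here is an added Python example (not code from Kantega or the advisory) that decodes the payload of a constructed, unsigned ID token, contrasts a claim extraction that keeps only the username (the behaviour described above) with one that keeps the email and group claims JIT provisioning needs, and runs a fail-closed check that reports which required attributes are missing before any user is created. The claim names `preferred_username`, `email` and `groups`, the sample token contents and the `alg: none` header are all constructed for the example; a real flow verifies the token's signature, issuer, audience and expiry before reading any claim, and never accepts `alg: none`.

```python
import base64
import json

# Constructed sample claims (not from the advisory). Everything below assumes the
# token has already passed signature/issuer/audience/expiry verification.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.test",
    "sub": "1234567890",
    "aud": "atlassian-client",
    "exp": 1700000000,
    "preferred_username": "jdoe",
    "email": "jdoe@example.test",
    "name": "Jane Doe",
    "groups": ["jira-users", "developers"],
}


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_unsigned_id_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature segment.

    Only for constructing offline test data: a verifier must reject alg=none.
    """
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_payload(id_token: str) -> dict:
    """Return the claims in the payload segment of a JWT-shaped string."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token must have three '.'-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def extract_username_only(claims: dict, username_claim: str) -> dict:
    """Mirrors the defect the advisory describes: only the username survives."""
    return {"username": claims.get(username_claim)}


def extract_provisioning_attributes(claims: dict,
                                    username_claim: str = "preferred_username",
                                    email_claim: str = "email",
                                    groups_claim: str = "groups") -> dict:
    """Keep every attribute JIT provisioning and group mapping rely on."""
    return {
        "username": claims.get(username_claim),
        "email": claims.get(email_claim),
        "display_name": claims.get("name"),
        "groups": list(claims.get(groups_claim) or []),
    }


def missing_jit_attributes(attrs: dict, required=("username", "email")) -> list:
    """Names of required attributes that are absent or empty.

    A non-empty result means JIT provisioning should refuse to create the
    account rather than create a broken one.
    """
    return [name for name in required if not attrs.get(name)]


if __name__ == "__main__":
    token = build_unsigned_id_token(SAMPLE_CLAIMS)
    claims = decode_payload(token)
    buggy = extract_username_only(claims, "preferred_username")
    good = extract_provisioning_attributes(claims)
    print("username-only extraction is missing:", missing_jit_attributes(buggy))
    print("full extraction is missing:", missing_jit_attributes(good))
    print("groups available for assignment:", good["groups"])
```

Running the script shows the username-only extraction failing the pre-flight check on `email` while the full extraction passes and still carries the `groups` list; the same check can be wired into a provisioning step so that a parsing regression like the one above surfaces as a logged, refused login instead of a half-created user.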
Version 6.7.0 has been withdrawn from the marketplace. Please downgrade to the previous version (6.6.3) and await the patch, which will be released as version 6.7.1. If you have trouble downgrading or get errors in the Manage apps section, see the following guide on downgrading to a stable version: Reverting Kantega SSO Enterprise to a stable version
Downloads for previous stable version
Jira
Download Kantega SAML SSO OIDC Kerberos Single Sign-on 6.6.3 for Jira Data Center
Download Kantega SAML SSO OIDC Kerberos Single Sign-on 6.6.3 for Jira Server
Confluence
Download Kantega SAML SSO OIDC Kerberos Single Sign-on 6.6.3 for Confluence Data Center
Download Kantega SAML SSO OIDC Kerberos Single Sign-on 6.6.3 for Confluence Server
Bitbucket
Bamboo