Bug in KSSO version 6.7.0: OIDC Just-in-time provisioning

Subscribe to our security and critical updates mailing list if you want to receive announcements like this by email.

Date published

2023-02-23

Summary

A bug in Kantega SSO Enterprise version 6.7.0 breaks login when using OIDC with just-in-time (JIT) user provisioning.

Affected apps

Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira
Kantega SAML SSO OIDC Kerberos Single Sign-on for Confluence
Kantega SAML SSO OIDC Kerberos Single Sign-on for Bitbucket
Kantega SAML SSO OIDC Kerberos Single Sign-on for Bamboo

Affected version

Kantega SSO Enterprise version 6.7.0

Affected product feature

Identity Providers > OIDC

We have received reports that a bug has been found in the OpenID Connect login in version 6.7.0. This leads to a broken login when running just-in-time user provisioning. Downgrade is recommended until an update is published.

Details

Because of an error in the parsing of attributes from the ID token, introduced with the new feature in 6.7.0, all non-username attributes (such as email, groups and other data) are excluded from the data parsed during login. This breaks just-in-time user provisioning and group assignment, since that data is lost along the way.

This will in some cases lead to a broken login, and users will not be able to log into the respective Atlassian system. So far it seems like this bug only affects installations that are running just-in-time user provisioning in their OIDC setup.
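To make the failure mode concrete, here is an added illustration (not Kantega's code, and not how the app maps attributes internally) of an ID token claim mapper. One variant keeps only the username claim, which is what the advisory describes; the other keeps the attributes that JIT provisioning needs and refuses to proceed when they are missing. The claim names "preferred_username", "email" and "name" are standard OIDC claims and "groups" is a common identity-provider extension; the actual attribute mapping in an installation is configured by the administrator, so these names are assumptions. The sample token is constructed and unsigned, purely for offline inspection.

```python
import base64
import json

# Claim names assumed for this illustration (the real mapping is configured per installation).
USERNAME_CLAIM = "preferred_username"
JIT_CLAIMS = ("email", "groups")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_id_token(claims: dict) -> str:
    """Build a constructed, unsigned ID token (alg "none") for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def id_token_claims(id_token: str) -> dict:
    """Return the claim set of a compact-serialized JWT.

    Signature, issuer, audience and expiry validation are the OIDC library's job
    and happen before this point; this function only reads the claims.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    return json.loads(_b64url_decode(parts[1]))


def map_username_only(claims: dict) -> dict:
    """The failure mode described above: every claim except the username is
    dropped, so there is nothing left to provision the user or assign groups with."""
    return {"username": claims[USERNAME_CLAIM]}


def missing_jit_claims(claims: dict) -> list:
    """List the claims JIT provisioning needs that are absent from the token."""
    return [c for c in (USERNAME_CLAIM,) + JIT_CLAIMS if c not in claims]


def map_for_jit_provisioning(claims: dict) -> dict:
    """Correct mapping: carry the JIT attributes through, and fail loudly when
    they are absent rather than silently creating an empty user."""
    missing = missing_jit_claims(claims)
    if missing:
        raise ValueError(f"ID token lacks claims required for JIT provisioning: {missing}")
    return {
        "username": claims[USERNAME_CLAIM],
        "email": claims["email"],
        "display_name": claims.get("name", claims[USERNAME_CLAIM]),
        "groups": sorted(claims["groups"]),
    }


def provisioning_record_complete(record: dict) -> bool:
    """Self-check: does the mapped record carry what JIT provisioning and
    group assignment need? Returns False for the username-only mapping."""
    return bool(record.get("username")) and bool(record.get("email")) and bool(record.get("groups"))


# Constructed sample claims; not captured from any real identity provider.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.test",
    "sub": "a1b2c3",
    "preferred_username": "jdoe",
    "name": "Jane Doe",
    "email": "jdoe@example.test",
    "groups": ["jira-users", "confluence-users"],
}


if __name__ == "__main__":
    claims = id_token_claims(make_unsigned_id_token(SAMPLE_CLAIMS))
    print("username-only mapping usable for JIT?", provisioning_record_complete(map_username_only(claims)))
    print("full mapping usable for JIT?", provisioning_record_complete(map_for_jit_provisioning(claims)))
```

The point of `provisioning_record_complete` is the check an administrator would want after any upgrade that touches attribute parsing: confirm, against a test login, that email and group membership actually reach the provisioning step rather than discovering it through locked-out users.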


Version 6.7.0 has been withdrawn from the marketplace. Please downgrade to the previous version (6.6.3) and await the patch, which will be released as version 6.7.1. If you have trouble downgrading or get errors in the Manage apps section, please see this process on how to downgrade to a stable version: https://kantega-sso.atlassian.net/wiki/spaces/KSE/pages/1099300916

Downloads for previous stable version

Jira

Confluence

Bitbucket

Bamboo