Forced SSO and MFA

These settings apply to SAML, OpenID Connect, and Windows Integrated Authentication (Kerberos) and are found under the “Common” menu.

Disable traditional username/password login

Kantega Single Sign-on does not prevent the usage of traditional username/password login by default. Any user can cancel SSO and log in manually, provided they are provisioned in a way that gives them passwords in the first place. This can sometimes be undesirable, for example, when users are provisioned through AD/LDAP where passwords are available - but the organization wishes to require the use of 2FA or SmartCard.

To disable traditional username/password login, go into the Kantega SSO configuration page. Under Common > Disable traditional login, you find a toggle box to enforce SSO.

By disabling username and password login, the username and password fields will be removed from login pages, making it impossible for users to authenticate through the standard login forms.

There is also a toggle box for disabling BasicAuth API requests. With this disabled, integrations you have must use OAuth.

If traditional login is disabled, you will no longer let you log in to an administrator account using username and password. Even so, retaining an admin account and password in the Internal directory is highly recommended as a backup in case you need to restore SSO functionality. If necessary, you may re-enable password login by deleting the following file on your Atlassian product server:

1 <atlassian_home_folder>/kerberos/disable_username_password_login.txt

It takes up to one minute for change to take effect if you disable it by removing the file and on other cluster nodes if applicable.

Please note that only the standard login forms are disabled, not the core password/directory system. Username and password login may still be usable through third-party plugins/applications if they run their own password validation.

Forced SSO URLs

Kantega Single Sign-on will, by default, only authenticate users where your Atlassian product would otherwise require them to log in with a username and password.

By activating Forced SSO URLs, users may be logged in also on pages that normally do not require this.

You find a form specifying forced SSO URLs under Common > Forced SSO URLs.