FAQ about the SSO for Atlassian Data Center App
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
We frequently receive questions about how the SSO for Atlassian Data Center app functions and how it handles specific parameters. To help address these concerns, please review the following questions and answers, which have been pulled from what our Jira On-Prem Support Team sees most frequently.
Question | Answer |
---|---|
What XML parser is used for parsing XML documents in the SAML authentication response? Please provide information on how Document Type Definition (External entities) are handled by the parser. | The SSO for Atlassian Data Center app utilizes the XML Parser: org.apache.xml.security.parser. External entities are ignored with an error stored in Jira's log file. The entity must match what was entered during initial setup. |
How is the RelayState parameter used in the SAML flow? | The RelayState is tracked as a GUID value and included in the SAML HTTP parameters, but it is not utilized by the SSO for Atlassian Data Center app. Redirects included in the RelayState are also ignored; the os_destination parameter from the Atlassian SP directs users to their destination. |
For an authentication request sent as part of an SP-initiated SAML flow, what is the length, complexity and entropy of the ID of the authentication request generated by the SP? | The ID is a randomly generated string conforming to the xsd:ID datatype. It contains 160 bits of non-cryptographically strong pseudo-randomness, as suggested by SAML 2.0 core 1.2.3. |
For an authentication request sent as part of an SP-initiated SAML flow, are you using IssueInstant in the authentication request so that an IdP can use that as a validity window for authentication requests? | The SSO for Atlassian Data Center app does utilize the IssueInstant in the authentication request. Currently, it uses current date (new Date()) for IssueInstant. |
For an authentication request sent as part of an SP-initiated SAML flow, is the authentication request signed? If yes, what algorithm is used to generate the SAML signature? | The authentication request sent as part of an SP-initiated SAML flow is not signed, but we are working on implementing this feature request. You can track our development progress in: SAMLDC-57 - SAML AuthnRequest should be signed |
For an authentication request sent as part of an SP-initiated SAML flow, is the request sent over a secure connection? | The SSO for Atlassian Data Center app requires the use of HTTPS to secure the authentication request as a part of SP-initiated sessions. The connection is secured using TLS established between parties. |
What are the SAML conditions that are validated in an incoming SAML authentication response? | The SSO for Atlassian Data Center app checks that the response details are valid based on the setup and the initial request. The issuer is compared to the issuer configured in the app. The app also checks that the signature is valid. Additionally, it compares the user and attributes in the response and matches them against the appropriate values within the Atlassian product. |
How do you ensure that the authentication responses received from the IdP are for valid and relevant requests? | The SSO for Atlassian Data Center app is set up with a specific entity, and requests are signed. If the received values are incorrect, the request is denied and an event is logged in the Atlassian application. |
Do you perform schema validation on the SAML authentication response prior to using its contents? If yes, please specify how it's performed | The SSO for Atlassian Data Center app currently does not perform schema validation on the SAML authentication response prior to using its contents. |
While validating SAML authentication response signatures, do you use the public key from the SAML authentication response, or is the key obtained using out-of-band secure means? | The SSO for Atlassian Data Center app uses the public key from the SAML authentication response to validate response signatures. See: SAML Single Sign On for Atlassian Data Center Products for additional information. |
Are the SAML signatures validated when an authentication response is delivered to the Service Provider (SP) to ensure it has not been tampered with? | Yes, the SSO for Atlassian Data Center app validates signatures when the authentication response is delivered. |
What attributes are used to limit the scope of the cookie in which the session identifier is stored? | Please see the following Knowledge Article to help address this cookie-based question: Jira Application Cookies. Additional information for other Atlassian products can be found here. |
For a web application, how is the session identifier generated? Please specify the size and entropy of the session identifier generated. | Please see the following Knowledge Article to help address this cookie-based question: Jira Application Cookies. Additional information for other Atlassian products can be found here. |
Specify all the instances when the application regenerates the session identifier. Some common examples are: before starting a new session, on change of user role, after a successful step-up authentication, and so on. | Please see the following Knowledge Article to help address this cookie-based question: Jira Application Cookies. Additional information for other Atlassian products can be found here. |
What controls are implemented to restrict access to objects of another user or role? Specify the control used to restrict access, such as randomization of object references, server-side validation, etc. | Atlassian products restrict access to other users' objects through users and groups, which are validated by the application. |
When processing API requests, what input validation checks are performed on the server-side? | Please review our Developer Guides and API Documentation for additional information about how each product manages API Requests: Atlassian Developer Start |
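The following Python example is added here and is not part of the SSO for Atlassian Data Center app or of this article. It puts the SP-side behaviour the table describes into working code: a 160-bit AuthnRequest ID that is a valid xsd:ID, an IssueInstant taken from the current time, a parse step that refuses any DTD before the XML parser sees the message, and the response checks the answers mention (issuer comparison, matching the response to an outstanding request, the validity window, and the audience restriction). The IdP response, entity IDs and URLs are constructed for the demo, and the ID uses a CSPRNG where the table says the app uses a pseudo-random generator. Signature verification is left to an XML-DSig library and is not implemented here.

```python
# Added example, not Atlassian's code. SP-side SAML pieces: a 160-bit
# AuthnRequest ID, IssueInstant from the current time, a DTD-refusing
# parse step and the checks run on an incoming Response. All XML, entity
# IDs and URLs below are constructed for the demo.
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def new_request_id() -> str:
    """160 bits from a CSPRNG; the '_' prefix keeps the value a valid xsd:ID,
    which (like any NCName) must not start with a digit."""
    return "_" + secrets.token_hex(20)  # 20 bytes = 160 bits

def build_authn_request(sp_entity_id: str, acs_url: str, now: datetime) -> tuple:
    """Return (request_id, xml); IssueInstant is simply the current UTC time."""
    req_id = new_request_id()
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'Version="2.0" ID="{req_id}" IssueInstant="{now.strftime(TIME_FMT)}" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>"
    )
    return req_id, xml

def parse_saml_xml(xml_text: str) -> ET.Element:
    """Refuse any DTD up front so neither external entities nor entity
    expansion ever reaches the parser; a SAML message never needs one."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in SAML message")
    return ET.fromstring(xml_text)

def _instant(value: str) -> datetime:
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)

def validate_response(root: ET.Element, expected_issuer: str, expected_audience: str,
                      outstanding_ids: set, now: datetime,
                      skew: timedelta = timedelta(minutes=3)) -> list:
    """Return the list of failure reasons; an empty list means the response passed."""
    failures = []
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        failures.append("issuer mismatch")
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_ids:
        failures.append("InResponseTo does not match an outstanding AuthnRequest")
    else:
        outstanding_ids.discard(in_response_to)  # one-shot: a replayed response fails here
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        failures.append("assertion has no Conditions element")
        return failures
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _instant(not_before):
        failures.append("assertion not yet valid")
    if not_on_or_after and now - skew >= _instant(not_on_or_after):
        failures.append("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        failures.append("audience restriction does not name this SP")
    return failures

def sample_response(req_id: str) -> str:
    """Constructed, unsigned IdP response used only by the demo."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" InResponseTo="{req_id}" IssueInstant="2024-05-01T12:00:05Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:05Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://jira.example.test</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def demo() -> dict:
    """A good login, a replay of the same response, a late presentation and a wrong issuer."""
    idp, sp = "https://idp.example.test/metadata", "https://jira.example.test"
    now = datetime(2024, 5, 1, 12, 0, 10, tzinfo=timezone.utc)
    req_id, _ = build_authn_request(sp, sp + "/saml/acs", now)  # ACS path is made up
    outstanding = {req_id}
    root = parse_saml_xml(sample_response(req_id))
    results = {"ok": validate_response(root, idp, sp, outstanding, now)}
    results["replay"] = validate_response(root, idp, sp, outstanding, now)
    results["late"] = validate_response(root, idp, sp, {req_id}, now + timedelta(hours=1))
    results["wrong_issuer"] = validate_response(root, "https://other.example.test", sp, {req_id}, now)
    return results

if __name__ == "__main__":
    print(demo())
```

The set of outstanding request IDs is what ties a response to "a valid and relevant request": each ID is consumed on first use, so presenting the same response twice fails the InResponseTo check even though its signature and conditions would still be good. When the signature check is wired in, the key it verifies against should be the IdP certificate configured for the app rather than whatever the message carries; the InResponseTo and condition checks above are not a substitute for a trustworthy signature.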
Please know that all data is subject to change as we continue to enhance the Atlassian SSO for Data Center plugin. We will do our best to keep this updated as related requests are implemented within the App.