Application Links not working behind third party SSO


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

Application links configured on Atlassian applications that run behind a third-party SSO application are not working.

If you are trying to link Jira to a Confluence instance, or to another Jira instance, while running behind a third-party SSO, the Jira instance initiating the application link will report errors while trying to set up the application link.

Enabling debug logging on the org.apache.http package shows logs similar to the following:

[http.conn.ssl.SSLConnectionSocketFactory] Starting handshake
[http.conn.ssl.SSLConnectionSocketFactory] Secure session established
[http.conn.ssl.SSLConnectionSocketFactory]  negotiated protocol: TLSv1.2
[http.conn.ssl.SSLConnectionSocketFactory]  negotiated cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
[http.conn.ssl.SSLConnectionSocketFactory]  peer principal: CN=jira.example.com, OID.2.5.4.72=XXX, T=XXX - XXXXXXX, OU=XXXXXXXXXX, O=XXX
[http.conn.ssl.SSLConnectionSocketFactory]  issuer principal: CN=OOOOOOOO, OU=OOOO, OU=OOOOOOOOOOO, O=OOO
[http.impl.conn.DefaultHttpClientConnectionOperator] Connection established 10.1.1.4:51460<->10.1.1.2:443
[http.impl.conn.DefaultManagedHttpClientConnection] http-outgoing-2276: set socket timeout to 10000
[http.impl.execchain.MainClientExec] Executing request GET /plugins/servlet/oauth/consumer-info HTTP/1.1
[http.impl.execchain.MainClientExec] Target auth state: UNCHALLENGED
[http.impl.execchain.MainClientExec] Proxy auth state: UNCHALLENGED
[org.apache.http.headers] http-outgoing-2276 >> GET /plugins/servlet/oauth/consumer-info HTTP/1.1
[org.apache.http.headers] http-outgoing-2276 >> Accept: application/xml
[org.apache.http.headers] http-outgoing-2276 >> Host: Jira.local
[org.apache.http.headers] http-outgoing-2276 >> Connection: Keep-Alive
[org.apache.http.headers] http-outgoing-2276 >> User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_102)
[org.apache.http.headers] http-outgoing-2276 >> Accept-Encoding: gzip,deflate
[org.apache.http.wire] http-outgoing-2276 >> "GET /plugins/servlet/oauth/consumer-info HTTP/1.1[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 >> "Accept: application/xml[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 >> "Host: jira-cmt.staging.echonet[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 >> "Connection: Keep-Alive[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 >> "User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_102)[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 >> "Accept-Encoding: gzip,deflate[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 >> "[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 << "HTTP/1.1 302 Found[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 << "Date: Tue, 09 Oct 2018 08:31:22 GMT[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 << "Cache-Control: no-store, max-age=86400[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 << "Location: https://ssoapp.local/login_page"
[org.apache.http.wire] http-outgoing-2276 << "Expires: Wed, 10 Oct 2018 08:31:22 GMT[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 << "Content-Length: 437[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 << "Keep-Alive: timeout=10, max=400[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 << "Connection: Keep-Alive[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 << "Content-Type: text/html; charset=iso-8859-1[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 << "[\r][\n]"
[org.apache.http.headers] http-outgoing-2276 << HTTP/1.1 302 Found
[org.apache.http.headers] http-outgoing-2276 << Date: Tue, 09 Oct 2018 08:31:22 GMT
[org.apache.http.headers] http-outgoing-2276 << Cache-Control: no-store, max-age=86400
[org.apache.http.headers] http-outgoing-2276 << Location: https://ssoapp.local/login_page

Diagnosis

Environment

  • Two or more Atlassian applications are to be linked together, e.g. Jira and Confluence, or Jira and another Jira.

  • At least 1 of the 2 Atlassian applications is integrated with a third-party SSO.

Diagnostic Steps

  • Enable debug logging on the package org.apache.http, and inspect the logs for unexpected redirects.


Cause

The third-party SSO application intercepts any request to the Atlassian application that does not carry a valid identity token, and redirects that request to the SSO application login page.

The Atlassian application does not expect this behavior: the applications are not designed to handle the redirect, and cannot communicate with the third-party SSO application.

As a result, the handshake for creating the application link fails.

Workaround

There are 2 things we can do to work around this problem:


  • To avoid the situation entirely, configure the SSO application to skip intercepting the URLs that are used for application link functionality; that is, whitelist those URLs on the SSO application side.


    • This ensures that the Atlassian application starting the application link handshake doesn't get an unexpected redirect.

    • Below is the list of URLs to whitelist:

      /plugins/servlet/oauth/access-token
      /plugins/servlet/oauth/request-token 
      /plugins/servlet/oauth/consumer-info 
      /plugins/servlet/streams 
      /plugins/servlet/applinks/whoami 
      /sr/jira.issueviews:searchrequest 
      /secure/RunPortlet 
      /rest 
      /rpc/soap 
      /download/resources/com.duosecurity.jira.plugins.duo-twofactor:resources/ 
      /download/resources/com.duosecurity.confluence.plugins.duo-twofactor:resources/ 
      /rest/gadget/1.0/login 
      /rpc/xmlrpc
      /pages
      /display

      Note that any access to these URLs will not go through the SSO application.

  • Alternatively, whitelist the IP addresses of all the Atlassian application servers on the SSO application side. This way, only requests between the applications bypass SSO, while all other external requests still pass through the SSO application.
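
One way to automate the diagnostic step, as an added example that is not part of the original article or any Atlassian tooling: it scans org.apache.http.headers debug lines for 3xx responses whose Location points to a different host than the request, and marks whether the request path is covered by the Workaround list above. The sample log is constructed, and the prefix match assumes the application runs without a context path.

```python
import re
from urllib.parse import urlsplit

# Path prefixes from this page's Workaround list (assumes no servlet context path).
APPLINK_PREFIXES = tuple("""
/plugins/servlet/oauth/access-token /plugins/servlet/oauth/request-token
/plugins/servlet/oauth/consumer-info /plugins/servlet/streams
/plugins/servlet/applinks/whoami /sr/jira.issueviews:searchrequest
/secure/RunPortlet /rest /rest/gadget/1.0/login /rpc/soap /rpc/xmlrpc /pages /display
/download/resources/com.duosecurity.jira.plugins.duo-twofactor:resources/
/download/resources/com.duosecurity.confluence.plugins.duo-twofactor:resources/
""".split())
HEADER = re.compile(r"\[org\.apache\.http\.headers\] (http-outgoing-\d+) (>>|<<) (.*)")

def find_sso_redirects(log_lines):
    """Return 3xx responses whose Location host differs from the request Host."""
    state, findings = {}, []
    for line in log_lines:
        m = HEADER.search(line)
        if not m:
            continue
        conn, direction, text = m.group(1), m.group(2), m.group(3).strip()
        cur = state.setdefault(conn, {})
        name, _, value = text.partition(":")
        if direction == ">>" and re.match(r"[A-Z]+ \S+ HTTP/", text):
            state[conn] = {"path": text.split()[1]}  # new request resets this connection
        elif direction == ">>" and name.lower() == "host":
            cur["host"] = urlsplit("//" + value.strip()).hostname  # lowercased, port dropped
        elif direction == "<<" and re.match(r"HTTP/\S+ \d{3}", text):
            cur["status"] = int(text.split()[1])
        elif direction == "<<" and name.lower() == "location" and 300 <= cur.get("status", 0) < 400:
            target = urlsplit(value.strip()).hostname  # None for a relative (same-host) redirect
            if target and target != cur.get("host"):
                path = cur.get("path", "")
                findings.append({"conn": conn, "path": path, "redirect_host": target,
                                 "in_workaround_list": path.startswith(APPLINK_PREFIXES)})
    return findings

# Constructed sample, modelled on the log excerpt in the Problem section.
SAMPLE_LOG = """\
[org.apache.http.headers] http-outgoing-1 >> GET /plugins/servlet/oauth/consumer-info HTTP/1.1
[org.apache.http.headers] http-outgoing-1 >> Host: Jira.local
[org.apache.http.headers] http-outgoing-1 << HTTP/1.1 302 Found
[org.apache.http.headers] http-outgoing-1 << Location: https://ssoapp.local/login_page
[org.apache.http.headers] http-outgoing-2 >> GET /rest/api/2/serverInfo HTTP/1.1
[org.apache.http.headers] http-outgoing-2 >> Host: jira.local
[org.apache.http.headers] http-outgoing-2 << HTTP/1.1 200 OK
"""

if __name__ == "__main__":
    for finding in find_sso_redirects(SAMPLE_LOG.splitlines()):
        print(finding)
```

A finding with in_workaround_list set to True after the whitelist has been applied means the SSO application is still intercepting that path.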



Description: Jira application links to Atlassian applications configured to use a third-party single sign-on (SSO) are not working
Product: Jira Core

Last modified on May 8, 2023
