Bypass SAML authentication for Jira Data Center


Purpose

It's possible to bypass SAML authentication if the product is configured to allow bypassing and a special query parameter, auth_fallback, is provided.

The URL to display the login page is <BASE_URL>/login.jsp?auth_fallback, but an admin needs to enable authentication fallback first.

The parameter works only on the Jira Core/Software login page URL and is useful for troubleshooting SAML issues. If the application is configured to allow bypassing SAML authentication, the user will land on the regular login page. If the configuration does not allow auth_fallback, the regular SAML flow is initiated instead.

Warning: the auth_fallback parameter is not intended to be appended to the Service Management portal login page (servicedesk/customer/user/login?destination=portals&auth_fallback). In that case, use the Jira login.jsp page; the user will be redirected to Service Management as the configuration allows.

Solution A. Enable auth_fallback via the REST API

In order to make use of the auth_fallback functionality, the relevant flag (enable-authentication-fallback, allow-redirect-override, or allow-saml-redirect-override, depending on your SSO app version and Jira version) needs to be enabled via the REST API.

Using curl

For SSO for Atlassian Server and Data Center 4.2.0 and newer

curl -vvv -k -L -u admin_username -X PATCH <Jira-Base-URL>/rest/authconfig/1.0/sso \
    -H 'Content-Type: application/json' \
    -d '{"enable-authentication-fallback": true}'

For SSO for Atlassian Server and Data Center v4 and newer (By default in Jira DC 8.6 and newer)

curl -vvv -XPUT <BASE_URL>/rest/authconfig/1.0/sso -H 'Content-Type: application/json' -d '{"allow-redirect-override": true}' -u admin_username

For SSO for Atlassian Server and Data Center v3 and older (By default in Jira DC 8.5 and older)

curl -vvv -XPUT <BASE_URL>/rest/authconfig/1.0/saml -H 'Content-Type: application/json' -d '{"allow-saml-redirect-override": true}' -u admin_username

Using REST client with a GUI such as Postman

  1. Download Postman for your browser (or use your own if you have an alternate REST client)
  2. Open Postman
  3. Select GET from the dropdown menu and select Basic Auth from the Authorization tab (enter the admin credentials)
  4. Enter the following URL, modified for your environment and SSO for Atlassian Server and Data Center app version:

This should return something like the following after clicking SEND:

{
  "sso-url": "https://dev-486166.oktapreview.com/app/jeancodev486166_jiradc_1/exk9awjfupbFE8VQp0h7/sso/saml",
  "sso-issuer": "http://www.okta.com/exk9awjfupbFE8VQp0h7",
  "certificate": "MIIDpDCCAoygAwIBAgIGAVl1oNWbMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00ODYxNjYxHDAaBgkqhkiG9w0BCQEW\nDWluZm9Ab2t0YS5jb20wHhcNMTcwMTA2MjExMjExWhcNMjcwMTA2MjExMzExWjCBkjELMAkGA1UE\nBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV\nBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDg2MTY2MRwwGgYJ\nKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\nn5+MbxEb0rRA5kDBxVvzNRO3otJS7UMB3ldTEqivmieXvkXiSLjVYQJr7gbg+OYAX12V35HmrIs6\nRiT/d4trsePI09hRjQD2eMXsd11v1eKmoyAbsV026LZTHoVpXZQyeK383chJLEp2G6lRVdA/uFpP\nj5OCSiB5jVhEdRXymbfeESecMbh5YJu9H025sDBiqyzDHmZXunPdmJ0fyFpY9Q98bMfi7KUICHff\nlncSYQRDYax17wTO/2Nu4akWVESiBaedBlXAKuEOoB26ysxbQiUATOJTKodiGydyxLAlk2DV+Uzz\nDAeN8mQw7y4MArrSDqTWnTbtg3SJl6e0Ho/CGQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBNy/LR\nG85t3nuk4bnh2XRWtOXlSKtq6fVMAtJ4kd8vxB8M8DyFWDIaoXTd35COs1p2LX176hdBKjgau8Ux\nNUOJ3MIOw8qQAwFWguBHFWYhrcgDCVtCvz3wLIBRZehW/tX2ah+M8ATsn8oLPHaL2W11Z0JOiEcV\nIdAu6CyR1iDcVjCT7DV3h8aUWaLjfnfcJasEqiTEs2DH1d8E+GdW/lWaGiAdVlnxmxv5rvkwFxvZ\nDJyk2VPxZmFVdK16cUbPgnk5Bge7wnNaQZOUBmUZKAKmzeA+22lhKPpv8IGTIwEpcoUHggAdhvrT\nHfcvAs4OyFQgeaBA5//UjZVa/MfAFmqP",
  "user-attribute": null,
  "allow-saml-redirect-override": false,
  "include-customer-logins": false,
  "redirect-on-login": false,
  "enable-remember-me": false
}

We will need to update the allow-redirect-override or allow-saml-redirect-override field to true.

  1. To do this, open a new tab in Postman
  2. Select PUT from the dropdown and enter the URL:
  3. Select Basic Auth from the Authorization tab and enter the credentials for the admin account
  4. Go to the Body tab, select the Raw radio button, and select JSON from the dropdown menu.

Use the result of the GET request as a reference, and set allow-redirect-override or allow-saml-redirect-override to true:

{
  "allow-saml-redirect-override": true
}


You should get a 200 or 304 status when pressing the Send button. You will now be able to access <BASE_URL>/login.jsp?auth_fallback to bypass SAML. Remember to set the flag back to false once the maintenance has been completed, in order to restore the intended behavior.


Warning: if the curl command fails with the error 'Closing connection 0curl: (60) SSL certificate problem: unable to get local issuer certificate', you will need to run curl with the -k option, which skips TLS certificate verification for that request:

curl -vvv -XPUT -k <BASE_URL>/rest/authconfig/1.0/saml -H 'Content-Type: application/json' -d '{"allow-saml-redirect-override": true}' -u admin_username
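As an added example (not code from the article or from Atlassian), the following POSIX shell helpers wrap the REST steps from both the curl and Postman parts of Solution A: they read the SSO config, pick whichever of the three flag names the installed SSO app version exposes, toggle it with the matching endpoint and method, and audit that it has been set back to false. The base URL, the "user:password" credential string, the function names and the sample JSON are assumptions.

```shell
#!/bin/sh
# Added audit/toggle helper for the auth_fallback flag (example code, not Atlassian's).
# Assumes the caller passes the Jira base URL and an admin "user:password" string.
# Name of whichever fallback flag the SSO config JSON contains: one of the three
# key names the article lists, depending on the SSO app version. Fails if none.
fallback_flag_name() {
  for key in enable-authentication-fallback allow-redirect-override allow-saml-redirect-override; do
    if printf '%s\n' "$1" | grep -q "\"$key\""; then echo "$key"; return 0; fi
  done
  return 1
}
# Current value of that flag ("true" or "false") read from the JSON body.
fallback_flag_value() {
  key=$(fallback_flag_name "$1") || return 1
  printf '%s\n' "$1" | sed -n "s/.*\"$key\"[[:space:]]*:[[:space:]]*\([a-z]*\).*/\1/p" | head -n 1
}
# Endpoint and HTTP method the article's curl commands use for each flag.
flag_endpoint() {
  case "$1" in
    enable-authentication-fallback) echo "sso PATCH" ;;
    allow-redirect-override)        echo "sso PUT" ;;
    allow-saml-redirect-override)   echo "saml PUT" ;;
    *) return 1 ;;
  esac
}
# Fetch the live config: try the v4+ /sso endpoint first, then the v3 /saml one.
fetch_sso_config() {
  for path in sso saml; do
    curl -sSf -u "$2" "$1/rest/authconfig/1.0/$path" && return 0
  done
  return 1
}
# Set the flag to "$4" (true/false); call with false to close the bypass after troubleshooting.
set_fallback() {
  ep=$(flag_endpoint "$3") || return 1
  path=${ep% *}; method=${ep#* }
  curl -sSf -u "$2" -X "$method" "$1/rest/authconfig/1.0/$path" \
    -H 'Content-Type: application/json' -d "{\"$3\": $4}"
}
# Returns 1 when the bypass is enabled, so it can run as a scheduled check.
audit_fallback() {
  val=$(fallback_flag_value "$1") || { echo "no fallback flag found"; return 2; }
  [ "$val" = "true" ] && { echo "WARNING: auth_fallback bypass is enabled"; return 1; }
  echo "ok: auth_fallback disabled"
}
# Constructed sample of the GET response (certificate omitted) for offline use.
SAMPLE_CONFIG='{ "sso-url": "https://idp.example.invalid/sso/saml",
  "allow-saml-redirect-override": false, "include-customer-logins": false }'
# Live usage: audit_fallback "$(fetch_sso_config https://jira.example.invalid admin:secret)"
```

Run audit_fallback from a scheduled job against a production instance so a flag left at true after maintenance is noticed.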

Solution B. Enable auth_fallback via the DB


If you're unable to access the URL above, there is a database workaround. It has been tested on both Postgres and MySQL. Before using any database workaround, make sure there is a viable backup of the database.

The following directly manipulates the database to enable the auth_fallback flag manually. It also requires a restart of Jira.


  1. Stop Jira
  2. Run the following query to determine the ID to update in the database:

     select propertyentry.id from propertyentry join propertystring on propertyentry.id=propertystring.id where property_key='com.atlassian.plugins.authentication.samlconfig.allow-saml-override';

  3. If the query above does not return any value, run this query instead:

     select propertyentry.id from propertyentry join propertystring on propertyentry.id=propertystring.id where property_key='com.atlassian.plugins.authentication.sso.config.allow-redirect-override';

One of the queries above should return an ID like so:

  id  
-------
 17074
(1 row)

Now use that ID to update the property and allow the auth_fallback URL. Take the ID and insert it into the following query:

update propertystring set propertyvalue = 'true' where id=17074;

Warning: the ID is 17074 in this example; your ID will vary depending on the result of the query you ran above.

  1. Start Jira
  2. You should now be able to access <BASE_URL>/login.jsp?auth_fallback (replace or remove the 'contextPath' as it relates to your instance)

Last modified on Apr 30, 2021
