Can't log in to Jira mobile app with SSO/AD FS due to Windows Integrated Authentication misconfiguration

Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.

Problem

The app either throws an error or shows a blank page when a user tries to log in via SSO/AD FS.

This problem affects both the Jira and Confluence Server and Data Center mobile apps. 

Cause

As per the KB article from Microsoft:

By default, Windows Integrated Authentication (WIA) is enabled in Active Directory Federation Services (AD FS) in Windows Server for authentication requests that occur within the organization's internal network (intranet) for any application that uses a browser for its authentication.

We don’t support Windows Integrated Authentication yet, but it is still being used by your server because the app’s User-Agent header matches the user-agent components defined in your server’s WIASupportedUserAgents setting.

For both iOS and Android, we compose the User-Agent header value by concatenating the standard WebView User-Agent and a unique app identifier.

User-Agent format examples

iOS User-Agent

Format
Mozilla/5.0 (<system-information>) <platform> (<platform-details>) Safari/<technical-version> AtlassianMobileApp
Example
Mozilla/5.0 (iPhone; CPU iPhone OS 14_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Safari/604.1 AtlassianMobileApp

Android User-Agent

Format
Mozilla/5.0 (<system-information>) <platform> (<platform-details>) AtlassianMobileApp
Example
Mozilla/5.0 (Linux; Android 9; Mi A1 Build/PKQ1.180917.001) AppleWebKit/537.36 (KHTML, like Gecko) AtlassianMobileApp

Resolution

This resolution requires your users to be running the following app versions:

  • Confluence Server and Data Center app v 1.24 and later (iOS) and v 0.14 (Android)
  • Jira Server and Data Center app v 1.27 and later (iOS) and v 0.21.6 (Android)

To resolve this issue, you will need to exclude the User-Agent from WIASupportedUserAgents. See Configuring intranet forms-based authentication for devices that do not support WIA in the Microsoft documentation to find out how to do this.

For instance, if you have “Mozilla/5” listed in your WIA user-agent string components, you might consider using the regex match feature (available in Windows Server 2016 or later) to enable WIA for anything but AtlassianMobileApp.

=~^(?!.*AtlassianMobileApp)Mozilla\/5.*

Alternatively, you can achieve the same result by replacing the broad “Mozilla/5” component with narrower ones:

  • Mozilla/5.0 (Macintosh

  • Mozilla/5.0 (Windows

This way only requests coming from Windows or macOS will be redirected to WIA. The mobile apps won’t go through WIA.
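An offline check for the two options above, as an added example that is not part of the original article: it tests the article's sample User-Agents plus two constructed desktop ones against each candidate list. The function name Test-WiaMatch and the matching model (plain entries as case-sensitive substrings, "=~" entries as regular expressions) are assumptions and do not reproduce AD FS's own matcher.

```powershell
# Added example (not Atlassian or Microsoft code). Assumed matching model:
# a plain entry is a case-sensitive substring of the User-Agent, and an
# entry starting with "=~" is a regular expression.
function Test-WiaMatch {
    param([string]$UserAgent, [string[]]$SupportedAgents)
    foreach ($entry in $SupportedAgents) {
        if ($entry.StartsWith('=~')) {
            if ($UserAgent -cmatch $entry.Substring(2)) { return $true }
        } elseif ($UserAgent.Contains($entry)) {
            return $true
        }
    }
    return $false
}

# Mobile strings are the article's examples; desktop strings are constructed.
$samples = [ordered]@{
    'iOS app'     = 'Mozilla/5.0 (iPhone; CPU iPhone OS 14_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Safari/604.1 AtlassianMobileApp'
    'Android app' = 'Mozilla/5.0 (Linux; Android 9; Mi A1 Build/PKQ1.180917.001) AppleWebKit/537.36 (KHTML, like Gecko) AtlassianMobileApp'
    'Windows'     = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0 Safari/537.36'
    'macOS'       = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Safari/605.1.15'
}

# The broad component that causes the problem, then the article's two fixes.
$candidates = [ordered]@{
    'broad'    = @('Mozilla/5')
    'regex'    = @('=~^(?!.*AtlassianMobileApp)Mozilla\/5.*')
    'narrowed' = @('Mozilla/5.0 (Macintosh', 'Mozilla/5.0 (Windows')
}

foreach ($list in $candidates.Keys) {
    foreach ($client in $samples.Keys) {
        $wia = Test-WiaMatch -UserAgent $samples[$client] -SupportedAgents $candidates[$list]
        '{0,-9} {1,-12} WIA={2}' -f $list, $client, $wia
    }
}

# Applying the regex option on the AD FS server (left commented out on purpose).
# Assumes 'Mozilla/5' is the literal entry in your list; other entries are kept.
# $current = (Get-AdfsProperties).WIASupportedUserAgents
# $new = @($current | Where-Object { $_ -ne 'Mozilla/5' }) + '=~^(?!.*AtlassianMobileApp)Mozilla\/5.*'
# Set-AdfsProperties -WIASupportedUserAgents $new
```

A candidate list is suitable when both app rows report WIA=False while the desktop rows report WIA=True.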

Not an admin? Send this page to your administrator and ask them to investigate the issue for you.

Product: Jira
Last modified on Aug 20, 2021
