Can't log in to Jira mobile app with SSO/AD FS due to Windows Integrated Authentication misconfiguration
Platform Notice: Server and Data Center Only. This article only applies to Atlassian products on the server and data center platforms.
The app either throws an error or shows a blank page when a user tries to log in via SSO/AD FS.
This problem affects both the Jira and Confluence Server and Data Center mobile apps.
As per the KB article from Microsoft:
By default, Windows Integrated Authentication (WIA) is enabled in Active Directory Federation Services (AD FS) in Windows Server for authentication requests that occur within the organization's internal network (intranet) for any application that uses a browser for its authentication.
We don’t support Windows Integrated Authentication yet, but it is still being used by your server because the app’s User-Agent header matches the user-agent components defined in your server’s WIASupportedUserAgentStrings setting.
For both iOS and Android we compose the User-Agent header value by concatenating the standard WebView User-Agent and a unique app identifier.
iOS format:
Mozilla/5.0 (<system-information>) <platform> (<platform-details>) Safari/<technical-version> AtlassianMobileApp
iOS example:
Mozilla/5.0 (iPhone; CPU iPhone OS 14_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Safari/604.1 AtlassianMobileApp
Android format:
Mozilla/5.0 (<system-information>) <platform> (<platform-details>) AtlassianMobileApp
Android example:
Mozilla/5.0 (Linux; Android 9; Mi A1 Build/PKQ1.180917.001) AppleWebKit/537.36 (KHTML, like Gecko) AtlassianMobileApp
This resolution requires your users to be running the following app versions:
- Confluence Server and Data Center app v 1.24 and later (iOS) and v 0.14 (Android)
- Jira Server and Data Center app v 1.27 and later (iOS) and v 0.21.6 (Android)
To resolve this issue you will need to exclude the User-Agent from WIASupportedUserAgents. See Configuring intranet forms-based authentication for devices that do not support WIA in the Microsoft documentation to find out how to do this.
For instance, if “Mozilla/5” is listed among your WIA user-agent string components, you might consider using the regex match feature (available in Windows Server 2016 or later) to enable WIA for anything but AtlassianMobileApp.
Alternatively, you can achieve the same result by replacing the broad “Mozilla/5” component with narrower ones:
This way only requests coming from Windows or macOS will be redirected to WIA. The mobile apps won’t go through WIA.
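The regex approach carried out with the AD FS PowerShell cmdlets, as an added example that is not part of the Atlassian article; it assumes Windows Server 2016 or later (where a component prefixed with "=~" is treated as a regular expression), a session on an AD FS server with the ADFS module, and the Test-WiaMatch helper and sample desktop user agent are constructed here as a local approximation of the matching, not AD FS's own code.

```powershell
# Added example (not from the Atlassian article): narrow the AD FS WIA user-agent
# list so the Atlassian mobile app's User-Agent no longer triggers WIA.
# Assumption: Windows Server 2016 or later, where "=~" entries are regexes.

Import-Module ADFS

# 1. Record the current list so it can be restored if needed.
$current = (Get-AdfsProperties).WIASupportedUserAgents
$backup  = Join-Path $env:TEMP "WIASupportedUserAgents.backup.txt"
$current | Set-Content -Path $backup
Write-Host "Current WIA user-agent components saved to $backup"

# 2. Regex entry: still match "Mozilla/5" user agents, but not those carrying the
#    AtlassianMobileApp identifier. Negative lookahead is .NET regex syntax.
$regexEntry = '=~^Mozilla/5(?!.*AtlassianMobileApp)'

# 3. Build the new list: drop the broad "Mozilla/5" component, add the regex entry.
$newList = @($current | Where-Object { $_ -ne 'Mozilla/5' })
if ($newList -notcontains $regexEntry) { $newList += $regexEntry }

# 4. Dry run against sample UAs before touching the server. Test-WiaMatch is a
#    constructed approximation: plain entries as substring matches, "=~" entries
#    as regexes. Verify behaviour on a test AD FS instance as well.
function Test-WiaMatch {
    param([string]$UserAgent, [string[]]$Components)
    foreach ($c in $Components) {
        if ($c.StartsWith('=~')) {
            if ($UserAgent -match $c.Substring(2)) { return $true }
        } elseif ($UserAgent.Contains($c)) { return $true }
    }
    return $false
}
$samples = @(
  # The two app user agents quoted in the article:
  'Mozilla/5.0 (iPhone; CPU iPhone OS 14_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Safari/604.1 AtlassianMobileApp',
  'Mozilla/5.0 (Linux; Android 9; Mi A1 Build/PKQ1.180917.001) AppleWebKit/537.36 (KHTML, like Gecko) AtlassianMobileApp',
  # Constructed desktop browser UA that should still receive WIA:
  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0 Safari/537.36'
)
foreach ($ua in $samples) {
    "{0,-5} {1}" -f (Test-WiaMatch -UserAgent $ua -Components $newList), $ua
}

# 5. Apply only once the dry run shows False for both app UAs and True for desktop.
# Set-AdfsProperties -WIASupportedUserAgents $newList
```

The apply step is left commented out so the list can be reviewed first; once applied, the two app user agents fall through to forms-based authentication while desktop browsers matching the regex keep using WIA.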
Not an admin? Send this page to your administrator and ask them to investigate the issue for you.