1. Atlassian Labs Avatar Atlassian Labs
  2. Partner Integrations
  3. atlascode
  4. Issues

Allow SAML SSO as authentication method

Issue #237 resolved
Nestor Rodriguez created an issue

Hi Atlassian team!

We are trying this plugin and it seems a good one. There is one problem, the developers in our company don’t have the password of their users because we use SSO as authentication method. Right now, the plugin allows to connect to a Jira Server instance but only using username/password. Is SAML SSO authentication method something you have in your backlog? If not, are you planning to add it?

Thanks!

Official response

Comments (30)

  3. Alastair Wilkes

    Hi Nestor,

    This is high on our priority list, but we do not have a resolution yet.

    Thanks,
    Alastair

  5. Alastair Wilkes

    We'll keep looking into other options, but the preferred and simplest solution is unfortunately blocked by the lack of app passwords/API tokens for Jira, as noted in this open feature request: https://jira.atlassian.com/browse/JRASERVER-67869

    As a result, I am putting this ticket "On Hold." My apologies to those of you who can't take advantage of the extension yet.

  6. Michael Metcalf

    Hey @Alastair Wilkes ,

    If I may add here, we use SSO against the Jira Server in our organization (along with a fair amount of VSCode users 🙂), and across systems ideally we try to discourage folks from creating long-lived/unattributed user centric API tokens or bypassing SSO in the initial token mint (i.e ?auth_fallback is a thing)

    For Jira specifically there have been scenarios where we have build internal tooling/clients that perform the currently supported Connected Apps OAuth (1.0a) flow in Jira Server. Its not great from a development experience, but our users gain the ability to discern/revoke api clients/tokens more clearly in the event they lose their machine or the token, etc.

    I can appreciate that this most likely a non-inconsequential level of effort to support this, however perhaps its worth supporting this in the name of better user security, or alternatively push on the JRASERVER team to support OAuth2 in a fashion more aligned with what is implemented in Jira Cloud. (As opposed to the User Centric token proposal in JRASERVER-67869)

    Cheers,
    Michael

  7. Alastair Wilkes

    Hi Michael,

    Thanks for the feedback and suggestions!

    I totally agree that a proper OAuth flow is the best long-term solution. We evaluated using the existing OAuth flow but felt it wasn’t appropriate for our use case given the complicated admin setup requirements. We may revisit that decision at a later time, but right now we’re focused on other priorities.

    However, your suggestion to advocate for OAuth2 on the Server side is a good one, and I will engage that team for discussion.

    Best,
    Alastair

  10. Rudy Dullier

    Just found that issue while trying the extension.

    So the issue is on hold and the account of Alastair is deactivated.

    Great 🙂

  11. Jonathan Doklovic Account Deactivated

    @Rudy Dullier This issue was put on hold due to the lack of options to move forward. We will continue to look for ways around this issue.

  12. Edward Muller

    FWIW: There are ways to do the oauth flow from in vscode, several other extensions utilize it.

  13. Hartmut Leister

    @Edward Muller But not the Atlassian/Jira extensions, no?

    But the problem here is, that

    1. users in this case don’t have knowledge of their Jira passwords
      (since Jira is logged in via SSO)
    2. users should not have to enter their cleartext Jira password into third party software
      (even if they knew them)

    @{557057:3695b794-cde3-43a2-99aa-c0fc6151b754} Is there a timeline for a workaround?

  14. Edward Muller

    @Hartmut Leister That is correct, I know of no Jira extensions that do that. Also, those extensions that utilize oauth flows don’t require passwords. I think they have the extension setup a local web server that completes the oauth exchange.

  15. Hartmut Leister

    There’s movement in Jira - they started working on API tokens in August:

    Atlassian Update – 20 August 2020

    Hi everyone,

    thank you for your votes and comments on this issue. We would like to inform that our team has started working on the ability to generate API tokens.

    We’re now gathering insights as to the final shape of the solution and would like your feedback on the matter:

    * How would you inform your end-users about this new possibility?

    * Do you need to limit the access to this functionality?

    * Does your company have any policies regarding the usage of access tokens? If yes, please share more details with us.

    We’d love to hear your feedback, so please share your thoughts in the comments below or please reach out to us by writing directly at vpunjabi(at)atlassian.com.

    Your feedback would help us decide if the solution we’re building would work well for you.

    Thank you.
    Grazyna Kaszkur
    Product Manager, Jira Server and Data Center

    see https://jira.atlassian.com/browse/JRASERVER-67869?focusedCommentId=2486285&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-2486285

  17. Mikel Pérez

    I was very excited today to discover the vscode Jira plugin but seems like I’ll have to wait

  18. Jonathan Doklovic Account Deactivated

    @Dvir Yitzchaki If you have upgraded to a Jira version that has the fix for JRASERVER-67869 then you should be able to create an API token. The token works as a replacement for your password, so you just need to auth using the vscode extension using your regular username and the token as the password.

    This also requires your admin to allow API requests to use the token (basic) authentication for rest requests and not just SAML.

  19. kvart714

    Hello.

    Basic authentication is not secure and is disabled for us. We have indeed updated to the latest version (including JRASERVER-67869) and now I have the ability to use Personal Access Tokens. I am already accessing the API using PAT as a Bearer token.

    It seems that all that remains for vscode is to add Bearer Authorization.

  22. Tobias Spaltenberger

    Hello Jonathan,

    because I am not allowed to view the mentioned issue VSCODE-1336, I would like to ask if there is a roadmap or date till you think this (imho) tiny update with great impact will be shipped?

    Best regards

  23. Drew Haridis

    Hi Jonathan.. i’ve been watching this ticket since.. Oct of 2020.

    Please be an advocate of change. This is a much needed thing.

  24. Jonathan Doklovic Account Deactivated

    Just wanted to give a quick update. We are indeed working on adding support for Personal Access Tokens and hope to have it in a release soon.

    It’s more than a trivial change since it requires new UI and a new auth type to store, but we’re on it.

  26. Nick Rundquist

    We’ve added support for personal access tokens in 2.9.0. If you go to the extensions settings and select “Add custom Jira site” you’ll be given the option to use a personal access token once you’ve entered the URL for your instance.

  29. Stephan Wissel

    Our central services has disabled PAT on our on-premises installation. The only option in OAuth authentication tokens. Any plans to add support for those?

  30. Nikolaos Vergos Account Deactivated

    SSO user here too - I can authenticate to our company’s Jira via PAT, but not Bitbucket unfortunately. Any plans to incorporate that? @Nick Rundquist

  31. Log in to comment
Assignee
Type
enhancement
Priority
major
Status
resolved
Component
Authentication
Votes
21
Watchers
39