Issue #266 was marked as a duplicate of this issue.
Allow SAML SSO as authentication method
Hi Atlassian team!
We are trying this plugin and it seems a good one. There is one problem, the developers in our company don’t have the password of their users because we use SSO as authentication method. Right now, the plugin allows to connect to a Jira Server instance but only using username/password. Is SAML SSO authentication method something you have in your backlog? If not, are you planning to add it?
Thanks!
Official response
Comments (30)
-
-
reporter Any update on this @Alastair Wilkes ?
-
Hi Nestor,
This is high on our priority list, but we do not have a resolution yet.
Thanks,
Alastair -
reporter Thanks for the update @Alastair Wilkes !
-
- changed status to on hold
We'll keep looking into other options, but the preferred and simplest solution is unfortunately blocked by the lack of app passwords/API tokens for Jira, as noted in this open feature request: https://jira.atlassian.com/browse/JRASERVER-67869
As a result, I am putting this ticket "On Hold." My apologies to those of you who can't take advantage of the extension yet.
-
Hey @Alastair Wilkes ,
If I may add here, we use SSO against the Jira Server in our organization (along with a fair amount of VSCode users ), and across systems ideally we try to discourage folks from creating long-lived/unattributed user centric API tokens or bypassing SSO in the initial token mint (i.e
?auth_fallback
is a thing)For Jira specifically there have been scenarios where we have build internal tooling/clients that perform the currently supported Connected Apps OAuth (1.0a) flow in Jira Server. Its not great from a development experience, but our users gain the ability to discern/revoke api clients/tokens more clearly in the event they lose their machine or the token, etc.
I can appreciate that this most likely a non-inconsequential level of effort to support this, however perhaps its worth supporting this in the name of better user security, or alternatively push on the JRASERVER team to support OAuth2 in a fashion more aligned with what is implemented in Jira Cloud. (As opposed to the User Centric token proposal in JRASERVER-67869)
Cheers,
Michael -
Hi Michael,
Thanks for the feedback and suggestions!
I totally agree that a proper OAuth flow is the best long-term solution. We evaluated using the existing OAuth flow but felt it wasn’t appropriate for our use case given the complicated admin setup requirements. We may revisit that decision at a later time, but right now we’re focused on other priorities.
However, your suggestion to advocate for OAuth2 on the Server side is a good one, and I will engage that team for discussion.
Best,
Alastair -
Issue
#361was marked as a duplicate of this issue. -
Hi,
as there are plugins to offer API Tokens for Jira (e.g. https://marketplace.atlassian.com/apps/1221586/api-token-authentication-jira?hosting=server), could the then created API token used as a password?
If not: Would it be able to add API token usage to atlascode (despite Jira Server not supllying them out of the box)
Sunny greetings and thank you
Hartmut
-
Just found that issue while trying the extension.
So the issue is on hold and the account of Alastair is deactivated.
Great
-
Account Deactivated @Rudy Dullier This issue was put on hold due to the lack of options to move forward. We will continue to look for ways around this issue.
-
FWIW: There are ways to do the oauth flow from in vscode, several other extensions utilize it.
-
@Edward Muller But not the Atlassian/Jira extensions, no?
But the problem here is, that
- users in this case don’t have knowledge of their Jira passwords
(since Jira is logged in via SSO) - users should not have to enter their cleartext Jira password into third party software
(even if they knew them)
@{557057:3695b794-cde3-43a2-99aa-c0fc6151b754} Is there a timeline for a workaround?
- users in this case don’t have knowledge of their Jira passwords
-
@Hartmut Leister That is correct, I know of no Jira extensions that do that. Also, those extensions that utilize oauth flows don’t require passwords. I think they have the extension setup a local web server that completes the oauth exchange.
-
There’s movement in Jira - they started working on API tokens in August:
Atlassian Update – 20 August 2020
Hi everyone,
thank you for your votes and comments on this issue. We would like to inform that our team has started working on the ability to generate API tokens.
We’re now gathering insights as to the final shape of the solution and would like your feedback on the matter:
* How would you inform your end-users about this new possibility?
* Do you need to limit the access to this functionality?
* Does your company have any policies regarding the usage of access tokens? If yes, please share more details with us.
We’d love to hear your feedback, so please share your thoughts in the comments below or please reach out to us by writing directly at vpunjabi(at)atlassian.com.
Your feedback would help us decide if the solution we’re building would work well for you.
Thank you.
Grazyna Kaszkur
Product Manager, Jira Server and Data Center -
https://jira.atlassian.com/browse/JRASERVER-67869 has been resolved, can this be worked on now?
-
I was very excited today to discover the vscode Jira plugin but seems like I’ll have to wait
-
Account Deactivated @Dvir Yitzchaki If you have upgraded to a Jira version that has the fix for JRASERVER-67869 then you should be able to create an API token. The token works as a replacement for your password, so you just need to auth using the vscode extension using your regular username and the token as the password.
This also requires your admin to allow API requests to use the token (basic) authentication for rest requests and not just SAML.
-
Hello.
Basic authentication is not secure and is disabled for us. We have indeed updated to the latest version (including JRASERVER-67869) and now I have the ability to use Personal Access Tokens. I am already accessing the API using PAT as a Bearer token.
It seems that all that remains for vscode is to add Bearer Authorization.
-
Account Deactivated Linked to VSCODE-1336
-
Account Deactivated - changed status to open
-
Hello Jonathan,
because I am not allowed to view the mentioned issue VSCODE-1336, I would like to ask if there is a roadmap or date till you think this (imho) tiny update with great impact will be shipped?
Best regards
-
Hi Jonathan.. i’ve been watching this ticket since.. Oct of 2020.
Please be an advocate of change. This is a much needed thing.
-
Account Deactivated Just wanted to give a quick update. We are indeed working on adding support for Personal Access Tokens and hope to have it in a release soon.
It’s more than a trivial change since it requires new UI and a new auth type to store, but we’re on it.
-
Thank You! Very excited.
-
We’ve added support for personal access tokens in 2.9.0. If you go to the extensions settings and select “Add custom Jira site” you’ll be given the option to use a personal access token once you’ve entered the URL for your instance.
-
- changed status to resolved
-
Thx, it works perfect!
-
Our central services has disabled PAT on our on-premises installation. The only option in OAuth authentication tokens. Any plans to add support for those?
-
Account Deactivated SSO user here too - I can authenticate to our company’s Jira via PAT, but not Bitbucket unfortunately. Any plans to incorporate that? @Nick Rundquist
- Log in to comment
We'll keep looking into other options, but the preferred and simplest solution is unfortunately blocked by the lack of app passwords/API tokens for Jira, as noted in this open feature request: https://jira.atlassian.com/browse/JRASERVER-67869
As a result, I am putting this ticket "On Hold." My apologies to those of you who can't take advantage of the extension yet.