Problem

We've noticed that if we log in using SSO with a Jira/Confluence administrator user, when we try to go to an administration page, we are prompted to re-enter the user password. Why does the SAML Single Sign On plugin not perform the authentication process?

Solution

The WebSudo component does not use the SAML SSO plugin for authentication. You essentially have two options.

  1. You log in with (or create) a normal administrator account that has a Jira/Confluence password and use it to access the administration section.
  2. Disable WebSudo: https://confluence.atlassian.com/adminjiraserver074/configuring-secure-administrator-sessions-881684205.html

A little more background:

There isn't a good way to implement SSO with WebSudo. Let's assume we could have WebSudo do single sign-on; what would happen then is:
  1. You log in to Confluence/Jira via SSO, entering your username and password at the IdP (if you weren't already authenticated there).
  2. Once you want to become admin, WebSudo would send you to the IdP for authentication.
  3. The IdP sees you are already authenticated and sends you back to Jira/Confluence as AUTHENTICATED, WITHOUT asking you for the password again.
  4. Here you go: you are in the admin section.

From both a usability and a security perspective this is actually pretty much the same as having turned off the password prompt.
To our knowledge there is no way via the SAML protocol to force the IdP to ask for the password again – since our plugin can't know the password (that would defeat the whole SAML security architecture) we have no other way than sending the request to the IdP.
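To make the argument above concrete, here is an added toy model of the hypothetical WebSudo-over-SSO flow. It is constructed for this article and is not code from the SAML SSO plugin or from Atlassian: the IdP and service provider are tiny in-memory classes, and the SAML assertion is reduced to its subject plus an AuthnInstant-style timestamp (the time the IdP last actually verified the password). The user name, password, timestamps and the 10-minute freshness window are all made up. It shows that once an IdP session exists, a second authentication request is answered without any password prompt, and that an assertion-freshness check on the SP side would reject such a stale re-authentication.

```python
"""Toy model of WebSudo redirecting to an SSO IdP (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed freshness window for "you proved your password recently".
WEBSUDO_MAX_AGE = timedelta(minutes=10)


@dataclass
class Assertion:
    subject: str
    authn_instant: datetime  # when the IdP last verified the password


@dataclass
class IdP:
    passwords: dict                                  # user -> password
    sessions: dict = field(default_factory=dict)     # user -> authn_instant
    password_prompts: int = 0                        # how often a password was asked

    def authenticate(self, user, password, now):
        """Step 1: first login. Check the password and remember the session."""
        self.password_prompts += 1
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        self.sessions[user] = now
        return Assertion(user, now)

    def handle_authn_request(self, user, now):
        """Steps 2-3: a later AuthnRequest. An existing IdP session is reused,
        so the assertion is issued without any prompt and carries the
        ORIGINAL AuthnInstant, not `now`."""
        if user in self.sessions:
            return Assertion(user, self.sessions[user])
        return None  # no session: the IdP would show its login form


def websudo_via_sso(idp, user, now):
    """Step 4 as described above: WebSudo trusts whatever the IdP returns.
    Returns True if admin access would be granted."""
    assertion = idp.handle_authn_request(user, now)
    return assertion is not None and assertion.subject == user


def websudo_with_freshness_check(idp, user, now, max_age=WEBSUDO_MAX_AGE):
    """Defensive variant (hypothetical): accept the assertion only if the
    IdP verified the password within `max_age` of now."""
    assertion = idp.handle_authn_request(user, now)
    if assertion is None or assertion.subject != user:
        return False
    return now - assertion.authn_instant <= max_age


def demo():
    """Run the flow with a constructed clock and user; return what happened."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    idp = IdP(passwords={"admin": "correct-horse"})
    idp.authenticate("admin", "correct-horse", t0)     # initial SSO login
    soon = t0 + timedelta(minutes=5)                   # admin page shortly after
    later = t0 + timedelta(hours=3)                    # admin page hours later
    return {
        "sso_websudo_grants_later": websudo_via_sso(idp, "admin", later),
        "fresh_check_grants_soon": websudo_with_freshness_check(idp, "admin", soon),
        "fresh_check_grants_later": websudo_with_freshness_check(idp, "admin", later),
        "password_prompts": idp.password_prompts,      # only the initial login
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Hours after the initial login, `websudo_via_sso` still grants admin access and the IdP's prompt counter stays at 1, which is exactly the "same as having turned off the password prompt" situation described above. The freshness variant is only a model of what an SP could check on the assertion it receives; it does not make the IdP ask for the password again.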