Nested Groups via ADFS/SAML
We support Nested Groups in principle, but there is one thing to note when working with ADFS.
ADFS will always "flatten" any nested Group relationships.
Example Scenario
Let's assume the User "ExampleUser" is part of the following Groups:
- "Domain Users", "Domain Admins", "childgroup"
There is also a Group hierarchy as follows:
- "grandfathergroup" contains "fathergroup" which contains "childgroup"
So ultimately the User belongs to all 5 Groups, but he is part of "grandfathergroup" & "fathergroup" only through a nested relationship.
Groups claims from ADFS
ADFS will transmit only the "flattened" relationship to the Plugin via SAML, so the message from ADFS will look like this:
"http://schemas.xmlsoap.org/claims/Group": [ "Domain Admins", "Domain Users", "childgroup", "fathergroup", "grandfathergroup" ],
In this message the Plugin cannot determine the nested relationship.
This means that in Confluence/Jira the Plugin will make the User a direct member of all five groups:
- "Domain Admins",
- "Domain Users",
- "childgroup",
- "fathergroup",
- "grandfathergroup"
Consequences
From a security and rights management perspective this is usually not an issue. It is still possible to assign rights & roles to any of these groups, and since the user is a member of each of them, the user gets the correct rights.
If the user is removed from the "childgroup", for example, the next SAML message will contain only the following groups:
"http://schemas.xmlsoap.org/claims/Group": [ "Domain Admins", "Domain Users" ],
So the Plugin will remove the User from the 3 groups he is no longer part of:
- "childgroup",
- "fathergroup",
- "grandfathergroup"
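The scenario above, worked through as an added example (not the Plugin's own code): it reads the flattened Group claim from a constructed SAML AttributeStatement and computes which direct memberships a sync would add or remove. The function names and the sample XML are assumptions made for illustration, and the assertion is assumed to have been signature-validated before this step.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"  # claim name shown on the page


def attribute_statement(groups):
    """Build a constructed AttributeStatement carrying the flattened group claim."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return (
        '<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<saml:Attribute Name="{GROUP_CLAIM}">{values}</saml:Attribute>'
        "</saml:AttributeStatement>"
    )


def groups_from_statement(xml_text):
    """Return the group names in the Group claim as a set; no hierarchy is carried."""
    root = ET.fromstring(xml_text)  # input assumed to come from a validated assertion
    found = set()
    for attr in root.findall("saml:Attribute", SAML_NS):
        if attr.get("Name") == GROUP_CLAIM:
            for value in attr.findall("saml:AttributeValue", SAML_NS):
                found.add((value.text or "").strip())
    found.discard("")
    return found


def reconcile(current_direct, claimed):
    """Direct memberships to add and to remove so that they match the claim."""
    return sorted(claimed - current_direct), sorted(current_direct - claimed)


# Constructed sample data matching the example scenario on this page.
FIRST_LOGIN = attribute_statement(
    ["Domain Admins", "Domain Users", "childgroup", "fathergroup", "grandfathergroup"])
AFTER_REMOVAL = attribute_statement(["Domain Admins", "Domain Users"])

if __name__ == "__main__":
    memberships = set()  # the user's direct groups in Jira/Confluence
    for label, statement in (("first login", FIRST_LOGIN), ("after removal", AFTER_REMOVAL)):
        claimed = groups_from_statement(statement)
        add, remove = reconcile(memberships, claimed)
        print(f"{label}: add={add} remove={remove}")
        memberships = claimed
```

Removing the user from "childgroup" alone produces three removals, because ADFS also stops sending the two inherited parent groups.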