Starting with version 3.6.0, the SAML Single Sign-On app can delegate WebSudo authentication to the configured SAML Identity Provider (IdP).

As of version 6.6.0, WebSudo authentication is also supported for OpenID Connect configurations.

Limitations

• WebSudo with SSO does not work with transient NameIDs.
  This is because the SAML NameID from the additional authentication must be the same as the one from the initial login.
  

• WebSudo with SSO does not work if the Set RememberMe Cookie option is enabled. Once the Remember Me cookie is used to re-establish a user session, it is no longer considered a SAML session. If the blue reauthenticate button does not appear as expected, the only current workaround is to log out and log in again using SAML SSO. To ensure WebSudo functions correctly, please disable the Set RememberMe Cookie option as shown below.
  

Configuration

The Enable additional authentication setting is enabled by default. This feature allows WebSudo and supported third-party apps to request re-authentication from the Identity Provider (IdP) instead of asking for the user’s password again.

The following options are available in the Additional authentication (WebSudo) section:

• Enable additional authentication (enabled by default)
  Activates IdP-based re-authentication for admin actions and third-party apps that require additional confirmation (e.g. WebSudo).

• Request new authentication from IdP for additional authentication (enabled by default)
  Sends a SAML request with the forceAuthn flag to explicitly trigger a fresh login at the IdP, rather than reusing an existing SSO session. This helps ensure the additional authentication is truly validated by the IdP. Since version 6.6.0, this option can be disabled, in which case the SAML request is sent without the forceAuthn flag.

• Hide password field for additional authentication (optional)
  When enabled, the local password field is removed from the additional authentication page.

WebSudo Flow with Re-Authentication Button

If the current admin user is logged in using SAML and additional authentication is enabled for the IdP the user authenticated with, the WebSudo page will show a Re-Authenticate button alongside the default local password prompt provided by Atlassian. To hide the password field and enforce SSO-only re-authentication, the admin must enable the optional "Hide password field for additional authentication" setting in the additional authentication configuration.

Clicking the Re-Authenticate button triggers a SAML authentication request, including the forceAuthn flag (depending on your configuration), to revalidate the user’s identity through the Identity Provider.

A new browser window with the IdP's authentication page will be opened, where the user needs to authenticate again.

After successful authentication, starting the WebSudo session must be confirmed before the window is closed automatically:

When the Re-Authenticate Button Does Not Appear

In some cases, the Re-Authenticate button is not displayed on the WebSudo page. This happens when:

• The session was restored using the Remember Me cookie rather than a fresh SAML login.

• The admin user logged in with a local username and password instead of using SAML SSO.

In these situations, the WebSudo screen shows only the standard password prompt and a message indicating that you're not logged in via Single Sign-On.

To proceed with SSO-based re-authentication, you need to log out and log in again via your Identity Provider.