
Deny Password Authentication

After enabling SSO, existing users can still bypass SAML authentication and log in locally with their passwords.
Since version 2.1.0 the password login can be hidden (see (6.15.x) Disable password login with nosso-parameter), but this still does not disable password authentication completely.

To disable it completely, some additional configuration in Bitbucket Server, Jira or Confluence is required.

Bitbucket Server

In Bitbucket Server, enable Block Password Authentication on the plugin configuration page.
After that, only users with System Administrator privileges or members of a group named allow-password-login can authenticate with a password.
Create that group if it does not exist yet.

Note that passwords work again as soon as the SAML SSO app is disabled or uninstalled; the block only exists while the app is active.

Jira and Confluence

In Jira and Confluence, password authentication is blocked by installing a special Seraph authenticator that replaces the built-in one. Paste the following link into your browser to download it: http://builds.resolution.de/denypasswordauthenticator-3.2.3.jar (note that this is a plain HTTP link; since the JAR becomes part of the login path, obtain it over a channel you trust).

This also worked in Bamboo up to version 8.0.0, but it no longer works in later versions.

New in Version 3.2.3

Compatibility fix for Confluence 10: the sysadmin bypass check (allowSysadmins=true) used a Confluence API that Atlassian removed in 10.x, so all local logins failed after the upgrade. The authenticator remains compatible with Confluence 8.x and 9.x. Upgrade the authenticator before moving to Confluence 10; the upgrade is recommended for everyone.

New in Version 3.2.2

User and group allow‑/deny‑lists now tolerate spaces around commas. Entries like group-a, group-b work the same as group-a,group-b, so a stray space no longer silently breaks a rule and accidentally allows or blocks a user.

New in Version 3.2.1

Bamboo compatibility only, so that the authenticator keeps working on newer Bamboo versions. No configuration change is required; Jira and Confluence behaviour is unchanged.

New in Version 3.2.0

Added the init-params deniedUsers, groupAllowOverDeny and allowWithoutApplicationAccess.

New in Version 3.1.0

Added a new init-param allowedUsers for whitelisting usernames.

New in Version 3.0.0

The authenticator can now be configured with init-params. Instead of checking for the fixed group allow-password-login, the group names can be configured.

Installation

Copy denypasswordauthenticator-<version>.jar into the application's lib folder, e.g., /opt/atlassian/jira/atlassian-jira/WEB-INF/lib for Jira or /opt/atlassian/confluence/confluence/WEB-INF/lib for Confluence.
Ensure that only one version of this file is in that directory; delete any older versions, otherwise the class loader may pick up the old one.

Configuration

Edit seraph-config.xml in the classes folder, e.g., /opt/atlassian/jira/atlassian-jira/WEB-INF/classes/seraph-config.xml. Comment out the existing authenticator definition and replace it with de.resolution.samlsso.authenticator.JiraDenyPasswordAuthenticator in Jira or de.resolution.samlsso.authenticator.ConfluenceDenyPasswordAuthenticator in Confluence. Add the init-params you need to that element as described below. The listing shows every init-param supported by the latest version; only the ones you actually need have to be present in the final configuration:

  <!-- <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/> -->
  <authenticator class="de.resolution.samlsso.authenticator.JiraDenyPasswordAuthenticator">
    <init-param>
      <param-name>allowedUsers</param-name>
      <param-value>admin</param-value>
    </init-param>
    <init-param>
      <param-name>deniedUsers</param-name>
      <param-value>youMustNotLogin</param-value>
    </init-param>
    <init-param>
      <param-name>groupAllowOverDeny</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>allowWithoutApplicationAccess</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>allowedGroups</param-name>
      <param-value>allow.*,withpassword</param-value>
    </init-param>
    <init-param>
      <param-name>deniedGroups</param-name>
      <param-value>block.*,nopassword</param-value>
    </init-param>
    <init-param>
      <param-name>allowSysadmins</param-name>
      <param-value>true</param-value>
    </init-param>
  </authenticator>

The application must be restarted after changing the seraph configuration file.
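A mistake in this block (a regex that does not compile, or a combination that leaves nobody with password access) only shows up at the next login, after the restart. The following Python script is an added example written for this page; it is not part of the resolution.de authenticator or of Atlassian's tooling. It reads the <authenticator> element from a seraph-config.xml, extracts the init-params with the whitespace tolerance described for version 3.2.2, checks that each list entry compiles as a regular expression (Python's re is used as a stand-in for Java's regex engine, an assumption that holds for simple patterns such as allow.*), and flags the lockout configuration the Parameters section warns about (allowSysadmins=false with neither allowedUsers nor allowedGroups set). The function names, the two sample XML documents and the wording of the findings are the example's own.

```python
"""Pre-restart sanity check for a Deny Password Authenticator configuration.

Added example for this page, not part of the resolution.de authenticator.
Class names and init-param names come from the page; element lookup, the
regex dialect and the finding texts are this example's assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Authenticator classes named in the page's Configuration section.
DENY_CLASSES = {
    "de.resolution.samlsso.authenticator.JiraDenyPasswordAuthenticator",
    "de.resolution.samlsso.authenticator.ConfluenceDenyPasswordAuthenticator",
}
LIST_PARAMS = ("allowedUsers", "deniedUsers", "allowedGroups", "deniedGroups")
BOOL_PARAMS = ("groupAllowOverDeny", "allowWithoutApplicationAccess", "allowSysadmins")


def split_list(value):
    """Comma-separated list; spaces around commas are tolerated (3.2.2 behaviour)."""
    return [p.strip() for p in value.split(",") if p.strip()]


def load_authenticator(xml_text):
    """Return (class attribute, {param-name: param-value}) for the first
    <authenticator> element found anywhere in the document."""
    root = ET.fromstring(xml_text)
    auth = root if root.tag == "authenticator" else root.find(".//authenticator")
    if auth is None:
        raise ValueError("no <authenticator> element found")
    params = {}
    for ip in auth.findall("init-param"):
        name = (ip.findtext("param-name") or "").strip()
        params[name] = (ip.findtext("param-value") or "").strip()
    return auth.get("class", ""), params


def check_config(cls, params):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    if cls not in DENY_CLASSES:
        findings.append(f"authenticator class is {cls!r}, not a DenyPasswordAuthenticator")
    for name in BOOL_PARAMS:
        if name in params and params[name].lower() not in ("true", "false"):
            findings.append(f"{name}: expected true/false, got {params[name]!r}")
    for name in LIST_PARAMS:
        for entry in split_list(params.get(name, "")):
            try:
                # Assumption: Python's re is a close enough proxy for java.util.regex
                # for the simple patterns used in these lists (e.g. allow.*).
                re.compile(entry)
            except re.error as exc:
                findings.append(f"{name}: entry {entry!r} is not a valid regex ({exc})")
    # The page's warning: allowSysadmins=false without any allow rule disables
    # password authentication completely and locks everyone out if the IdP fails.
    sysadmins_allowed = params.get("allowSysadmins", "true").lower() != "false"
    has_allow_rule = any(split_list(params.get(n, "")) for n in ("allowedUsers", "allowedGroups"))
    if not sysadmins_allowed and not has_allow_rule:
        findings.append("LOCKOUT RISK: allowSysadmins=false and no allowedUsers/allowedGroups; "
                        "no one can authenticate with a password")
    return findings


# Constructed sample: the page's Jira example, wrapped in a minimal root element
# (a real seraph-config.xml contains much more than this).
SAMPLE_OK = """<security-config>
  <!-- <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/> -->
  <authenticator class="de.resolution.samlsso.authenticator.JiraDenyPasswordAuthenticator">
    <init-param><param-name>allowedUsers</param-name><param-value>admin</param-value></init-param>
    <init-param><param-name>allowedGroups</param-name><param-value>allow.*, withpassword</param-value></init-param>
    <init-param><param-name>deniedGroups</param-name><param-value>block.*,nopassword</param-value></init-param>
    <init-param><param-name>allowSysadmins</param-name><param-value>true</param-value></init-param>
  </authenticator>
</security-config>"""

# Constructed sample of the dangerous configuration: sysadmin bypass off, no allow
# rule at all, plus an unterminated character class in a regex.
SAMPLE_LOCKOUT = """<security-config>
  <authenticator class="de.resolution.samlsso.authenticator.ConfluenceDenyPasswordAuthenticator">
    <init-param><param-name>deniedGroups</param-name><param-value>block[.*</param-value></init-param>
    <init-param><param-name>allowSysadmins</param-name><param-value>false</param-value></init-param>
  </authenticator>
</security-config>"""


def findings_for(xml_text):
    return check_config(*load_authenticator(xml_text))


if __name__ == "__main__":
    for label, doc in (("ok", SAMPLE_OK), ("lockout", SAMPLE_LOCKOUT)):
        print(label, findings_for(doc) or ["no findings"])
```

Run it against the real file with `findings_for(open("/path/to/seraph-config.xml").read())` before restarting; an empty list means the block parsed, every regex compiled and at least one allow rule or the sysadmin bypass is in place.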

Parameters

deniedUsers

Users cannot use a password if their username matches one of these regular expressions; in that case neither the group checks nor the allowedUsers check are applied. Multiple entries are separated by ',':

  <init-param>
    <param-name>deniedUsers</param-name>
    <param-value>passwordOnly</param-value>
  </init-param>

allowedUsers

Users can use a password if their username matches one of these regular expressions; the group checks are not applied in that case. Multiple entries are separated by ',':

  <init-param>
    <param-name>allowedUsers</param-name>
    <param-value>admin.*,root</param-value>
  </init-param>

allowWithoutApplicationAccess

If this parameter is set to true, users without application access (typically customers in Jira Service Management) can use a password.

  <init-param>
    <param-name>allowWithoutApplicationAccess</param-name>
    <param-value>true</param-value>
  </init-param>

allowedGroups

The user can use a password if they are a member of at least one group matching these regular expressions. Multiple entries are separated by ','. In this example, all users who belong to a group whose name starts with allow, or to the group withpassword, can authenticate with a password (including basic authentication):

  <init-param>
    <param-name>allowedGroups</param-name>
    <param-value>allow.*,withpassword</param-value>
  </init-param>

deniedGroups

The user can use a password if they are NOT a member of any group matching these regular expressions. Multiple entries are separated by ','. In this example, all users who belong to a group whose name starts with block, or to the group nopassword, cannot authenticate with a password (including basic authentication); all other users can:

  <init-param>
    <param-name>deniedGroups</param-name>
    <param-value>block.*,nopassword</param-value>
  </init-param>

If both allowedGroups and deniedGroups are configured, a user must be a member of a group matching an entry of allowedGroups AND must NOT be a member of a group matching an entry of deniedGroups (unless groupAllowOverDeny changes this, see the next parameter).

groupAllowOverDeny

By default, groupAllowOverDeny is false: when both allowedGroups and deniedGroups are configured, a user who wants to log in with a local password must be a member of a group matching allowedGroups AND must NOT be a member of a group matching deniedGroups. If groupAllowOverDeny is true, allowedGroups takes precedence over deniedGroups: a user can use a password even while being a member of a denied group, as long as they are also a member of an allowed group.

  <init-param>
    <param-name>groupAllowOverDeny</param-name>
    <param-value>true</param-value>
  </init-param>

allowSysadmins

By default (allowSysadmins=true), all users with System Administrator privileges can log in with a password regardless of the user and group rules. Set allowSysadmins to false to remove this bypass.

  <init-param>
    <param-name>allowSysadmins</param-name>
    <param-value>false</param-value>
  </init-param>


If allowSysadmins is false and neither allowedUsers nor allowedGroups grants anyone password access, password authentication is disabled completely!

This can make the instance completely inaccessible if the other authentication methods fail, for example when the SAML Identity Provider is down, because there is no local account left to fall back to.

If password access for System Administrators is blocked, using Jira as a user directory for other applications such as Confluence no longer works, since that integration authenticates with a password.
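To make the interplay of these parameters concrete, here is a small Python model of the decision rules as this page describes them. It is an added example written for this page, not the authenticator's own code. The page does not state every evaluation order, so the following are assumptions and are marked as such in the code: deniedUsers also overrides the sysadmin bypass; the application-access check runs before the group rules; usernames and group names are matched against the whole string, as Java's String.matches() would; and with no allow rule configured nobody gets password access. The User class, the sample users and the function names are constructed for the example; the parameter names and the example configuration are the page's.

```python
"""Model of the Deny Password Authenticator decision rules as documented on this page.

Added example for this page, not the authenticator's own code. Evaluation
orders the page does not specify are assumptions and are marked inline.
"""
import re
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    sysadmin: bool = False
    has_application_access: bool = True   # False for e.g. Jira Service Management customers


def split_list(value):
    """Comma-separated regex list; spaces around commas are tolerated (3.2.2)."""
    return [p.strip() for p in value.split(",") if p.strip()]


def matches_any(text, patterns):
    # Assumption: whole-string match like Java's String.matches(); allow.* still
    # covers allow-password-login, but the entry admin does not cover admin2.
    return any(re.fullmatch(p, text) for p in patterns)


def flag(params, name, default):
    """Read a true/false init-param with the documented default."""
    return params.get(name, "true" if default else "false").strip().lower() == "true"


def password_allowed(user, params):
    """True if `user` may authenticate with a local password under `params`."""
    denied_users = split_list(params.get("deniedUsers", ""))
    allowed_users = split_list(params.get("allowedUsers", ""))
    allowed_groups = split_list(params.get("allowedGroups", ""))
    denied_groups = split_list(params.get("deniedGroups", ""))

    # deniedUsers: neither the group checks nor allowedUsers are applied.
    # Assumption: it also overrides the sysadmin bypass.
    if matches_any(user.name, denied_users):
        return False
    # allowedUsers: the group checks are skipped.
    if matches_any(user.name, allowed_users):
        return True
    # allowSysadmins defaults to true.
    if user.sysadmin and flag(params, "allowSysadmins", True):
        return True
    # Users without application access only get through with
    # allowWithoutApplicationAccess=true. Assumption: checked before the group rules.
    if not user.has_application_access:
        return flag(params, "allowWithoutApplicationAccess", False)

    in_allowed = any(matches_any(g, allowed_groups) for g in user.groups)
    in_denied = any(matches_any(g, denied_groups) for g in user.groups)
    if allowed_groups and denied_groups:
        if flag(params, "groupAllowOverDeny", False):
            return in_allowed              # allow wins even if also in a denied group
        return in_allowed and not in_denied
    if allowed_groups:
        return in_allowed
    if denied_groups:
        return not in_denied
    # Assumption: with no allow rule configured there is nothing that grants
    # password access, which matches the page's lockout warning.
    return False


# The page's full example configuration, as a plain dict.
PAGE_EXAMPLE = {
    "allowedUsers": "admin",
    "deniedUsers": "youMustNotLogin",
    "groupAllowOverDeny": "true",
    "allowWithoutApplicationAccess": "true",
    "allowedGroups": "allow.*,withpassword",
    "deniedGroups": "block.*,nopassword",
    "allowSysadmins": "true",
}

# Constructed sample users.
USERS = [
    User("admin"),                                            # allowedUsers
    User("youMustNotLogin", {"allow-password-login"}, True),  # deniedUsers beats group and sysadmin
    User("alice", {"withpassword", "nopassword"}),            # allowed and denied group at once
    User("bob", {"block-ldap"}),                              # only a denied group
    User("carol"),                                            # no groups at all
    User("customer", set(), False, False),                    # no application access
    User("dave", set(), True),                                # sysadmin without groups
]

if __name__ == "__main__":
    for u in USERS:
        print(f"{u.name:16} password allowed: {password_allowed(u, PAGE_EXAMPLE)}")
```

With the page's example configuration, admin, alice (groupAllowOverDeny=true), the customer and the sysadmin dave get through; youMustNotLogin, bob and carol do not. Flip groupAllowOverDeny to false and alice is blocked; flip allowSysadmins to false and dave is blocked because nothing else grants him access.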

Caveats/ Limitations

Jira

When a custom authenticator such as the deny password authenticator is in use, Jira automatically disables Web Sudo (re-authentication before administrative actions).
Atlassian only offers a way to keep that functionality in Confluence (see below) and decided not to do the same in Jira: https://jira.atlassian.com/browse/JRASERVER-62615

Confluence

If you install the deny password authenticator in Confluence, some functionality that relies on password authentication is automatically disabled:

  • Web Sudo

  • Captcha

  • Password confirmation on email change

To override this behaviour, set the system property password.confirmation.disabled to false: https://confluence.atlassian.com/doc/configuring-system-properties-168002854.html
This is an extract of a Linux setenv.sh file containing that additional parameter (the -Dpassword.confirmation.disabled=false line):

  # Set the JVM arguments used to start Confluence.
  # For a description of the vm options of jdk 8, see:
  # http://www.oracle.com/technetwork/java/javase/tech/vmoptions-jsp-140102.html
  # For a description of the vm options of jdk 11, see:
  # https://docs.oracle.com/en/java/javase/11/tools/java.html
  CATALINA_OPTS="-XX:+IgnoreUnrecognizedVMOptions ${CATALINA_OPTS}"
  CATALINA_OPTS="-XX:-PrintGCDetails -XX:+PrintGCDateStamps -XX:-PrintTenuringDistribution ${CATALINA_OPTS}"
  CATALINA_OPTS="-Xlog:gc+age=debug:file=$LOGBASEABS/logs/gc-`date +%F_%H-%M-%S`.log::filecount=5,filesize=2M ${CATALINA_OPTS}"
  CATALINA_OPTS="-Xloggc:$LOGBASEABS/logs/gc-`date +%F_%H-%M-%S`.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=2M ${CATALINA_OPTS}"
  CATALINA_OPTS="-XX:G1ReservePercent=20 ${CATALINA_OPTS}"
  CATALINA_OPTS="-Djava.awt.headless=true ${CATALINA_OPTS}"
  CATALINA_OPTS="-Datlassian.plugins.enable.wait=300 ${CATALINA_OPTS}"
  CATALINA_OPTS="-Xms1024m -Xmx1024m -XX:+UseG1GC ${CATALINA_OPTS}"
  CATALINA_OPTS="-Dsynchrony.enable.xhr.fallback=true ${CATALINA_OPTS}"
  CATALINA_OPTS="-Dorg.apache.tomcat.websocket.DEFAULT_BUFFER_SIZE=32768 ${CATALINA_OPTS}"
  # Added for the deny password authenticator: keep password confirmation enabled
  CATALINA_OPTS="-Dpassword.confirmation.disabled=false ${CATALINA_OPTS}"
  CATALINA_OPTS="-Djava.locale.providers=JRE,SPI,CLDR ${CATALINA_OPTS}"
  CATALINA_OPTS="${START_CONFLUENCE_JAVA_OPTS} ${CATALINA_OPTS}"
  CATALINA_OPTS="-Dconfluence.context.path=${CONFLUENCE_CONTEXT_PATH} ${CATALINA_OPTS}"
  CATALINA_OPTS="-Djdk.tls.server.protocols=TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 ${CATALINA_OPTS}"
  CATALINA_OPTS="-XX:ReservedCodeCacheSize=256m -XX:+UseCodeCacheFlushing ${CATALINA_OPTS}"
  export CATALINA_OPTS

Please refer to this ticket for more information.