After enabling SSO, existing users can bypass SAML authentication and keep logging in with their password. Since version 2.1.0 this can be disabled for the login form (see "Disable password login with nosso-parameter v2.1.0"), but that does not disable password authentication completely: HTTP basic authentication against the REST API, for example, still accepts a password.

Password authentication can now be disabled, but this requires some configuration in Jira, Confluence or Bamboo.

This approach is experimental – try it in a testing environment before applying to production. We currently cannot guarantee that there are no impacts for your users.

Bitbucket Server

In Bitbucket Server, just enable "deny password login" on the plugin configuration page. After that, only users with System Administrator privileges or members of a group named allow-password-login can use a password for authentication.

Passwords will work again as soon as the addon is disabled or uninstalled.

Jira, Confluence and Bamboo

In Jira, Confluence and Bamboo, password authentication can be blocked by installing a special authenticator in the system:

Download the authenticator from http://builds.resolution.de/denypasswordauthenticator-1.0.2.jar

Copy denypasswordauthenticator-<version>.jar into the application's lib folder, e.g. /opt/atlassian/jira/jira/WEB-INF/lib for Jira, /opt/atlassian/confluence/confluence/WEB-INF/lib for Confluence or /opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/lib for Bamboo.
Ensure that only one version of this file is in that directory; remove any older denypasswordauthenticator jar before continuing.

Jira

Edit seraph-config.xml in the classes folder, e.g. /opt/atlassian/jira/atlassian-jira/WEB-INF/classes/seraph-config.xml. Comment out the existing authenticator definition and replace it with de.resolution.samlsso.authenticator.JiraDenyPasswordAuthenticator, so the file contains:

<!-- <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/>  -->
<authenticator class="de.resolution.samlsso.authenticator.JiraDenyPasswordAuthenticator" />

Confluence

Edit seraph-config.xml in the classes folder, e.g. /opt/atlassian/confluence/confluence/WEB-INF/classes/seraph-config.xml. Comment out the existing authenticator definition and replace it with de.resolution.samlsso.authenticator.ConfluenceDenyPasswordAuthenticator, so the file contains:

<!-- <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>  -->
<authenticator class="de.resolution.samlsso.authenticator.ConfluenceDenyPasswordAuthenticator" />

Bamboo

Edit seraph-config.xml in the classes folder, e.g. /opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/classes/seraph-config.xml. Comment out the existing authenticator definition and replace it with de.resolution.samlsso.authenticator.BambooDenyPasswordAuthenticator, so the file contains:

<!-- <authenticator class="com.atlassian.bamboo.user.authentication.BambooAuthenticator"/>  -->
<authenticator class="de.resolution.samlsso.authenticator.BambooDenyPasswordAuthenticator" />

Restart the application after changing the seraph configuration file.

After that, only users with System Administrator privileges or members of a group named allow-password-login can use a password for authentication.
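As an added verification script (not part of the plugin or of this guide), the POSIX shell functions below check the two things the steps above depend on: that exactly one denypasswordauthenticator jar sits in WEB-INF/lib, and that the uncommented authenticator element in seraph-config.xml is one of the DenyPasswordAuthenticator classes. A third function reports the HTTP status of a basic-auth request so you can confirm after the restart that the password path is really refused for a normal user; paths, URL, REST path and credentials are caller-supplied arguments, and the Jira endpoint /rest/api/2/myself named in its comment is an assumption.

```shell
#!/bin/sh
# Added verification helper; not part of the plugin or its documentation.
# Assumes the jar is named denypasswordauthenticator-<version>.jar and that
# seraph-config.xml declares the authenticator as <authenticator class="..."/>.

# Number of denypasswordauthenticator jars in a WEB-INF/lib directory.
# The procedure requires exactly one; two versions side by side is a
# common reason the new authenticator does not load.
count_deny_jars() {
    ls "$1"/denypasswordauthenticator-*.jar 2>/dev/null | wc -l | tr -d ' '
}

# Class name of the first <authenticator> that is NOT inside an XML comment,
# so the commented-out Atlassian default is ignored (multi-line comments too).
active_authenticator() {
    tr '\n' ' ' < "$1" | awk '{
        s = $0; t = ""
        while ((i = index(s, "<!--")) > 0) {     # drop every <!-- ... --> block
            t = t substr(s, 1, i - 1); s = substr(s, i + 4)
            j = index(s, "-->"); if (j == 0) { s = ""; break }
            s = substr(s, j + 3)
        }
        t = t s
        if (match(t, /<authenticator[^>]*>/)) {
            tag = substr(t, RSTART, RLENGTH)
            if (match(tag, /class="[^"]*"/)) print substr(tag, RSTART + 7, RLENGTH - 8)
        }
    }'
}

# Returns 0 when the lib dir holds exactly one jar and the active authenticator
# is a DenyPassword class; otherwise prints the reason on stderr and returns 1.
verify_deny_config() {
    n=$(count_deny_jars "$1")
    [ "$n" -eq 1 ] || { echo "expected 1 denypasswordauthenticator jar in $1, found $n" >&2; return 1; }
    cls=$(active_authenticator "$2")
    case "$cls" in
        de.resolution.samlsso.authenticator.*DenyPasswordAuthenticator) return 0 ;;
        *) echo "active authenticator is '${cls:-none}', not a DenyPasswordAuthenticator" >&2; return 1 ;;
    esac
}

# After the restart: status code of a basic-auth request to BASE_URL + REST_PATH
# (e.g. /rest/api/2/myself on Jira, assumed). Anything but 200 for a normal user
# means the password path is blocked. Needs network access, so not run here.
probe_basic_auth() {
    curl -s -o /dev/null -w '%{http_code}' -u "$3:$4" "$1$2"
}
```

Usage: `verify_deny_config /opt/atlassian/jira/jira/WEB-INF/lib /opt/atlassian/jira/atlassian-jira/WEB-INF/classes/seraph-config.xml`, then `probe_basic_auth https://jira.example.org /rest/api/2/myself someuser 'password'` once the application is back up.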