After enabling SSO, existing users can still bypass SAML authentication and keep logging in with their password. Since version 2.1.0 this can be switched off for the regular login page (see Disable password login with nosso-parameter, v2.1.0), but that does not disable password authentication itself: HTTP basic authentication still works, and there are a few situations in which Jira shows the anonymous dashboard with a login gadget that accepts a password.

Password authentication can now be disabled completely, but this requires some configuration in Jira, Confluence or Bamboo.

Bitbucket Server

In Bitbucket Server, enable "deny password login" on the plugin configuration page. After that, only users with System Administrator privileges and members of a group named allow-password-login can authenticate with a password; everyone else must go through SAML. Keep that group small, since its members retain a password-based login path that SSO does not cover.

Passwords work again as soon as the add-on is disabled or uninstalled, so the restriction only holds while the plugin is installed and enabled.

Jira, Confluence and Bamboo

In Jira, Confluence and Bamboo, password authentication is blocked by installing a special Seraph authenticator in the application:

Download the authenticator from http://builds.resolution.de/denypasswordauthenticator-1.0.2.jar

Copy denypasswordauthenticator-<version>.jar into the application's lib folder, e.g. /opt/atlassian/jira/atlassian-jira/WEB-INF/lib for Jira, /opt/atlassian/confluence/confluence/WEB-INF/lib for Confluence or /opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/lib for Bamboo.
Ensure that only one version of this file is in that directory; a copy left over from an earlier version would put two versions of the same classes on the classpath.

Jira

Edit seraph-config.xml in the classes folder, e.g. /opt/atlassian/jira/atlassian-jira/WEB-INF/classes/seraph-config.xml. Comment out the existing authenticator definition and replace it with de.resolution.samlsso.authenticator.JiraDenyPasswordAuthenticator, so that the authenticator section looks like this:

<!-- <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/>  -->
<authenticator class="de.resolution.samlsso.authenticator.JiraDenyPasswordAuthenticator" />

Confluence

Edit seraph-config.xml in the classes folder, e.g. /opt/atlassian/confluence/confluence/WEB-INF/classes/seraph-config.xml. Comment out the existing authenticator definition and replace it with de.resolution.samlsso.authenticator.ConfluenceDenyPasswordAuthenticator, so that the authenticator section looks like this:

<!-- <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>  -->
<authenticator class="de.resolution.samlsso.authenticator.ConfluenceDenyPasswordAuthenticator" />

When a custom authenticator is installed, Confluence automatically disables some functionality that relies on password confirmation:

  • web sudo
  • captcha
  • password confirmation on email change

Note that without web sudo, administrative pages no longer ask for re-authentication, so decide deliberately whether you want this behaviour. To override it, set the password.confirmation.disabled system property (a JVM -D argument). See this ticket for more information.

Bamboo

Edit seraph-config.xml in the classes folder, e.g. /opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/classes/seraph-config.xml. Comment out the existing authenticator definition and replace it with de.resolution.samlsso.authenticator.BambooDenyPasswordAuthenticator, so that the authenticator section looks like this:

<!-- <authenticator class="com.atlassian.bamboo.user.authentication.BambooAuthenticator"/>  -->
<authenticator class="de.resolution.samlsso.authenticator.BambooDenyPasswordAuthenticator" />

Restart the application after changing the Seraph configuration file; the new authenticator is only picked up at startup.

After that, as in Bitbucket Server, only users with System Administrator privileges and members of a group named allow-password-login can authenticate with a password, including via HTTP basic authentication; everyone else must go through SAML.
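The Jira/Confluence/Bamboo procedure above as one script, added here as an example; it is not part of the resolution documentation or plugin. The authenticator class names and the WEB-INF layout (lib/ next to classes/seraph-config.xml) are taken from the page; the function names are this example's own, and the edit fails rather than guessing when the stock authenticator line is not found or a second jar version is present.

```shell
#!/bin/sh
# Added example, not resolution's code: scripts the deny-password-authenticator
# install for Jira, Confluence and Bamboo. Class names and the WEB-INF layout
# come from the documentation page; function names are this example's own.
set -eu

# Stock Seraph authenticator class per product (from the page).
orig_class() {
  case "$1" in
    jira)       echo "com.atlassian.jira.security.login.JiraSeraphAuthenticator" ;;
    confluence) echo "com.atlassian.confluence.user.ConfluenceAuthenticator" ;;
    bamboo)     echo "com.atlassian.bamboo.user.authentication.BambooAuthenticator" ;;
    *)          echo "unsupported product: $1" >&2; return 1 ;;
  esac
}

# Replacement deny-password authenticator class per product (from the page).
deny_class() {
  case "$1" in
    jira)       echo "de.resolution.samlsso.authenticator.JiraDenyPasswordAuthenticator" ;;
    confluence) echo "de.resolution.samlsso.authenticator.ConfluenceDenyPasswordAuthenticator" ;;
    bamboo)     echo "de.resolution.samlsso.authenticator.BambooDenyPasswordAuthenticator" ;;
    *)          echo "unsupported product: $1" >&2; return 1 ;;
  esac
}

# Succeeds only if exactly one denypasswordauthenticator-*.jar is in the lib
# directory: two versions on the classpath is the mistake the page warns
# about, and zero means the deny authenticator class cannot load at all.
check_single_jar() {
  n=$(find "$1" -maxdepth 1 -name 'denypasswordauthenticator-*.jar' | wc -l | tr -d ' ')
  [ "$n" -eq 1 ]
}

# Rewrite seraph-config.xml: comment out the stock authenticator line and put
# the deny-password one right after it, keeping the indentation. Idempotent
# (a file already carrying the deny class is left alone) and strict: unknown
# product or missing stock line -> return 1, never a silent "fix".
install_deny_authenticator() {
  product=$1
  cfg=$2
  orig=$(orig_class "$product") || return 1
  deny=$(deny_class "$product") || return 1
  if grep -qF "<authenticator class=\"$deny\"" "$cfg"; then
    return 0
  fi
  if ! grep -qF "<authenticator class=\"$orig\"" "$cfg"; then
    echo "stock authenticator line for $product not found in $cfg" >&2
    return 1
  fi
  cp "$cfg" "$cfg.bak"
  awk -v orig="$orig" -v deny="$deny" '
    index($0, "<authenticator class=\"" orig "\"") && $0 !~ /<!--/ {
      match($0, /^[ \t]*/)
      ind = substr($0, 1, RLENGTH)
      print ind "<!-- <authenticator class=\"" orig "\"/> -->"
      print ind "<authenticator class=\"" deny "\" />"
      next
    }
    { print }
  ' "$cfg.bak" > "$cfg"
}

# Whole procedure for one product. $2 is the application's WEB-INF directory
# (e.g. /opt/atlassian/confluence/confluence/WEB-INF), $3 the downloaded jar.
deny_password_login() {
  product=$1
  webinf=$2
  jar=$3
  cp "$jar" "$webinf/lib/"
  if ! check_single_jar "$webinf/lib"; then
    echo "expected exactly one denypasswordauthenticator jar in $webinf/lib" >&2
    return 1
  fi
  install_deny_authenticator "$product" "$webinf/classes/seraph-config.xml"
  echo "seraph-config.xml updated; restart $product for the change to take effect"
}
```

After the restart, check the result from outside rather than trusting the config: a basic-auth request by a user who is neither a System Administrator nor in allow-password-login, e.g. `curl -u alice:password -o /dev/null -w '%{http_code}' https://jira.example.com/rest/api/2/myself` (host and user are placeholders), should now come back 401 instead of 200, while a member of the group still gets 200.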