Beginning with Fisheye/Crucible 4.8.6, there is no longer a need to update the xercesImpl library. You can seamlessly utilize the latest marketplace build of SAML Single Sign-On for Fisheye/Crucible without making any adjustments to your instance setup.

Setup for older Fisheye/Crucible instances (prior to 4.8.6)

We recommend using REDIRECT binding in our Fisheye/Crucible app. If you cannot use REDIRECT binding with your Identity Provider, follow these steps to make POST binding work in the Marketplace release of our Fisheye/Crucible app:

  1. Shut down your Fisheye/Crucible server.
  2. Go to the application's lib folder (e.g. /opt/atlassian/fecru/lib) and move xercesImpl-2.7.1.jar out of this folder (e.g. to your home directory).
  3. Download xercesImpl-2.8.0.jar from Maven Central (xercesImpl-2.8.0.jar) and place it in the application's lib folder.
    1. If the above link to the jar is no longer valid, search for it at https://search.maven.org/artifact/xerces/xercesImpl/2.8.0/jar and download it from the result page.
  4. Start your Fisheye/Crucible server.
  5. You may have to change the Login Binding from REDIRECT to POST: choose your Identity Provider (IdP) settings, scroll down to 'Basic IdP Settings', and change 'Login Binding' from 'REDIRECT' to 'POST'. Save your changes!
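
The jar swap in steps 2 and 3, as an added example script (not part of the original page or the app's own tooling): it verifies the downloaded jar against a SHA-256 value you supply before touching the installation, keeps the old jar for rollback, and checks that exactly one xercesImpl jar remains in lib. The function name `swap_xerces` and its backup-folder and checksum arguments are assumptions of this example; the expected checksum must come from a source you trust.

```shell
#!/bin/sh
# Added example. Run only while Fisheye/Crucible is shut down (step 1).
# Usage: swap_xerces LIB_DIR DOWNLOADED_JAR BACKUP_DIR EXPECTED_SHA256
swap_xerces() {
    lib_dir="$1"; new_jar="$2"; backup_dir="$3"; expected="$4"
    old_jar="$lib_dir/xercesImpl-2.7.1.jar"
    target="$lib_dir/xercesImpl-2.8.0.jar"

    [ -d "$lib_dir" ] || { echo "lib folder not found: $lib_dir" >&2; return 1; }
    [ -f "$new_jar" ] || { echo "downloaded jar not found: $new_jar" >&2; return 1; }

    # Verify the download before changing anything in the installation.
    actual=$(sha256sum "$new_jar" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $new_jar, installation left untouched" >&2
        return 2
    fi

    # Step 2: move the bundled jar out of lib, keeping it for rollback.
    if [ -f "$old_jar" ]; then
        mkdir -p "$backup_dir" || return 1
        mv "$old_jar" "$backup_dir/" || return 1
    fi

    # Step 3: place the verified jar in lib.
    cp "$new_jar" "$target" || return 1

    # Two Xerces versions in lib would leave it unclear which one is loaded,
    # so require that exactly one xercesImpl jar remains.
    count=$(find "$lib_dir" -maxdepth 1 -name 'xercesImpl-*.jar' | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "expected 1 xercesImpl jar in $lib_dir, found $count" >&2
        return 3
    fi
    return 0
}

# Run the swap when the script is called with all four arguments.
if [ "$#" -eq 4 ]; then
    swap_xerces "$@"
fi
```

To roll back, stop the server, delete xercesImpl-2.8.0.jar from lib and move the backed-up xercesImpl-2.7.1.jar into place again.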

Background info

Fisheye/Crucible comes bundled with version 2.7.1 of Xerces, which has a bug that takes effect when the signature of the SAML response is evaluated. This bug was fixed in Xerces 2.8.0. Until Fisheye/Crucible ships with an updated version of Xerces, this workaround needs to be applied.

If you want to be notified of news about this Fisheye/Crucible bug, please vote for or watch this issue: https://jira.atlassian.com/browse/FE-7120