Use Fisheye/Crucible with POST binding
Update
Beginning with Fisheye/Crucible 4.8.6, there is no longer a need to update the xercesImpl library. You can seamlessly utilize the latest marketplace build of SAML Single Sign-On for Fisheye/Crucible without making any adjustments to your instance setup.
Setup for older Fisheye/Crucible instances (prior 4.8.6)
We recommend using REDIRECT binding in our Fisheye/Crucible app. If you cannot use REDIRECT binding with your Identity Provider follow these steps to make POST binding work in the Marketplace release of our Fisheye/Crucible app:
- Shut down your Fisheye/Crucible server.
- Go to the applications lib folder (e.g. /opt/atlassian/fecru/lib) and move xercesImpl-2.7.1.jar outside of this folder (e.g. to your home directory).
- Download xercesImpl-2.8.0.jar from Maven Central (xercesImpl-2.8.0.jar) and place it in the applications lib folder.
- if the above link to the jar is not valid anymore, please try searching it instead via here: https://search.maven.org/artifact/xerces/xercesImpl/2.8.0/jar and download it from the result page
- Start your Fisheye/Crucible server.
- It could be possible that you have to change the Login Binding* from REDIRECT to POST (Choose your Identity Provider (IdP) settings and scroll down to the ‘ Basic IdP Settings ’ > change the ‘ Login Binding *' from ‘*REDIRECT ’ to ‘ POST ’. Save your changes!)
Background info
Fisheye/Crucible comes with the bundled version 2.7.1 of Xerces that has a bug that takes effect during evaluating the signature of the SAML response. This bug was fixed in Xerces 2.8.0. Until Fisheye/Crucible it shipped with an updated version of Xerces this workaround needs to be applied.
If you want to be notified on news about this Fisheye/Crucible bug, please vote for or watch this issue: https://jira.atlassian.com/browse/FE-7120