SAML Single Sign-OnSAML Single Sign-On
Try For Free

Alternate AssertionConsumerServiceURL in SAML-Request

Starting with version 2.2.0, the AssertionConsumerServiceUrl in the SAML request can be derived from the URL the initial request was made to. This allows the use of SSO in systems which are accessed through different base URLs.

Please be aware of these limitations:

  • The Atlassian Server or Data Center applications should always accessed using the configured base URL. Even if this is working in most cases, it is not supported (see https://confluence.atlassian.com/adminjiraserver/configuring-the-base-url-938847830.html or https://confluence.atlassian.com/doc/configuring-the-server-base-url-148592.html)

  • In Atlassian Data Center environments, only the configured base URL will work

  • The alternate URLs are not included in the Metadata, so they need to be added to the IdP manually

    • Please verify that your IdP supports this configuration. You may have to add the second SSO URLs to the Service Provider Setting on your IdP. Depending on your IdP the step is sometimes called “add multiple requestable SSO URLs” or “Allow this app to request other SSO URLs”, “multiple Reply-Urls”.

  • Since the URL is derived from the host header, this may allow for a host header injection. Please see https://wiki.resolution.de/x/b4VMC

  • There will also be potential Issues with URLs in E-Mail notifications for example.

  • Also note that you may have to do other re-writes on your reverse proxy to make other Confluence / Jira functions work, that have nothing to do with our SAML Single Sign On Plugin as such. Unfortunately, we don’t know of a good guide that lists all of those

To enable a Confluence or Jira running under two (or more) different URLs at the same time you have to enable Use Base URL from Request in the Request Settings section on the Identity Providers settings tab:
image2023-9-11_21-7-22.png

Example with Jira Server or Data Center:

A Jira instance with the base URL https://jira.internal.example.com is also available at https://jira.external.example.com. A SAML-Request usually looks like this:

  1. <?xml version="1.0" encoding="UTF-8"?>
  2. <saml2p:AuthnRequest
  3. xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://jira.internal.example.com/plugins/servlet/samlsso" Destination="https://someidp.example.com" ID="_b655e6b787907cb93fb98344e0560c3f" IssueInstant="2018-05-07T08:45:24.563Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  4. [...]
  5. </saml2p:AuthnRequest>

If you enable Use Base URL from Request and access the system via https://jira.external.example.com, it will look like this:

  1. <?xml version="1.0" encoding="UTF-8"?>
  2. <saml2p:AuthnRequest
  3. xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://jira.external.example.com/plugins/servlet/samlsso" Destination="https://someidp.example.com" ID="_b655e6b787907cb93fb98344e0560c3f" IssueInstant="2018-05-07T08:45:24.563Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  4. [...]
  5. </saml2p:AuthnRequest>



This site uses cookies to deliver its service & to analyse traffic. By browsing this site, you accept the privacy policy.

Our Wiki uses cookies

We want to give you the best possible experience on our website. For this we use technically required cookies and, if you agree, cookies for analysis and marketing purposes. You can find more information about the cookies in our Privacy Policy. By tapping ‘Accept All,’ you consent to the use of these methods by us and third parties.

Necessary
Always Active
Analytics
Advertisement
Other