We've noticed that if we log in using SSO with a Jira/Confluence administrator user and navigate to an administration page,
we are prompted to re-enter the user password. Why does the SAML Single Sign On app not perform the authentication process?
The Atlassian component responsible for that (WebSudo) does not use the SAML SSO app for authentication.
You essentially have two options:
- Log in with (or create) an administrator account that has a Jira/Confluence password and use this to access the administration sections
- Disable WebSudo permanently:
  - Jira: https://confluence.atlassian.com/adminjiraserver074/configuring-secure-administrator-sessions-881684205.html
  - Confluence: https://confluence.atlassian.com/doc/configuring-secure-administrator-sessions-218269595.html
A little more background. What would happen then is:
- You log in to Confluence/Jira via SSO, entering your username & password at the IdP (if you aren’t already authenticated)
- Once you want to become an admin, WebSudo would send you to the IdP for authentication again
- The IdP detects that you are authenticated already and sends you back to Jira/Confluence WITHOUT asking for the password again ...
- ... which sends you to the admin sections without really having done anything
Since our plugin can’t know the password (which would defeat the whole SAML security purpose), we have no option other than to send the request to the IdP.