We've noticed that if we log in using SSO with a Jira/ Confluence administrator user and navigate to an administration page,
we are prompted to re-enter the user password. Why does the SAML Single Sign On app not perform the authentication process ?


The Atlassian component responsible for that (WebSudo) does not use the SAML SSO app for authentication.
You essentially have two options:

  1. Login/ Create an administrator account with a Jira/ Confluence password and use this to access the administration sections
    1. in order to login locally that way, without SSO, click here to see how
  2. Disable WebSudo permanently: 

A little more background:

There isn’t a good way to implement SSO with WebSudo. Let's assume we could have WebSudo use Single Sign On.
What would happen then is:
  1. You login to Confluence/ Jira via SSO entering your username & password at the IdP (if you aren’t already authenticated)
  2. Once you want to become an admin, WebSudo would send you to the IdP for authentication again
  3. The IdP detects that you are authenticated already, sending you back to Jira/ Confluence WITHOUT asking for the password again ...
  4. ... sending you to the admin sections without having done anything really

Both from a usability & security perspective this is actually pretty much the same as having turned off the WebSudo password prompt.
To our knowledge there is no way to force the IdP to ask for the password again via the SAML protocol.
Since our plugin can’t know the password (which would defeat the whole SAML security purpose), we have no other option than sending the request to the IdP.