Admin password prompt (WebSudo)
Starting with version 3.6.0, the SAML Single Sign-On app can delegate the WebSudo authentication to the SAML IdP.
Since version 6.6.0 we also support WebSudo authentication for OpenID Connect configurations.
Limitations
- WebSudo with SSO does not work with transient NameIDs.
  This is because the SAML NameID from the additional authentication must be the same as the one from the initial login.
- WebSudo with SSO does not work with the Set RememberMe Cookie option enabled, so please disable it as pictured below.
  Once the remember me cookie is used to establish a user session again, it is no longer a SAML session.
  The only workaround, for now, is to log out and log in with SAML SSO again, should you not see the blue reauthenticate button.
Configuration
Step 1
This is disabled by default. To enable it, click the checkbox Enable additional authentication in the SAML SSO app's IdP configuration.
If the current admin user is logged in using SAML and this setting is enabled for the IdP the user has authenticated with, the WebSudo page shows a Re-Authenticate button.
Clicking this button will open a new browser window with the IdP's authentication page where the user needs to authenticate again.
The SAML authentication request for this authentication is sent with the flag ForceAuthn="true". This tells the IdP not to rely on an active session but to request credentials.
After successful authentication, starting the WebSudo session must be confirmed before the window is closed automatically:
Version 6.6.0 added a new option for WebSudo: Force Authentication can now be deactivated. If you disable the option Request new authentication from IdP for additional authentication, the SAMLRequest for additional authentication is sent without the ForceAuthn flag. We recommend enabling the option. It signals the IdP to explicitly request a new authentication and not to reuse an existing session.
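To check this behaviour from the outside, the following added example (not code from the app or its vendor) decodes a captured SAMLRequest and tests for ForceAuthn, then compares the NameID of the initial login with the one from re-authentication, as the limitation above requires. It assumes the HTTP-Redirect binding and responses that were already decoded and signature-verified elsewhere; idp.example.com, the function names and all sample values are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def decode_redirect_request(url):
    """Decode the SAMLRequest parameter of an HTTP-Redirect binding URL."""
    b64 = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    xml = zlib.decompress(base64.b64decode(b64), -15)  # raw DEFLATE, no zlib header
    return ET.fromstring(xml)

def forces_reauth(authn_request):
    """True only if the request carries ForceAuthn="true" (xs:boolean also allows "1")."""
    return authn_request.get("ForceAuthn", "false") in ("true", "1")

def nameid_problems(login_response, reauth_response):
    """List reasons why re-authentication cannot be tied to the initial login."""
    problems = []
    first = login_response.find(".//saml:Subject/saml:NameID", NS)
    second = reauth_response.find(".//saml:Subject/saml:NameID", NS)
    if TRANSIENT in (first.get("Format"), second.get("Format")):
        problems.append("transient NameID format")
    if first.text.strip() != second.text.strip():
        problems.append("NameID changed between login and re-authentication")
    return problems

# Constructed sample data: a minimal AuthnRequest URL and a minimal Response.
def sample_redirect_url(force):
    req = ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_a1" Version="2.0" '
           'IssueInstant="2024-01-01T00:00:00Z"%s/>'
           % (NS["samlp"], ' ForceAuthn="true"' if force else ""))
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = c.compress(req.encode()) + c.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode()})
    return "https://idp.example.com/sso?" + query

def sample_response(name_id, fmt):
    return ET.fromstring(
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s"><saml:Assertion><saml:Subject>'
        '<saml:NameID Format="%s">%s</saml:NameID></saml:Subject></saml:Assertion>'
        '</samlp:Response>' % (NS["samlp"], NS["saml"], fmt, name_id))

if __name__ == "__main__":
    print(forces_reauth(decode_redirect_request(sample_redirect_url(True))))
    print(nameid_problems(sample_response("_x1", TRANSIENT), sample_response("_x2", TRANSIENT)))
```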
Step 2
Please also enable the following, provided that you are using version 4.0.7 or later:
Navigate to the Advanced settings and enable the Set Samesite=None on the session cookie checkbox, save the settings and you're good to go.
If you are using an older version and can't or don't want to upgrade, please refer to the alternative options 2, 3, 4 or 5.