  • Julie Gums

How to disable the standard login form in a Single Sign-On setup?

Updated: Aug 6


Question

How to disable the standard login form in a Single Sign-On setup?


3 options to disable the standard login form

Our plugin redirects unauthenticated users to the identity provider instead of showing the login page. You can still reach the traditional login page by adding ?nosso to the traditional login URL. This is often used to allow login with a local user (e.g., local admin accounts, a few third-party contractors).


If you want to disable that bypass, uncheck the parameter “enable nosso”. Note that this only removes the ?nosso login page: a local user could still authenticate by other means, for example via basic authentication on the REST API (http://sso.works/enablenossoblog).


If your goal is to disable traditional username/password authentication entirely, this is possible as well with the “Deny Password Authenticator”. This authenticator blocks all username/password authentication to your Atlassian Jira/Confluence/Bamboo/Bitbucket. You can exempt some people from that by putting them in the group “allow-password-login”.


?nosso

For bypassing Single Sign-On, use one of the following URLs:

  • Jira: https://<jira-baseurl>/login.jsp?nosso

  • Confluence: https://<confluence-baseurl>/login.action?nosso

  • Bitbucket: https://<bitbucket-baseurl>/login?nosso

  • Bamboo 5: https://<bamboo-baseurl>/userlogin!default.action?nosso

  • Bamboo 6 and later: https://<bamboo-baseurl>/userlogin!doDefault.action?nosso

  • Fisheye-Crucible: https://<fisheye-baseurl>/login?nosso

Enable nosso

By default, the username/password login page can be accessed by adding the parameter nosso to the appropriate login page URL:

  • Jira: https://<baseurl>/login.jsp?nosso

  • Confluence: https://<baseurl>/login.action?nosso

  • Bitbucket: https://<baseurl>/login?nosso

  • Bamboo 5: https://<baseurl>/userlogin!default.action?nosso

  • Bamboo 6: https://<baseurl>/userlogin!doDefault.action?nosso

This can be disabled in the redirection tab of the add-on's configuration.

The setting can also be changed through a REST endpoint, so that password login can be re-enabled if SSO fails for any reason:

  1. Check status
     Method: GET
     URL: https://<baseUrl>/rest/samlsso-admin/1.0/nosso
     cURL example: curl -u adminuser:password -X GET https://<baseUrl>/rest/samlsso-admin/1.0/nosso

  2. Enable password login
     Method: PUT
     URL: https://<baseUrl>/rest/samlsso-admin/1.0/nosso/on
     cURL example: curl -u adminuser:password -X PUT https://<baseUrl>/rest/samlsso-admin/1.0/nosso/on

  3. Disable password login
     Method: PUT
     URL: https://<baseUrl>/rest/samlsso-admin/1.0/nosso/off
     cURL example: curl -u adminuser:password -X PUT https://<baseUrl>/rest/samlsso-admin/1.0/nosso/off

Deny Password Authenticator

Bitbucket Server

In Bitbucket Server, just enable “deny password login” on the plugin configuration page. After that, only users with System Administrator privileges or members of a group named allow-password-login can authenticate with a password. You need to create that group if it does not exist yet.

Passwords will work again as soon as the SAML SSO app is disabled or uninstalled.


Jira, Confluence and Bamboo

In Jira, Confluence and Bamboo, password authentication can be blocked by installing a special authenticator in the system. Download the authenticator from http://builds.resolution.de/denypasswordauthenticator-2.0.0.jar

Copy denypasswordauthenticator-<version>.jar into the application's lib directory, e.g.

  • Jira: /opt/atlassian/jira/jira/WEB-INF/lib

  • Confluence: /opt/atlassian/confluence/confluence/WEB-INF/lib

  • Bamboo: /opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/lib

Please ensure that only one version of the file is in that directory.


Jira

Edit seraph-config.xml in the classes folder, e.g. /opt/atlassian/jira/atlassian-jira/WEB-INF/classes/seraph-config.xml

Comment out the existing authenticator definition and replace it with de.resolution.samlsso.authenticator.JiraDenyPasswordAuthenticator

<!-- <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/>  --> 
<authenticator class="de.resolution.samlsso.authenticator.JiraDenyPasswordAuthenticator" />

Important!

You can also block users with System Administrator privileges from logging in with local usernames/passwords. Be aware that you can lock yourself out of the system if this variant is used incorrectly: it prevents admin users from logging in if they are neither members of the allow-password-login group nor have any SSO credentials.

If password access for System Administrators is blocked, using Jira as a user directory for other applications such as Confluence will no longer work.

In that case, edit the seraph-config.xml file as follows:

<!-- <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/> -->
<authenticator class="de.resolution.samlsso.authenticator.JiraDenyPasswordForSysadminsAuthenticator" />

Confluence

Edit seraph-config.xml in the classes folder, e.g. /opt/atlassian/confluence/confluence/WEB-INF/classes/seraph-config.xml

Comment out the existing authenticator definition and replace it with de.resolution.samlsso.authenticator.ConfluenceDenyPasswordAuthenticator

<!-- <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>  -->
<authenticator class="de.resolution.samlsso.authenticator.ConfluenceDenyPasswordAuthenticator" />

If you install a custom authenticator in Confluence, some functionality that relies on password authentication is automatically disabled:

  • web sudo

  • captcha

  • password confirmation on email change

To override this behaviour, use the password.confirmation.disabled flag. Please refer to this ticket for more information.


Important!

You can also block users with System Administrator privileges from logging in with local usernames/passwords. Be aware that you can lock yourself out of the system if this variant is used incorrectly: it prevents admin users from logging in if they are neither members of the allow-password-login group nor have any SSO credentials.

In that case, edit the seraph-config.xml file as follows:

<!-- <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/> -->
<authenticator class="de.resolution.samlsso.authenticator.ConfluenceDenyPasswordForSysadminsAuthenticator" />

Bamboo

Edit seraph-config.xml in the classes folder, e.g. /opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/classes/seraph-config.xml

Comment out the existing authenticator definition and replace it with de.resolution.samlsso.authenticator.BambooDenyPasswordAuthenticator

<!-- <authenticator class="com.atlassian.bamboo.user.authentication.BambooAuthenticator"/>  -->
<authenticator class="de.resolution.samlsso.authenticator.BambooDenyPasswordAuthenticator" />

Important!

You can also block users with System Administrator privileges from logging in with local usernames/passwords. Be aware that you can lock yourself out of the system if this variant is used incorrectly: it prevents admin users from logging in if they are neither members of the allow-password-login group nor have any SSO credentials.

In that case, edit the seraph-config.xml file as follows:

<!-- <authenticator class="com.atlassian.bamboo.user.authentication.BambooAuthenticator"/> -->
<authenticator class="de.resolution.samlsso.authenticator.BambooDenyPasswordForSysadminsAuthenticator" />


Restart Jira, Confluence or Bamboo after changing the seraph configuration file.

After that, only users with System Administrator privileges or members of the group named allow-password-login can bypass SSO and use a local password for authentication. You need to create that group if it does not exist yet.
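As an added example (not part of the original article or of the vendor's plugin), the following Python script performs the seraph-config.xml edit described above for Jira, Confluence or Bamboo: it comments out the single active authenticator element and inserts the matching DenyPassword (or DenyPasswordForSysadmins) authenticator, and refuses to touch a file that does not contain exactly one active definition. The authenticator class names are those given on the page; the seraph-config.xml fragment used as input is constructed for the example.

```python
import re

# Authenticator class names as given on the page; the "ForSysadmins" variant
# also blocks System Administrators and is the one that can lock you out.
PRODUCT_PREFIX = {"jira": "Jira", "confluence": "Confluence", "bamboo": "Bamboo"}
AUTH_RE = re.compile(r'<authenticator\s+class="([^"]+)"\s*/>')
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)

# Constructed, trimmed seraph-config.xml fragment used as sample input.
SAMPLE_JIRA_CONFIG = """<security-config>
  <parameters>
    <init-param>
      <param-name>login.url</param-name>
      <param-value>/login.jsp?os_destination=${originalurl}</param-value>
    </init-param>
  </parameters>
  <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/>
</security-config>
"""

def deny_class(product: str, deny_sysadmins: bool = False) -> str:
    """Class name of the deny-password authenticator for a product."""
    variant = "ForSysadmins" if deny_sysadmins else ""
    prefix = PRODUCT_PREFIX[product.lower()]
    return f"de.resolution.samlsso.authenticator.{prefix}DenyPassword{variant}Authenticator"

def active_authenticators(xml_text: str) -> list:
    """Authenticator classes that are not commented out."""
    return AUTH_RE.findall(COMMENT_RE.sub("", xml_text))

def deny_password_config(xml_text: str, product: str, deny_sysadmins: bool = False) -> str:
    """Comment out the active authenticator and insert the deny-password one.
    Refuses files without exactly one active definition (two is broken, zero is the wrong file)."""
    active = active_authenticators(xml_text)
    if len(active) != 1:
        raise ValueError(f"expected exactly one active authenticator, found {active}")
    new_class = deny_class(product, deny_sysadmins)
    if active[0] == new_class:
        return xml_text  # already applied; keep the edit idempotent
    comments = [(m.start(), m.end()) for m in COMMENT_RE.finditer(xml_text)]
    for m in AUTH_RE.finditer(xml_text):
        if any(start <= m.start() < end for start, end in comments):
            continue  # skip definitions that are already commented out
        before = xml_text[xml_text.rfind("\n", 0, m.start()) + 1 : m.start()]
        indent = before if before.isspace() else ""  # keep the element's indentation
        replacement = f'<!-- {m.group(0)} -->\n{indent}<authenticator class="{new_class}" />'
        return xml_text[: m.start()] + replacement + xml_text[m.end():]
    raise AssertionError("active authenticator not found")  # unreachable after the check above
```

Run it over the real file, review the diff, and only then restart the application.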
