Versions Compared

Old Version 1

changes.mady.by.user Carmen Wu

Saved on

compared with

New Version Current

changes.mady.by.user Aliven

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

2024年7月

Table of Contents

1 Technical Programs

1.1 Plugin Overview

Single Sign On (SSO), is through the user's one-time authentication login. When a user logs in once on the authentication server, he or she can gain access to other associated systems and applications in the single sign on system, at the same time, this realization does not require the administrator to modify the user's login status or other information, which means that in multiple applications, the user only needs to log in once to access all the mutually trusted application systems.

The SSO plugin is the program that introduces SSO authentication forensics and ultimately login in Atlassian Jira, Atlassian Confluence and Atlassian Bitbucket systems.

1.2 Support Protocols

The current SSO plugin supports the standard Oauth2 (authorization code) and Okta authentication protocols

2 Operating Instructions

2.1 Operating Environment

SSO-Jira-plugin is available for Jira (V9.0.0) and below, Jira (V7.13.0) and above.

...

SSO-Bitbucket-plugin for Bitbucket (V6.0.0) and below, Bitbucket (V5.0.0) or above.

2.2 Into Plugin Installation Page

2.2.1 Jira to Plugin Installation Page

Click the button in the upper right corner of the main interface of the system to pop up the menu as shown in 2.2.1.1.

...

Click "Manage Applications" in the left menu bar to enter the plug-in installation step.

2.2.2 Confluence to Plugin Installation Page

Click the button in the upper right corner of the main interface of the system to pop up the menu as shown in 2.2.2.1.

...

2.2.2.2 Management Application Page

2.2.3 Bitbucket to Plugin Installation Page

Click the button in the upper right corner of the main interface of the system to pop up the menu as shown in 2.2.3.1.

...

Click the “Manage apps” button in the “Add-ons” section of the system management page to proceed to the plug-in installation procedure.

2.3 Plugin Installation

...

2.3.1 System Plugin Management Page

...

图2.3.7 Plugin installed successfully

2.4 Into Plugin Configuration Page

2.4.1 Jira to Plugin Configuration Page

Click the button in the upper right corner of the main interface of the system to pop up the menu as shown in 2.4.1.1.

...

Click the “SSO Configure” button in the “URANUS SSO” section on the left to enter the plugin configuration steps.

2.4.2 Confluence to Plugin Configuration Page

Click the button in the upper right corner of the main interface of the system to pop up the menu as shown in 2.4.2.1.

...

Click the “SSO Configure” button in the “URANUS SSO” section on the left to enter the plugin configuration steps.

2.4.3 Bitbucket to Plugin Configuration Page

Click the button in the upper right corner of the main interface of the system to enter the system management page as shown in 2.4.3.1. and a second password confirmation will pop up. Please enter the password of the currently logged-in bitbucket account to proceed to the next step.

...

Click the “SSO Configure” button in the “URANUS SSO” section to enter the plugin configuration steps.

2.5 Plugin Configuration

...

2.5.1

...

Okta or Auth2 Config with Atlassian Plugin

Note:This section is supported by Jira Confluence Bitbucket.

...

2.5.1 SSO Configuration Interface

...

(1)Authentication method

Select the authentication protocol accepted by the SSO center.

...

Select here whether to enable SSO login function.

2.5.2 Saml Config with Jira Plugin

Note: that the current Saml protocol only supports use in Jira

Select ssoType, click on select saml, and then save.

...

The following are the configuration options and corresponding attribute introductions for Saml.

...

SpEntityId: SP service, which is the entity ID of the current Jira application. Configure links such as:${baseUrl}/plugins/servlet/igsl/redirect/sso/samlLogin

spAcsUrl: After logging in to the IDM service, this interface will be called for authentication and automatic login. Configure links such as: ${baseUrl}/plugins/servlet/igsl/redirect/sso/samlAcs

spLogoutUrl: SP logout address, which will call IDP logout and then exit the Jira system. Configure links such as: ${baseUrl}/plugins/servlet/igsl/redirect/sso/samlLogout

spX509Cert: SP service refers to the certificate of the server where Jira is currently located.

spPrivateKey: SP service refers to the private key of the certificate of the server where Jira is currently located.

Command to generate certificate and private key:

keytool -genkeypair -alias mykey -keyalg RSA -keystore keystore.jks

keytool -export -alias mykey -keystore keystore.jks -file mycertificate.cer

openssl x509 -in mycertificate.cer -out mycrt.crt

keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype JKS -deststoretype PKCS12

openssl pkcs12 -in keystore.p12 -nocerts -out private_key.pem -nodes

IdpEntityId: idp service entityId, this in metadata.xml. We will introduce it later in Keycloak.

IdpSsoUrl: idp service ssoUrl, this in metadata.xml. We will introduce it later in Keycloak.

IdpLogoutUrl: idp service logoutUrl, this in metadata.xml. We will introduce it later in Keycloak.

IdpX509Cert: idp service cert, this in metadata.xml. We will introduce it later in Keycloak.

...

SecuritySignatureAlgorithm: Algorithm that the toolkit will use on signing process. Options:

http://www.w3.org/2000/09/xmldsig#rsa-sha1
http://www.w3.org/2000/09/xmldsig#dsa-sha1
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
http://www.w3.org/2001/04/xmldsig-more#rsa-sha512

Allow user creation: enable or disable create user.

Is Plugin enabled: enable or disable plugin.

Username Attribute: get saml usernamekey attribute. The bound is Jira's username.

FullName Attribute: get saml fullname attribute. The bound is Jira's fullname.

Email Attribute: get saml fullname attribute. The bound is Jira's email.

Keycloak Config

...

ADFS Config

...

copy to adfs

...

copy to adfs

...

image-20241010-040907.pngImage Added

image-20241010-040936.pngImage Addedimage-20241010-041003.pngImage Addedimage-20241010-041024.pngImage Addedimage-20241010-041045.pngImage Added

get idp xml

${baseUrl}/federationmetadata/2007-06/federationmetadata.xml

...

like this

...

2.6 Skip SSO Login Authenticate URL

Note: URLs that skip SSO login authentication here will use the atlassian product's own account password to login.

2.6.1 Jira

http(s)://<domain>/login.jsp?noJiraUser=true

2.6.2 Confluence

http(s)://<domain>/login.action?noConfluenceUser=true

2.6.3 Bitbucket

http(s)://<domain>/login?noBitBucketUser=true

2.7 User Resignation Interface

2.7.1 Interface Description

Chart1 Description of the user separation interface

Interface Info

API

/plugins/servlet/igsl/operation/sso/userResign

FULL_URL(e.g.)

http://localhost:2990/jira/plugins/servlet/igsl/operation/sso/userResign

Content-Type

application/x-www-form-urlencoded

HTTP Method

POST

Request Parameters

Parameter

Compulsory

Instruction

username

Yes

username resigned employee number username

Return Value

code

0

Succeed

101001

Authorization Code Verification Failure

100001

System Error

100002

System Not Yet Initialized

100003

Function Not Enabled

100005

Abnormal Data or Data Does Not Exist.

msg

Operation Tip Messages

2.7.2 Return Value Example

{

"msg":"用户\"asd123ax\"离职操作成功。",

...