2024年7月
1 Technical Programs
1.1 Plugin Overview
Single Sign On (SSO), is through the user's one-time authentication login. When a user logs in once on the authentication server, he or she can gain access to other associated systems and applications in the single sign on system, at the same time, this realization does not require the administrator to modify the user's login status or other information, which means that in multiple applications, the user only needs to log in once to access all the mutually trusted application systems.
The SSO plugin is the program that introduces SSO authentication forensics and ultimately login in Atlassian Jira, Atlassian Confluence and Atlassian Bitbucket systems.
1.2 Support Protocols
The current SSO plugin supports the standard Oauth2 (authorization code) and Okta authentication protocols
2 Operating Instructions
2.1 Operating Environment
SSO-Jira-plugin is available for Jira (V9.0.0) and below, Jira (V7.13.0) and above.
SSO-Confluence-plugin for Confluence(V7.19.1) and below, Confluence (V7.14.0) or above.
SSO-Bitbucket-plugin for Bitbucket (V6.0.0) and below, Bitbucket (V5.0.0) or above.
2.2 Into Plugin Installation Page
2.2.1 Jira to Plugin Installation Page
Click the button in the upper right corner of the main interface of the system to pop up the menu as shown in 2.2.1.1.
2.2.1.1 System Management Menu
Click "Manage Applications" to enter the application management page as shown in 2.2.1.2, and a second password confirmation will pop up. Please enter the password of the currently logged-in jira account to proceed to the next step.
2.2.1.2 Management Application Page
Click "Manage Applications" in the left menu bar to enter the plug-in installation step.
2.2.2 Confluence to Plugin Installation Page
Click the button in the upper right corner of the main interface of the system to pop up the menu as shown in 2.2.2.1.
2.2.2.1 System Management Menu
Click "Manage Applications" to enter the application management page as shown in 2.2.2.2, and a second password confirmation will pop up. Please enter the password of the currently logged-in confluence account to proceed to the next step.
2.2.2.2 Management Application Page
2.2.3 Bitbucket to Plugin Installation Page
Click the button in the upper right corner of the main interface of the system to pop up the menu as shown in 2.2.3.1.
2.2.3.1 Bitbucket System Management Menu
Click the “Manage apps” button in the “Add-ons” section of the system management page to proceed to the plug-in installation procedure.
2.3 Plugin Installation
2.3.1 System Plugin Management Page
Click the "upload app" button to bring up the plugin upload popup notification as shown in figure 2.3.2.
2.3.3 Plugin upload popup notification
Click the "Select File" button in the popup notification and select the plugin file package to be installed, as shown in Figure 2.3.3.
2.3.3 Select the plugin installation package
Select the plug-in installation package and click the "Open" button in the popup notification in Figure 2.3.3.
2.3.4 Selection of plugin installation package succeeded
Click the "Upload" button to upload the plugin and wait for the installation to be successful.
图2.3.5-6 Wait for plugin installation
图2.3.7 Plugin installed successfully
2.4 Into Plugin Configuration Page
2.4.1 Jira to Plugin Configuration Page
Click the button in the upper right corner of the main interface of the system to pop up the menu as shown in 2.4.1.1.
2.4.1.1 System Management Menu
Click "Manage Applications" to enter the application management page as shown in 2.4.1.2, and a second password confirmation will pop up. Please enter the password of the currently logged-in jira account to proceed to the next step.
2.4.1.2 Management Application Page
Click the “SSO Configure” button in the “URANUS SSO” section on the left to enter the plugin configuration steps.
2.4.2 Confluence to Plugin Configuration Page
Click the button in the upper right corner of the main interface of the system to pop up the menu as shown in 2.4.2.1.
2.4.2.1 System Management Menu
Click "Manage Applications" to enter the application management page as shown in 2.4.2.2, and a second password confirmation will pop up. Please enter the password of the currently logged-in confluence account to proceed to the next step.
2.4.2.2 Management Application Page
Click the “SSO Configure” button in the “URANUS SSO” section on the left to enter the plugin configuration steps.
2.4.3 Bitbucket to Plugin Configuration Page
Click the button in the upper right corner of the main interface of the system to enter the system management page as shown in 2.4.3.1. and a second password confirmation will pop up. Please enter the password of the currently logged-in bitbucket account to proceed to the next step.
2.4.3.1 bitbucket System Management Page
Click the “SSO Configure” button in the “URANUS SSO” section to enter the plugin configuration steps.
2.4.4 Saml Config with Jira Plugin
Select ssoType, click on select saml, and then save.
The following are the configuration options and corresponding attribute introductions for Saml.
SpEntityId: SP service, which is the entity ID of the current Jira application. Configure links such as:
${baseUrl}/plugins/servlet/igsl/redirect/sso/samlLogin
spAcsUrl: After logging in to the IDM service, this interface will be called for authentication and automatic login. Configure links such as: ${baseUrl}/plugins/servlet/igsl/redirect/sso/samlAcs
spLogoutUrl: SP logout address, which will call IDP logout and then exit the Jira system. Configure links such as: ${baseUrl}/plugins/servlet/igsl/redirect/sso/samlLogout
spX509Cert: SP service refers to the certificate of the server where Jira is currently located.
spPrivateKey: SP service refers to the private key of the certificate of the server where Jira is currently located.
Command to generate certificate and private key:
keytool -genkeypair -alias mykey -keyalg RSA -keystore keystore.jks
keytool -export -alias mykey -keystore keystore.jks -file mycertificate.cer
openssl x509 -in mycertificate.cer -out mycrt.crt
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype JKS -deststoretype PKCS12
openssl pkcs12 -in keystore.p12 -nocerts -out private_key.pem -nodes
IdpEntityId: idp service entityId, this in metadata.xml. We will introduce it later in Keycloak.
IdpSsoUrl: idp service ssoUrl, this in metadata.xml. We will introduce it later in Keycloak.
IdpLogoutUrl: idp service logoutUrl, this in metadata.xml. We will introduce it later in Keycloak.
IdpX509Cert: idp service cert, this in metadata.xml. We will introduce it later in Keycloak.
SecuritySignatureAlgorithm: Algorithm that the toolkit will use on signing process. Options:
http://www.w3.org/2000/09/xmldsig#rsa-sha1
http://www.w3.org/2000/09/xmldsig#dsa-sha1
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
Allow user creation: enable or disable create user.
Is Plugin enabled: enable or disable plugin.
Username Attribute: get saml usernamekey attribute. The bound is Jira's username.
FullName Attribute: get saml fullname attribute. The bound is Jira's fullname.
Email Attribute: get saml fullname attribute. The bound is Jira's email.
Keycloak config:
ADFD config:
copy to adfs
copy to adfs
get idp xml
${baseUrl}/federationmetadata/2007-06/federationmetadata.xml
like this
2.5 Plugin Configuration
2.5.1 SSO Configuration Interface
2.5.1 Configuration Interface Parameter Description
(1)Authentication method
Select the authentication protocol accepted by the SSO center.
(2)client_id
Fill in the client_id for verification and authentication provided by the SSO center.
(3)client_secret
Fill in the client_secret provided by the SSO center for verification and authentication.
(4)Unified Authentication Center URL
Fill in the access URL of the SSO authentication center here.
(5)User role acquisition URL
Fill in the API interface to get the user role here, do not combine with (4) splicing, need to provide the full URL.
(6)Authorization Code URL
Fill in the URL used by SSO center to log in and get the code, and combine it with (4), need to provide the name of client_id.
(7)GetToken URL
Fill in the SSO center verification code, and provide the API interface of token after authentication according to the code, client_id and client_secret, and combine it with (4).
(8)User information acquisition URL
Fill in the API interface that provides user information after the SSO center authenticates the token, and combine it with (4).
(9)Logout URL of unified authentication platform
Fill in the API interface of SSO center for logging off the user's login status, and combine it with (4).
(10)
System identification code Fill in the system identification code of SSO center here, and the system identification code previously specified is Jira.
(11)Resignation interface parameters
Select the resignation interface parameter as the parameter, and use the default username.
(12)Username parameter
Select which parameter to get username data to configure when getting user information, the default is username.
(13)displayName parameter
Select which parameter to get displayName data to configure when getting user information, the default is name.
(14)emailAddress parameter
Select which parameter to get email data to configure when getting user information, the default is email.
(15)Whether to open the resignation interface
Select whether to enable the resignation function.
(16)Whether users are allowed to be created
Select whether to enable the function of creating a new user by using the parameters in (12), (13) and (14) when the user does not exist during SSO login.
(17)Whether to turn on login interception
Select here whether to enable SSO login function.
2.6 Skip SSO Login Authenticate URL
Note: URLs that skip SSO login authentication here will use the atlassian product's own account password to login.
2.6.1 Jira
http(s)://<domain>/login.jsp?noJiraUser=true
2.6.2 Confluence
http(s)://<domain>/login.action?noConfluenceUser=true
2.6.3 Bitbucket
http(s)://<domain>/login?noBitBucketUser=true
2.7 User Resignation Interface
2.7.1 Interface Description
Chart1 Description of the user separation interface
Interface Info | ||
API | /plugins/servlet/igsl/operation/sso/userResign | |
FULL_URL(e.g.) | http://localhost:2990/jira/plugins/servlet/igsl/operation/sso/userResign | |
Content-Type | application/x-www-form-urlencoded | |
HTTP Method | POST | |
Request Parameters | ||
Parameter | Compulsory | Instruction |
username | Yes | username resigned employee number username |
Return Value | ||
code | 0 | Succeed |
101001 | Authorization Code Verification Failure | |
100001 | System Error | |
100002 | System Not Yet Initialized | |
100003 | Function Not Enabled | |
100005 | Abnormal Data or Data Does Not Exist. | |
msg | Operation Tip Messages |
2.7.2 Return Value Example
{
"msg":"用户\"asd123ax\"离职操作成功。",
"code":0
}