Dear community,
We recently migrated from Jira Server to Jira Cloud. Our Jira Server was integrated into our Active Directory with a third party app. There was not only Single Sign On (SSO), but also a real Pass Through Authentication - by opening the browser, users were logged in with the Windows credentials.
How do I implement that with Jira/Confluence in the Cloud, Atlassian Access and Azure AD? Do I need to configure something in the browser to pass on the credentials? Is there a config in Azure AD needed or some setting in Atlassian Access?
Any help is very much appreciated.
Chris
Integrated Windows Authentication, i.e. password-less authentication to Azure AD, is something to be configured on the Azure AD side: once Cloud redirects you to Azure AD, you will be authenticated with IWA (using Kerberos or NTLM) and redirected back.
Upon successful authentication it does generate Azure cookies, to avoid re-authenticating too frequently. The IdP-side session policy affects these cookies.
However, Cloud does the redirect to the IdP only once it realises that you are a user from a domain that is managed by an organisation, and that your user falls under the SSO-enabled policy of that organisation. This is why it asks you for the email address (i.e. username); until you do this, nothing will be triggered. In short, it will never behave as Server used to do with an SSO app.
Upon redirect, Atlassian generates its own cookies for its session; these control how often the redirect to Atlassian's login page will be performed (to ask for the email again). That's a setting in Atlassian Access (see https://support.atlassian.com/security-and-access-policies/docs/update-idle-session-duration/)
Having said all this – you should REALLY check this with your security team and/or in your IT Security Policy. The length of the session must be mentioned somewhere. I can bet "never expire" is not an option any security team would ever allow.
Hi @Ed Letifov _TechTime - New Zealand_ ,
thank you for that explanation.
In the past, I was involved in a project where the browser (-> Chrome/Edge) provided the username of the Windows logged-in user to the website. The website then addressed the IdP and the login process was done automatically, I suppose according to your description.
I am not a browser or authentication expert. Is there a way that the browser can automatically provide the "identity" of the logged in user to Jira Cloud?
Today, every morning when I go to our Jira Cloud site, I only have to click on the "Microsoft" button, then I have to click on my email address (-> Azure AD) and then I am logged in.
Within Atlassian Access, the session timeout is set to 8h.
There must be some cookies around, as this works on any computer, not just my business laptop.
Chris
I represent TechTime, a vendor of the EasySSO app, performing SSO using IWA for Server and Data Center Atlassian applications.
Is there a way that the browser can automatically provide the "identity" of the logged in user to Jira Cloud?
Short answer: no.
Long answer: the browser NEVER provides the username. On access to the service (e.g. Jira), the service challenges the browser to provide authentication, using either the NTLM or the SPNEGO protocol (which usually results in Kerberos being negotiated). In both cases what the browser sends is an encrypted token that does not contain the identity; it is then passed to the Domain Controller, and that yields the username.
Cloud, being a SaaS platform shared between all of us, can't possibly talk to your, my or everyone's domain controllers, so neither NTLM nor Kerberos will ever be implemented.
Today, every morning I go to our Jira Cloud site, I only have to click on the "Microsoft"-button, then I have to click on my email address (-> Azure AD) and then I am logged in.
So, this is even "worse": this is a completely different SSO flow, as this "Microsoft" button doesn't use Atlassian Access at all. This is a "web SSO" where the identity provider can be Microsoft, Apple, Facebook, Twitter... Here the Identity Provider ALWAYS sends back your email to the Service Provider (Cloud). Atlassian just happens to use the email as the username, so it works.
I mean, in the end users don't care, but none of the settings you apply to the "Atlassian Cloud" enterprise application in Azure AD that is associated with Atlassian Access SSO will influence this particular "web SSO" flow.
True SAML SSO with Azure AD via Atlassian Access will be invoked (assuming you've claimed your domain and configured everything correctly) if, instead of clicking the button and then typing the email into the Azure AD login screen, you type your email into the Atlassian login screen first. This is the moment it realises you belong to the organisation that claimed this email domain, and if you fall under the SSO policy, it redirects you to Azure AD.
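The two replies above describe the IWA challenge/response exchange in prose (the service answers with a 401 and a `WWW-Authenticate: Negotiate` or `NTLM` header, the browser replies with a base64 token in `Authorization`). The following Python script is an added example, not code from the original thread or from any of the vendors mentioned; it shows how a service, reverse proxy or IDS can tell from that token which mechanism the browser actually negotiated, and what is readable in it. The inputs are constructed inline (an NTLM AUTHENTICATE_MESSAGE with a dummy NT response, and a bare SPNEGO token prefix with no ticket), not captured traffic. One caveat a practitioner should know, whatever the mechanism: an NTLM type 3 message does carry the domain, user and workstation names as cleartext fields per MS-NLMP (the proof of possession is the NT response, a keyed hash, never the password), whereas in a Kerberos AP-REQ the client principal sits inside the encrypted ticket and authenticator and is not visible on the wire.

```python
import base64
import struct

# Signature that opens every NTLMSSP message (MS-NLMP section 2.2.1).
NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_NTLM = 0x00000200


def _field(length, offset):
    """Security-buffer descriptor: Len, MaxLen, BufferOffset (little-endian)."""
    return struct.pack("<HHI", length, length, offset)


def build_ntlm_authenticate(domain, user, workstation, nt_response=b"\x00" * 24):
    """Build a constructed NTLM AUTHENTICATE_MESSAGE (MessageType 3) with a
    dummy NT response. Sample input only; it would never pass a real DC."""
    blobs = [
        b"\x00" * 24,                      # LmChallengeResponse (dummy)
        nt_response,                       # NtChallengeResponse (dummy)
        domain.encode("utf-16-le"),        # DomainName
        user.encode("utf-16-le"),          # UserName
        workstation.encode("utf-16-le"),   # Workstation
        b"",                               # EncryptedRandomSessionKey (absent)
    ]
    header_len = 64                        # fixed part without Version/MIC
    fields, payload, offset = [], b"", header_len
    for blob in blobs:
        fields.append(_field(len(blob), offset))
        payload += blob
        offset += len(blob)
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM
    header = (NTLM_SIGNATURE + struct.pack("<I", 3)
              + b"".join(fields) + struct.pack("<I", flags))
    return header + payload


def parse_ntlm_authenticate(msg):
    """Return the cleartext fields of an NTLM type 3 message."""
    if not msg.startswith(NTLM_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != 3:
        return {"message_type": msg_type}
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"

    def read(field_offset):
        length, _max, off = struct.unpack_from("<HHI", msg, field_offset)
        return msg[off:off + length]

    return {
        "message_type": 3,
        "domain": read(28).decode(enc),
        "user": read(36).decode(enc),
        "workstation": read(44).decode(enc),
        "nt_response_len": len(read(20)),
    }


def inspect_authorization(header_value):
    """Classify the token a browser sent in an IWA Authorization header and
    report whatever identity is readable in the clear."""
    scheme, _, token_b64 = header_value.strip().partition(" ")
    token = base64.b64decode(token_b64)
    # NTLM may arrive raw ("NTLM ...") or wrapped in SPNEGO ("Negotiate ...").
    pos = token.find(NTLM_SIGNATURE)
    if pos != -1:
        info = parse_ntlm_authenticate(token[pos:])
        info.update(scheme=scheme, mechanism="NTLM", wrapped_in_spnego=pos > 0)
        return info
    if token[:1] == b"\x60":
        # [APPLICATION 0] tag of a GSS-API InitialContextToken: SPNEGO
        # negTokenInit or a bare Kerberos AP-REQ. The client principal is
        # inside the encrypted ticket/authenticator, so no user is visible.
        return {"scheme": scheme, "mechanism": "Kerberos/SPNEGO", "user": None}
    return {"scheme": scheme, "mechanism": "unknown", "user": None}


# Constructed sample headers (not captured traffic).
SAMPLE_NTLM_HEADER = "NTLM " + base64.b64encode(
    build_ntlm_authenticate("CORP", "chris", "WS-CHRIS")).decode()
# Token prefix only: tag 0x60, then the SPNEGO OID 1.3.6.1.5.5.2; no ticket.
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02").decode()

if __name__ == "__main__":
    for h in (SAMPLE_NTLM_HEADER, SAMPLE_SPNEGO_HEADER):
        print(inspect_authorization(h))
```

A quick visual rule that follows from the same bytes: an `Authorization` token whose base64 starts with `TlRMTVNT` is NTLM (`NTLMSSP`), one starting with `YII` is a SPNEGO/Kerberos context token. Seeing the former on an internal service usually means Kerberos negotiation fell back, for example because the SPN is missing or the host was addressed by IP, which is worth alerting on.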
Hi @Christian Schneider, when initiating the login through the IdP, I understand you shouldn't be prompted to log in again. Have you already set up Atlassian Access and SSO? If so, when initiating the login process from Azure, are you still being prompted to log in again?
There is a similar question where the Atlassian team chimed in with insights into this topic. Have a look at https://community.atlassian.com/t5/Atlassian-Access-questions/Seamless-sign-in-from-AzureAD-using-SAML-SSO/qaq-p/1727884 and see if it helps to shed some light on your current configuration.
Cheers,
IL.
Dear @Ivan Lima
thank you for your support. I thought about it over the weekend: when opening our cloud site in the morning, I have to enter my email address. After confirmation, I get logged in without providing the password. The Azure-connection seems to work as expected.
I remember a setting within the IdP config where you can define how long a session is valid. This is currently set to "8h after last activity". So, as long as I open the site before the 8h time out, and if the browser does not delete session cookies (?), Pass Through Authentication seems to work.
I am wondering if I can change the behavior so that the session never expires for our internal customer portal users, or better: that the session is renewed whenever they open the customer portal. The Edge browser should hand on the Windows credentials and log them in automatically.
Chris
Please note: logging into the site with different credentials than the Windows client is not possible. (Only in a private-mode browser window.)
Hi Chris,
We are using Jira Server and trying to integrate it into AD with real passthrough authentication. We're accessing it via ADFS but would like to know what 3rd-party app you guys used to enable real passthrough authentication. We need our users to open a browser and be automatically signed in with their AD credentials w/o being challenged.
Thanks.
For "real passthrough authentication", i.e. "Integrated Windows Authentication", you need one of the apps that supports Kerberos and NTLM.
Take a look at our EasySSO for Jira.
Your main challenge will be to evaluate it on Server (as Atlassian doesn't let one generate any new Server licenses, including evaluations). Please reach out to our 24x7 support to discuss.
Hi @Vitaly P ,
On Server, we had used this app: SAML Single Sign On (Jira SSO) Jira SAML SSO OIDC+ User Sync | Atlassian Marketplace.
It worked perfectly fine and the configuration options are very extensive.
I inherited the app from my predecessor and I never fully understood it. :-)
In your case, I would not invest much time in Jira Server. You either have to migrate to Jira Cloud or to Jira Data Center. A word of warning: Jira Cloud offers some cool new features, but it misses a lot of features that are very basic in Jira Server. The migration process is very, very, very painful. (If you only have a couple of projects and not extensive scripting, you will be fine. If you use Jira Insight with some import jobs, Scriptrunner or JMWE, complex workflows, this is, where it gets ugly.)
Hi @Christian Schneider ,
We use Data Center (Academic) edition. I will take a look. I was also advised to try miniOrange.
Thanks.