Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

SSO with Crowd not working

Erkki_Aalto
Erkki_Aalto
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 26, 2014

We have (for time being experimental) Crowd and Confluence with SSO working (with Crowd Shibboleth authenticator). Now we are trying to add JIRA to the system. Authentication from Crowd with local username works in Jira, but SSO (that Shinboleth authentication needs) does not work in Jira. In debug log there is error message:   INVALID SSO TOKEN Token doesn't match the existing token

We have changed the authenticator in seraph-config.xml. Any ideas where to look for the difference between Confluence and Jira?

Answer
Watch
Like Be the first to like this
1105 views

4 answers

1 accepted

0 votes
Answer accepted
Erkki_Aalto
Erkki_Aalto
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 30, 2014

Found it. The test Confluence and test Crowd were using HTTP proxy, but the test JIRA was using AJP proxy.

Therefore there was a difference in remote addresses and the SSO cookies were invalid.

Reply
1 vote
Justin Justin7
Justin Justin
Contributor
November 28, 2014

I do not have the answer to your Shibboleth question, but since you say it is experimental, here's a possible alternative solution to your SSO needs. http://www.appfusions.com/display/KBRSCJ/Home 

Reply
0 votes
Erkki_Aalto
Erkki_Aalto
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 30, 2014

Here is a snip from Crowd logs: 2014-12-01 09:48:14,427 http-bio-8095-exec-20 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] Current Validation Factors: ValidationFactor[remote_address=128.214.229.20] 2014-12-01 09:48:14,427 http-bio-8095-exec-20 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] comparing existing token Token{identifierHash='7dWKwNE6vaxz1TWMxrARvg00', lastAccessedTime=1417419581224, createdDate=2014-12-01 09:22:18.785, duration=null, name='aalto@helsinki.fi', directoryId=32770} with a validation token Token{identifierHash='b8XOnwiNUA1MFFmkQq1hAg00', lastAccessedTime=1417420094427, createdDate=Mon Dec 01 09:48:14 EET 2014, duration=null, name='aalto@helsinki.fi', directoryId=32770} 2014-12-01 09:48:14,427 http-bio-8095-exec-20 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl$TokenValidationFailure] Existing token 'pfBVqHdoyBAfLBtMTn1u8g00' for user 'aalto@helsinki.fi' does not match new token 'FqtI1Ix4yCjdcQZGFQYW0g00' with validation factors 'ValidationFactor[remote_address=128.214.229.20]' 2014-12-01 09:48:14,427 http-bio-8095-exec-20 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] The token keys don't match 2014-12-01 09:48:14,428 http-bio-8095-exec-20 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Closing Hibernate Session in OpenSessionInViewFilter 2014-12-01 09:50:00,013 scheduler_Worker-0 DEBUG [atlassian.crowd.file.DaoRefresher] Refreshing refreshable DAOs

Reply
0 votes
Erkki_Aalto
Erkki_Aalto
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 30, 2014

I looked at the logs of the crowd server. It can be seen that first the Confluence tries to validate the session and succeeds. Then the Jira sends a similar request but gets a 400: 128.214.205.241 - - [01/Dec/2014:08:42:02 +0200] "POST /crowd/rest/usermanagement/1/session/BBJQUhcXUxFQW669iUsKug00 HTTP/1.1" 200 512 128.214.205.241 - - [01/Dec/2014:08:42:03 +0200] "GET /crowd/rest/usermanagement/1/session/BBJQUhcXUxFQW669iUsKug00?expand=user HTTP/1.1" 200 1027 128.214.214.218 - - [01/Dec/2014:08:42:16 +0200] "POST /crowd/rest/usermanagement/1/session/BBJQUhcXUxFQW669iUsKug00 HTTP/1.1" 400 162 128.214.214.218 - - [01/Dec/2014:08:42:16 +0200] "POST /crowd/rest/usermanagement/1/session/BBJQUhcXUxFQW669iUsKug00 HTTP/1.1" 400 162 128.214.214.218 - - [01/Dec/2014:08:42:16 +0200] "POST /crowd/rest/usermanagement/1/session/BBJQUhcXUxFQW669iUsKug00 HTTP/1.1" 400 162 Any ideas?

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.