• Article
  • Jun.5.2018

What is the next trend in the evolution of password management?


This guest blog was written by Luciana Perondini, Chief Marketing Officer at resolution GmbH.

In the last couple of years, with the rise of smartphone and cloud technologies, computers and applications have ended up literally in everyone’s pocket. At the same time, companies started adopting multi-device access so that employees can log in to their accounts from anywhere: during business trips and even from home.

Enterprises using Atlassian applications like Jira and Confluence face three major challenges in managing credentials for accounts and instances, since they have to manage these accounts on top of their basic identity and access management. For IT administrators, this can become a nightmare in terms of IT support.

The three major password issues

More than ever, employees need a quick and secure way to access all their applications at work, including Jira, Confluence, Bamboo and Bitbucket. IT departments also have to manage the credentials for these Atlassian applications. Both the users and the administrators face three major issues:

  1. Re-login: Employees usually have to re-enter their passwords for Atlassian applications when reopening a session or restarting the computer, which consumes time and energy. Employees who want to access Atlassian applications from other devices also have to log in again.
  2. The security problem: Many employees want to use the same password for their work and personal accounts. Likewise, many users choose weak passwords so that they can remember them easily when accessing the applications. Both of these bad practices can pose a security threat.
  3. Overloaded IT departments: Once employees have to deal with several different credentials, they may forget them and need the IT support team to reset or resend their passwords.

In addition to these common issues, many enterprises use several Atlassian instances, so employees have to access different accounts for the same Atlassian application. Clearly, enterprises need a single login application to allow for efficient identity and access management.

The app that solves these problems is the SAML Single Sign On Plugin for Atlassian applications by resolution GmbH.

What is the SAML Single Sign On app?

The SAML Single Sign On app (or SAML SSO app) is an app for Jira Core, Jira Software, Jira Service Desk, Confluence, Bitbucket and Bamboo that delegates authentication to the SAML 2.0 identity provider (IdP) of your choice, whether Okta, OneLogin, G Suite/Google Apps, Salesforce, Microsoft AD FS, Azure AD, Shibboleth or Ping. The app also allows configuration of multiple identity providers.

The app is an easy and straightforward solution: SAML SSO handles the exchange between the Atlassian application and the identity provider, so that your employees don’t have to spend their time retyping passwords. In addition, the app allows IT administrators to manage employees’ Atlassian credentials directly from the identity provider’s interface, using only a name and an email address.

For each Atlassian application, it’s necessary to install the respective SAML SSO app, such as SAML SSO for Jira, SAML SSO for Confluence, SAML SSO for Bitbucket or SAML SSO for Bamboo. In addition, the app is only compatible with Atlassian Server applications (which allow you to configure your own domain) and Data Center.

Five advantages of using the SAML SSO app

Why should you use this app, even if you still have resources for identity and access management? There are five main advantages that will help increase your productivity:

  1. Save IT resources: IT administrators can save time on support requests related to the creation of multiple accounts for Atlassian applications, password changes and user provisioning.
  2. Save time: The SAML SSO app helps employees of all departments save time on logins and on password requests and updates, which affects the entire enterprise’s productivity. On average, one IT administrator spends 15 minutes on password management per employee. Imagine how much time an IT administrator can save in a company with 500 employees!
  3. Centralized identity & access management: Anyone who logs into their computer, whether in the office, remotely, on a laptop or on a mobile device, immediately has access to all their applications. No more manual logins, no more two-factor authentication codes sent to smartphones, and no more password resets. A single registry of user IDs with a centralized management interface allows quick and easy provisioning and deactivation of user accounts. With SAML SSO, users can be created and updated during login based on the data provided by the SAML identity provider. Centralized user management is possible without attaching Jira or Confluence to an LDAP or Crowd directory.
  4. Increased security: Authentication is delegated to the SAML identity provider, so advanced authentication methods on the IdP also apply to Jira and Confluence. For example, if an employee loses a laptop or cell phone with a password automatically stored on the device, the IT team can efficiently disable access to the user’s account.
  5. Provide one-time login with the right access: The SAML SSO app allows you to configure access based on employees’ role, department and seniority. This provides visibility and transparency for your team. It can prevent documents and applications designated solely for senior employees from being accessible to junior employees, while still giving junior employees the tools and information they need to perform their basic tasks.

How the SAML SSO app works

Since security and usability are important factors in adopting a new product, the functionality of the SAML SSO app is outlined here in nine easy steps.

Step 1: User tries to reach an Atlassian application

A user requests access to Jira, Confluence, Bitbucket or Bamboo login page.

Step 2: SAML SSO app generates SAML request

The app recognizes the user’s request and redirects the user to the single sign-on servlet (at https://<baseurl>/plugins/servlet/samlsso) to start the authentication process. Action for user: activate “Enable SSO Redirect” on the configuration page. Otherwise, the servlet at the URL above has to be called explicitly to perform SSO.

Step 3: SAML SSO app redirects browser with the SAML-Request to identity provider

The SAML SSO-Servlet creates a SAML-Request and redirects the browser to the identity provider.

Step 4: Identity provider parses SAML-Request, authenticates user

The identity provider decodes the SAML-Request and performs the user authentication.

How this is done depends on the identity provider configuration. It can be just username/password, NTLM or any other method of authentication.

Step 5: Identity provider generates SAML-Response containing user information

The identity provider creates a SAML-Response with user information.

Step 6: Identity provider redirects browser with SAML-Response to SAML SSO app

If the authentication succeeds, the identity provider returns an HTML form. This form contains the BASE64-encoded response from Step 5 and the SAML SSO-Servlet-URL (https://<baseurl>/plugins/servlet/samlsso) as its destination URL. It also contains a piece of JavaScript that makes the browser submit the form immediately (so the user usually will not see it).

Step 7: SAML SSO app verifies SAML-Response

The SAML SSO-Servlet receives the form data and decodes the response. The response from Step 6 contains a digital signature, which is validated against the certificate set in the app configuration. The user ID and other user information are extracted from the XML.

Step 8: SAML SSO app creates or updates the user if configured

If enabled, the user is created or updated using the data extracted from the response.

Step 9: User is logged into Atlassian application

The app tries to load the user from the Confluence/Jira user directory. If this is successful, a session is established (similar to what happens after the user has successfully entered their credentials into the login form) and the user is redirected to the originally requested URL.
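To make Step 7 concrete, here is an added Python example (not code from the SAML SSO app or from resolution GmbH) of the checks a service provider applies to the BASE64-encoded SAMLResponse posted in Step 6, after the XML signature has been validated against the configured certificate; signature verification itself needs an XML-DSig library and is not shown. The servlet URL, IdP entity ID and the sample response are constructed for illustration, and the block also demonstrates the rejection cases (expired assertion, wrong audience, unexpected InResponseTo) that the article's Step 7 does not spell out.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed deployment values for this example (not a real installation)
SP_SERVLET = "https://jira.example.com/plugins/servlet/samlsso"
SP_ENTITY_ID = "https://jira.example.com"


def parse_utc(stamp):
    """Parse a SAML xs:dateTime of the form 2018-06-05T10:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(saml_response_b64, expected_request_id, now):
    """Step 7 checks that follow signature validation (XML-DSig library, not shown):
    Destination, InResponseTo, status, validity window and audience. Returns the NameID."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.get("Destination") != SP_SERVLET:
        raise ValueError("Destination is not our servlet URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the request we issued")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if not (parse_utc(cond.get("NotBefore")) <= now < parse_utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audience = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different service provider")
    return root.find("saml:Assertion/saml:Subject/saml:NameID", NS).text


def sample_response(request_id, audience=SP_ENTITY_ID):
    """Constructed stand-in for the IdP's Step 5/6 SAMLResponse (Signature element omitted)."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" '
           f'Version="2.0" IssueInstant="2018-06-05T10:00:00Z" Destination="{SP_SERVLET}" '
           f'InResponseTo="{request_id}"><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/>'
           '</samlp:Status><saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-06-05T10:00:00Z">'
           '<saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>'
           '<saml:Conditions NotBefore="2018-06-05T10:00:00Z" NotOnOrAfter="2018-06-05T10:05:00Z">'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
           '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

Calling `check_response(sample_response("_req1"), "_req1", parse_utc("2018-06-05T10:02:00Z"))` returns the NameID `jdoe@example.com` that Step 9 then looks up in the Jira/Confluence user directory; any failed check raises instead of establishing a session.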

Want to know more or try the SAML SSO app?

If you want more information, or want our technical support to configure the SAML SSO app quickly with you (especially if you have a complex, enterprise-level IT environment), you can schedule an individual live screenshare directly with your technical support colleagues here, or have a personal pre-sales consultation (via phone or email) directly with our account manager here.

Otherwise you can also visit our vendor page in the Atlassian Marketplace to have a complete overview of our SAML SSO apps and evaluate them directly for up to 90 days for FREE!
