Application Links not working behind third party SSO
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Problem
Application Links configured between Atlassian applications that run behind a third party SSO application do not work.
If you are trying to link Jira to a Confluence instance, or to another Jira instance, while running behind a third party SSO, the Jira instance initiating the Application Link reports errors while trying to set up the link.
Enabling debug logging on the org.apache.http package shows log entries similar to the ones below. Note the 302 response to the OAuth consumer-info request: instead of returning the consumer information, the target redirects the applinks client to the SSO login page.
[http.conn.ssl.SSLConnectionSocketFactory] Starting handshake
[http.conn.ssl.SSLConnectionSocketFactory] Secure session established
[http.conn.ssl.SSLConnectionSocketFactory] negotiated protocol: TLSv1.2
[http.conn.ssl.SSLConnectionSocketFactory] negotiated cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
[http.conn.ssl.SSLConnectionSocketFactory] peer principal: CN=jira.example.com, OID.2.5.4.72=XXX, T=XXX - XXXXXXX, OU=XXXXXXXXXX, O=XXX
[http.conn.ssl.SSLConnectionSocketFactory] issuer principal: CN=OOOOOOOO, OU=OOOO, OU=OOOOOOOOOOO, O=OOO
[http.impl.conn.DefaultHttpClientConnectionOperator] Connection established 10.1.1.4:51460<->10.1.1.2:443
[http.impl.conn.DefaultManagedHttpClientConnection] http-outgoing-2276: set socket timeout to 10000
[http.impl.execchain.MainClientExec] Executing request GET /plugins/servlet/oauth/consumer-info HTTP/1.1
[http.impl.execchain.MainClientExec] Target auth state: UNCHALLENGED
[http.impl.execchain.MainClientExec] Proxy auth state: UNCHALLENGED
[org.apache.http.headers] http-outgoing-2276 >> GET /plugins/servlet/oauth/consumer-info HTTP/1.1
[org.apache.http.headers] http-outgoing-2276 >> Accept: application/xml
[org.apache.http.headers] http-outgoing-2276 >> Host: Jira.local
[org.apache.http.headers] http-outgoing-2276 >> Connection: Keep-Alive
[org.apache.http.headers] http-outgoing-2276 >> User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_102)
[org.apache.http.headers] http-outgoing-2276 >> Accept-Encoding: gzip,deflate
[org.apache.http.wire] http-outgoing-2276 >> "GET /plugins/servlet/oauth/consumer-info HTTP/1.1[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 >> "Accept: application/xml[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 >> "Host: Jira.local[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 >> "Connection: Keep-Alive[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 >> "User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_102)[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 >> "Accept-Encoding: gzip,deflate[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 >> "[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 << "HTTP/1.1 302 Found[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 << "Date: Tue, 09 Oct 2018 08:31:22 GMT[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 << "Cache-Control: no-store, max-age=86400[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 << "Location: https://ssoapp.local/login_page[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 << "Expires: Wed, 10 Oct 2018 08:31:22 GMT[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 << "Content-Length: 437[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 << "Keep-Alive: timeout=10, max=400[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 << "Connection: Keep-Alive[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 << "Content-Type: text/html; charset=iso-8859-1[\r][\n]"
[org.apache.http.wire] http-outgoing-2276 << "[\r][\n]"
[org.apache.http.headers] http-outgoing-2276 << HTTP/1.1 302 Found
[org.apache.http.headers] http-outgoing-2276 << Date: Tue, 09 Oct 2018 08:31:22 GMT
[org.apache.http.headers] http-outgoing-2276 << Cache-Control: no-store, max-age=86400
[org.apache.http.headers] http-outgoing-2276 << Location: https://ssoapp.local/login_page
Diagnosis
Environment
Two or more Atlassian applications are to be linked together, e.g. Jira and Confluence, or Jira and another Jira.
At least one of the applications being linked is integrated with a third party SSO.
Diagnostic Steps
Enable debug logging on the org.apache.http package in the application that initiates the Application Link, then inspect the logs for redirects that are not expected. In particular, look for 3xx responses to the /plugins/servlet/oauth/* and /plugins/servlet/applinks/whoami requests whose Location header points at the SSO application rather than at the Atlassian application being linked.
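The check described above can be automated. The following script is an added example, not Atlassian's code: it parses the [org.apache.http.headers] lines of the debug log, correlates requests and responses by the http-outgoing-N connection id that HttpClient prints on every line, and reports every Application Links request that received a redirect. SAMPLE_LOG is constructed here in the shape of the excerpt on this page; the host ssoapp.local, the connection ids and the extra requests in it are assumptions used only for the demonstration.

```python
"""Find Application Links requests in org.apache.http debug logging that were redirected
instead of being answered by the Atlassian application (added example, not Atlassian's code)."""
import re
import sys
from urllib.parse import urlsplit

# Paths the Application Links / OAuth handshake calls (from the whitelist on this page).
# The Atlassian application answers these directly (200, or 401/403 when authentication
# is required); a 3xx here means something in front of the application intercepted the call.
APPLINKS_PATHS = (
    "/plugins/servlet/oauth/access-token",
    "/plugins/servlet/oauth/request-token",
    "/plugins/servlet/oauth/consumer-info",
    "/plugins/servlet/applinks/whoami",
)

# Only [org.apache.http.headers] lines are parsed; the [org.apache.http.wire] lines repeat
# the same data with escaping, so parsing both would double-count every request.
PREFIX = r"\[org\.apache\.http\.headers\] (http-outgoing-\d+) "
REQ_RE = re.compile(PREFIX + r">> (?:GET|POST|HEAD) (\S+) HTTP/1\.[01]")
HOST_RE = re.compile(PREFIX + r">> Host: (\S+)")
STATUS_RE = re.compile(PREFIX + r"<< HTTP/1\.[01] (\d{3})")
LOCATION_RE = re.compile(PREFIX + r"<< Location: (\S+)")


def find_intercepted_requests(lines):
    """Return one dict per applinks request answered with a 3xx.

    redirect_off_host is True when the Location header names a different host than the
    request's Host header, i.e. the client was sent to an external login page (the SSO case)."""
    pending = {}  # connection id -> request awaiting its response
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if m:
            conn, path = m.groups()
            pending[conn] = {"conn": conn, "path": path, "host": None, "status": None,
                             "location": None, "redirect_off_host": False}
            continue
        m = HOST_RE.search(line)
        if m and m.group(1) in pending:
            pending[m.group(1)]["host"] = m.group(2).lower()
            continue
        m = STATUS_RE.search(line)
        if m and m.group(1) in pending:
            req = pending[m.group(1)]
            req["status"] = int(m.group(2))
            if 300 <= req["status"] < 400 and req["path"].startswith(APPLINKS_PATHS):
                hits.append(req)  # same dict object: a later Location line updates it
            continue
        m = LOCATION_RE.search(line)
        if m and m.group(1) in pending:
            req = pending[m.group(1)]
            req["location"] = m.group(2)
            target = (urlsplit(m.group(2)).hostname or "").lower()
            req["redirect_off_host"] = bool(target) and target != (req["host"] or "")
    return hits


# Constructed sample in the shape of the log excerpt on this page (hosts are assumptions).
SAMPLE_LOG = """\
[org.apache.http.headers] http-outgoing-2276 >> GET /plugins/servlet/oauth/consumer-info HTTP/1.1
[org.apache.http.headers] http-outgoing-2276 >> Accept: application/xml
[org.apache.http.headers] http-outgoing-2276 >> Host: jira.example.com
[org.apache.http.headers] http-outgoing-2276 << HTTP/1.1 302 Found
[org.apache.http.headers] http-outgoing-2276 << Cache-Control: no-store, max-age=86400
[org.apache.http.headers] http-outgoing-2276 << Location: https://ssoapp.local/login_page
[org.apache.http.headers] http-outgoing-2277 >> GET /rest/api/2/serverInfo HTTP/1.1
[org.apache.http.headers] http-outgoing-2277 >> Host: jira.example.com
[org.apache.http.headers] http-outgoing-2277 << HTTP/1.1 200 OK
[org.apache.http.headers] http-outgoing-2278 >> GET /secure/Dashboard.jspa HTTP/1.1
[org.apache.http.headers] http-outgoing-2278 >> Host: jira.example.com
[org.apache.http.headers] http-outgoing-2278 << HTTP/1.1 302 Found
[org.apache.http.headers] http-outgoing-2278 << Location: https://jira.example.com/login.jsp
[org.apache.http.headers] http-outgoing-2279 >> GET /plugins/servlet/applinks/whoami HTTP/1.1
[org.apache.http.headers] http-outgoing-2279 >> Host: jira.example.com
[org.apache.http.headers] http-outgoing-2279 << HTTP/1.1 401 Unauthorized
[org.apache.http.headers] http-outgoing-2280 >> GET /plugins/servlet/oauth/request-token HTTP/1.1
[org.apache.http.headers] http-outgoing-2280 >> Host: jira.example.com
[org.apache.http.headers] http-outgoing-2280 << HTTP/1.1 302 Found
[org.apache.http.headers] http-outgoing-2280 << Location: /login.jsp
"""

if __name__ == "__main__":
    # Usage: python find_intercepts.py atlassian-jira.log   (no argument: scan SAMPLE_LOG)
    lines = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for hit in find_intercepted_requests(lines):
        kind = "SSO redirect" if hit["redirect_off_host"] else "redirect"
        print(f"{hit['conn']}: {hit['status']} {kind} on {hit['path']} -> {hit['location']}")
```

Only requests on the handshake paths are reported: the 302 on /secure/Dashboard.jspa in the sample is ordinary application behaviour and the 401 on /plugins/servlet/applinks/whoami is the application answering for itself, so neither is a finding. A redirect whose Location stays on the application's own host is still reported, because the applinks client cannot follow it either, but it is flagged separately from the off-host redirect that identifies an SSO agent.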
Cause
The third party SSO application intercepts every request that reaches the Atlassian application without a valid SSO session or identity token, and redirects that request to the SSO login page.
The Atlassian applications do not expect this. The Application Links client is not designed to follow the redirect or to authenticate against the third party SSO application, so the handshake request (for example the call to /plugins/servlet/oauth/consumer-info) receives the redirect instead of the response it was waiting for.
The handshake that creates the Application Link therefore fails.
Solution
Workaround
There are two ways to work around this problem.
The first option is to configure the SSO application so that it does not intercept the URLs used by the Application Links functionality, that is, to whitelist those URLs on the SSO application side.
This ensures that the Atlassian application starting the Application Link handshake does not receive an unexpected redirect.
Below is the list of URLs to be whitelisted:
/plugins/servlet/oauth/access-token
/plugins/servlet/oauth/request-token
/plugins/servlet/oauth/consumer-info
/plugins/servlet/streams
/plugins/servlet/applinks/whoami
/sr/jira.issueviews:searchrequest
/secure/RunPortlet
/rest
/rpc/soap
/download/resources/com.duosecurity.jira.plugins.duo-twofactor:resources/
/download/resources/com.duosecurity.confluence.plugins.duo-twofactor:resources/
/rest/gadget/1.0/login
/rpc/xmlrpc
/pages
/display
Please note that requests to these URLs will no longer go through the SSO application. They are then protected only by the Atlassian application's own authentication (its local login and the OAuth handshake itself), so make sure that remains enforced for the bypassed paths; /rest, /pages and /display in particular cover a large part of the application.
The second option is to whitelist the server IP addresses of the Atlassian application(s) on the SSO application side. This way only requests between the applications bypass SSO, while all other external requests still pass through the SSO application. This only holds if the SSO application sees the real source address of the application-to-application traffic: if that traffic arrives through a proxy or NAT, whitelisting the address the SSO application sees would also exempt everything else coming from it.
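After applying either workaround, verify it from the side of the application that initiates the link rather than from a browser, since a browser already carries an SSO session. The script below is an added example, not Atlassian's code: it requests each whitelisted path without following redirects (the same behaviour the applinks client shows in the log above) and classifies the answer. The base URL, the application host and any SSO host it meets are assumptions; only the classification logic is exercised offline.

```python
"""Probe the Application Links URLs of an Atlassian application and report which ones are
still redirected to an SSO login page (added example, not Atlassian's code)."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# The whitelist from this page. /rest, /pages and /display are prefixes, so a representative
# sub-path would be needed to probe them meaningfully; the prefixes themselves are probed as-is.
WHITELIST = (
    "/plugins/servlet/oauth/access-token",
    "/plugins/servlet/oauth/request-token",
    "/plugins/servlet/oauth/consumer-info",
    "/plugins/servlet/streams",
    "/plugins/servlet/applinks/whoami",
    "/sr/jira.issueviews:searchrequest",
    "/secure/RunPortlet",
    "/rest",
    "/rpc/soap",
    "/download/resources/com.duosecurity.jira.plugins.duo-twofactor:resources/",
    "/download/resources/com.duosecurity.confluence.plugins.duo-twofactor:resources/",
    "/rest/gadget/1.0/login",
    "/rpc/xmlrpc",
    "/pages",
    "/display",
)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urlopen raise HTTPError on any 3xx instead of following it, so the Location
    header can be inspected exactly as the applinks client receives it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location, app_host):
    """Classify one response to a whitelisted path.

    'ok'           answered by the application itself (2xx, or 401/403 asking for its own login)
    'sso-redirect' 3xx whose Location is on another host, i.e. the SSO login page
    'redirect'     3xx that stays on the application's host (applinks cannot follow it either,
                   but it is not the SSO agent)"""
    if status is None or not 300 <= status < 400:
        return "ok"
    target = (urlsplit(location or "").hostname or "").lower()
    if target and target != (app_host or "").lower():
        return "sso-redirect"
    return "redirect"


def probe(base_url, paths=WHITELIST, timeout=10):
    """GET each path on base_url without following redirects; return {path: (status, location, verdict)}."""
    opener = urllib.request.build_opener(_NoRedirect)
    app_host = urlsplit(base_url).hostname
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Accept": "application/xml"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                status, location = resp.status, resp.headers.get("Location")
        except urllib.error.HTTPError as e:      # 3xx (because of _NoRedirect), 4xx, 5xx
            status, location = e.code, e.headers.get("Location")
        except urllib.error.URLError as e:       # TLS trust or connectivity problem
            results[path] = (None, None, f"error: {e.reason}")
            continue
        results[path] = (status, location, classify(status, location, app_host))
    return results


if __name__ == "__main__":
    # Usage: python probe_applinks.py https://jira.example.com   (hypothetical base URL)
    base = sys.argv[1] if len(sys.argv) > 1 else "https://jira.example.com"
    for path, (status, location, verdict) in probe(base).items():
        print(f"{verdict:13} {status!s:4} {path}" + (f" -> {location}" if location else ""))
```

Run it from the server that hosts the initiating application, so that the second workaround (IP whitelisting) is tested from the address the SSO application actually sees. A 401 or 403 is a good result here: it means the Atlassian application, not the SSO agent, answered the request. If the probe reports TLS errors, the JVM of the initiating application will usually have the same trust problem, which is a separate cause of Application Link failures.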