Bypassing Okta to allow users to login to Jira locally.
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
When Jira is configured with Okta, the redirection prevents users from locally authenticating.
Environment
Jira instances with the Okta Jira Authenticator installed.
Diagnosis
Users who try to login to Jira are redirected to Okta.
No users are able to login locally, even if the steps from Bypass SAML authentication for Jira Data Center are taken.
You are configuring Okta SSO integration in Jira using the steps mentioned in Okta Jira Authenticator Configuration Guide
Cause
The users in question are not included in the users or groups within the okta-config-jira.xml file and therefore are being pushed to the Okta login page.
Okta in Jira operates with a combination of a jar file, plus two configuration files, that supersede Jira's normal login paths and Authentication Fallback Mechanisms.
These files and parameters are added to Jira manually by the Jira administrator in order to help facilitate login requests and send users to the correct login page.
Solution
1 . Add the user, or group, to the okta-config-jira.xml file so that the users, who must use local authentication, are able to.
For example:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
...
</applications>
...
<!--If this section defined, SP flow can be disabled for users,
listed below. In this case they will be forced to login using their login/pass. -->
<!--
<spUsers>
<username>user1</username>
</spUsers>
-->
<!--If this section defined, SP flow can be disabled for users assigned to groups in Jira,
listed below. In this case they will be forced to login using their login/pass. -->
<spGroups>
<groupname>jira-administrators</groupname>
<groupname>jira-software-users</groupname>
<groupname>jira-users</groupname>
</spGroups>
<!-- If this section defined, authenticator won't be used for URLs listed below -->
<spUrls>
<url>/login.jsp</url>
</spUrls>
<oktaProtectedUrls>
...
<oktaProtectedUrls>ℹ️ Replace user1 to the local admin user username.
2. Restart Jira service.
3. Access Jira with <Jira-Base-URL>/login.jsp → redirect to the Jira default login page.
More information is available at Okta Jira Authenticator Configuration Guide and we recommend reaching out to the Okta team for further questions.
Was this helpful?