Using the external-login endpoint with Multiple IdPs
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
With the earlier versions of SSO for Atlassian Server and Data Center plugins, there was an option to set SSO as secondary authentication.
When SSO was configured as secondary authentication, it had to be accessed using the endpoint /plugins/servlet/external-login. Many customers used this to set up end-user portals (non-IdP), which would present many applications as icons for the user to choose from. Jira is one of them. These icons would point to the JIRA_BASE_URL/plugins/servlet/external-login URL, which would cause Jira to initiate SSO login for the user.
Environment
SSO for Atlassian Datacenter version 4.20 and later
Diagnosis
As part of the changes introduced with version 4.2.0, the /plugins/servlet/external-login endpoint does not function without the database ID of an identity provider.
Cause
SSO for Atlassian Server and Data Center plugin version 4.2.0 introduces support for Multiple IdPs.
With this, the option to configure hidden identity providers, as in secondary authentication, was removed: if an identity provider is configured, it will be usable.
Solution
In certain situations, when the environment does not want end users to select which IdP to use, the endpoint /plugins/servlet/external-login can be used with the database ID of the IdP config. For example, in the situation below, the endpoint /plugins/servlet/external-login/1 would start the SSO flow for the identity provider with the name SAML config. The IdP data is stored in the AO table AO_ED669C_IDP_CONFIG. It can also be obtained by issuing a GET request to the /rest/authconfig/1.0/idps endpoint.

Similarly, the endpoint /plugins/servlet/external-login/2 would start the SSO flow for the identity provider OpenID.
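The following added example (not Atlassian's code) shows one way a portal could derive its per-IdP links from the output of GET /rest/authconfig/1.0/idps instead of hard-coding database IDs. The JSON field names "id" and "name", the sample response and the host jira.example.com are assumptions; check them against the response from your own instance.

```python
import json
from urllib.parse import urlsplit

EXTERNAL_LOGIN_PATH = "/plugins/servlet/external-login"

# Constructed sample standing in for the body of GET /rest/authconfig/1.0/idps.
# The "id" and "name" field names are assumptions, not taken from the article.
SAMPLE_IDPS_JSON = '[{"id": 1, "name": "SAML config"}, {"id": 2, "name": "OpenID"}]'


def external_login_url(base_url, idp_id):
    """Build BASE_URL/plugins/servlet/external-login/<id> for one IdP."""
    parts = urlsplit(base_url)
    # Choice made by this example: only publish SSO entry points over https.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("base URL must be an absolute https URL")
    if parts.query or parts.fragment:
        raise ValueError("base URL must not carry a query or fragment")
    # The ID ends up in a URL path, so accept only a positive integer
    # (bool is an int subclass in Python and is rejected explicitly).
    if isinstance(idp_id, bool) or not isinstance(idp_id, int) or idp_id < 1:
        raise ValueError("IdP database ID must be a positive integer")
    # Keep any context path (for example /jira) and drop a trailing slash.
    context = parts.path.rstrip('/')
    return f"{parts.scheme}://{parts.netloc}{context}{EXTERNAL_LOGIN_PATH}/{idp_id}"


def portal_links(base_url, idps_json):
    """Map each IdP name to its external-login URL; refuse ambiguous names."""
    links = {}
    for idp in json.loads(idps_json):
        name = idp["name"]
        if name in links:
            # Two configs with one name would make the portal icon ambiguous.
            raise ValueError(f"duplicate IdP name: {name!r}")
        links[name] = external_login_url(base_url, idp["id"])
    return links


if __name__ == "__main__":
    for name, url in portal_links("https://jira.example.com/jira/", SAMPLE_IDPS_JSON).items():
        print(f"{name}: {url}")
```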
As an alternative, portals can be implemented by using the login URL of the application (for example, login.jsp in the case of Jira). If there is only one IdP defined and the login form is disabled, this will trigger the SSO flow for the sole IdP. If there are multiple ways of logging in (i.e. the login form is enabled or multiple IdPs are configured), this will render a login gateway where the preferred authentication method can be selected.