Shibboleth Authenticator for Jira
Requirements
Compilation (optional)
- run "ant clean", then "ant compile", then "ant package"
Deployment
- copy the dist/*.jar to your jira/WEB-INF/lib
(if you use Jira's unexploded WAR deployment mode,
you need to put the jar into the Jira source download
folder)
- modify conf/jiraShibAuthenticator.properties according
to your needs
- copy jiraShibAuthenticator.properties to jira/WEB-INF/classes
- modify seraph-config.xml in your jira/WEB-INF/classes
<!-- note that https://www.mams.org.au/Shibboleth.sso/WAYF/level-2.federation.org.au
can be replaced with your own WAYF location or an IdP location -->
<init-param>
<param-name>login.url</param-name>
<param-value>https://www.mams.org.au/Shibboleth.sso/WAYF/level-2.federation.org.au?target=/jira/secure/Dashboard.jspa?os_destination=${originalurl}</param-value>
</init-param>
<init-param>
<param-name>link.login.url</param-name>
<!-- <param-value>/secure/Dashboard.jspa?os_destination=${originalurl}</param-value> -->
<param-value>https://www.mams.org.au/Shibboleth.sso/WAYF/level-2.federation.org.au?target=/jira/secure/Dashboard.jspa?os_destination=${originalurl}</param-value>
</init-param>
<init-param>
<param-name>link.logout.url</param-name>
<param-value>https://www.mams.org.au/Shibboleth.sso/Logout?return=/jira/secure/Logout!default.jspa</param-value>
</init-param>
<init-param>
<param-name>logout.url</param-name>
<param-value>https://www.mams.org.au/Shibboleth.sso/Logout?return=/jira/secure/Logout!default.jspa</param-value>
</init-param>
<!-- <authenticator class="com.atlassian.seraph.auth.DefaultAuthenticator"/> -->
<authenticator class="au.edu.mq.melcoe.mams.jira.JiraShibAuthenticator"/>
5) configure your SP AAP.xml by mapping appropriate headers (pay attention to step #2).
Most likely headers you need:
- REMOTE_USER
- FULL_NAME
- EMAIL
- whatever dynamic roles' headers
6) modify apache's configuration. This assumes you're using mod_jk. For instructions using mod_proxy,
check here
a. mount jira to apache
JKMount /jira* jiraWorker
b. protect jira with shib lazy session
<Location /jira>
AuthType shibboleth
ShibRequireSession Off
require shibboleth
</Location>
7) modify workers.properties for JK connector (make sure jiraWorker is in worker list)
worker.list=xWorker confluenceWorker jiraWorker
worker.jiraWorker.type=ajp13
worker.jiraWorker.host=localhost
worker.jiraWorker.port=8010
8) modify tomcat's server.xml to include the connector below (find the existing entry for port 8009 and copy it as a starting point). If you're using tomcat 5.5 or above, you may want to use tomcatAuthentication="false" instead, i.e. strip the "request." prefix. This has changed in recent tomcat versions; refer to your tomcat manual for details.
<Connector port="8010" address="127.0.0.1" request.tomcatAuthentication="false"
enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
9) restart tomcat and try to click on the login link
10) if you'd like to see some logging, add the following lines to your jira/WEB-INF/classes/log4j.properties
log4j.category.au.edu.mq.melcoe.mams= DEBUG, console, filelog
log4j.additivity.au.edu.mq.melcoe.mams = false
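With tomcatAuthentication="false" the connector from step 8 accepts the user identity that Apache passes over AJP, so the worker in step 7 and the connector in step 8 must agree on the port and the connector should stay bound to loopback, as address="127.0.0.1" does. The following check is an added example, not part of the original instructions or the authenticator's code; the inline sample files and the function names are constructed, and it assumes Apache and Tomcat share one host as on this page.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed sample inputs mirroring steps 7 and 8 (not read from a real host).
WORKERS = """\
worker.list=xWorker confluenceWorker jiraWorker
worker.jiraWorker.type=ajp13
worker.jiraWorker.host=localhost
worker.jiraWorker.port=8010
"""
SERVER_XML = """\
<Server><Service name="Catalina">
  <Connector port="8010" address="127.0.0.1" tomcatAuthentication="false"
             enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
</Service></Server>
"""

def is_loopback(host):
    # 'localhost' or a loopback IP literal; empty or other values are not.
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def parse_worker(text, name):
    # Returns (is the worker in worker.list?, its worker.<name>.* settings).
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    props = {k.strip(): v.strip() for k, v in pairs}
    prefix = f"worker.{name}."
    listed = name in props.get("worker.list", "").replace(",", " ").split()
    return listed, {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}

def audit(workers_text, server_xml, name="jiraWorker"):
    findings = []  # stays empty when worker and connector are consistent
    listed, w = parse_worker(workers_text, name)
    if not listed:
        findings.append(f"{name} missing from worker.list")
    ajp = [c for c in ET.fromstring(server_xml).iter("Connector")
           if c.get("protocol", "").upper().startswith("AJP")]
    if not any(c.get("port") == w.get("port") for c in ajp):
        findings.append(f"no AJP connector on worker port {w.get('port')}")
    for c in ajp:  # a connector without address= is not pinned to loopback
        if not is_loopback(c.get("address", "")):
            findings.append(f"AJP connector {c.get('port')} not bound to loopback")
    if not is_loopback(w.get("host", "")):
        findings.append(f"{name} host {w.get('host')} is not loopback")
    return findings
```

Calling audit() with the contents of your own workers.properties and server.xml returns an empty list when the two files agree and the AJP port is reachable only from the local Apache.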
Questions? Send us email at
support AT federation DOT org DOT au