WebSudo reverification

Owned by Eirik Bjørsnøs
Last updated: Jun 16, 2020 by Lars Olav Velle (Unlicensed)
2 min read

Overview

Jira and Confluence includes a security feature called Secure Administrator Sessions, also known as WebSudo.

WebSudo requires that users reverify their administrative credentials before being allowed to perform administrative tasks.

This tends to cause problems for users signing in with Single Sign-on like SAML, since these users often do not have any password in Jira or Confluence.

This article shows alternative ways Polar SSO allows an administrator to verify on WebSudo.

Regular password confirmation

First, let's review how the WebSudo feature normally works in Jira, without any extra features provided by Polar SSO.

WebSudo takes effect whenever an administrator users tries to access an administrative page:

Jira then requires that the user conform their administrator credentials by typing their password:

Confirming with SAML

Polar SSO allows users logging in using SAML to reverify using SAML when accessing a WebSudo protected page. 

When supported by the SAML provider, and enabled by Polar SSO configuration, the user sees a Confirm using option which allows them to sign in with their provider: 

 

In this example, the user chooses to confirm using their SAML provider which in this case is Azure AD:

The user clicks Verify and gets redirected to Azure AD where they are required to authenticate:

When the user returns, Polar SSO verifies that Azure AD authenticated the user and accepts that as a WebSudo confirmation.

Confirming with FIDO user verification

Users who have enrolled an extra verification factor may use their enrolled factor to confirm in WebSudo:

 

This works with any enrolled verification factor which supports user verification, such as  Windows Hello, MacOS Touch ID, Android phone or security keys supporting PIN or fingerprint verification.

Confirming with an Authenticator App

Finally, users who have enrolled an authenticator app may use the six-digit code generated by the app on their phone to confirm with WebSudo:

 

See it in action

See how WebSudo reverification works using SAML (Google G Suite), a USB security key (with fingerprint) and a phone app.

Learn more