Deny password login

Overview

When setting up Single Sign-on with SAML or Kerberos, it is often desirable to tighten security further by preventing users from logging in using the traditional username and password method. This article shows how to configure a 'Deny login' policy to prevent this type of login. We'll configure the policy to only affect users who are attempting to log in from outside the 'Office' network zone.

Adding a policy

Start by visiting the Policies page and clicking the Add policy button.

Select the Deny login policy type, then click Add.

Give the policy a name that describes its purpose in a few words.

Conditions

Use the Conditions section to exclude the network location 'Office' and the 'username/password' 'Login method'.

Running a test evaluation

Once your policy has been added, you might want to perform a simulated login to verify that the policy matches the login conditions you expect. Click the Simulate policy evaluation link on the Policies page.

End user experience

When a password login is attempted from outside the network zone 'Office', the end user will be notified that the login attempt was denied by their organization's policy.

When logging in from the Jira dashboard login gadget, the user will see the message 'You do not have a permission to log in'.  
