Confidence – Competence – Innovation
Secure Login for Bamboo
Administrator's Guide Secure Login for Bamboo
Secure Login - Administrator's Guide Secure Login for Bamboo
Add-on Installation

Before you begin
To install the Secure Login Plugin, you must log in with Bamboo Admin permissions.

Installing Secure Login via the UPM
1. Click the admin dropdown and choose Atlassian Marketplace. The Manage add-ons screen loads.
2. Click Find new add-ons on the left-hand side of the page.
3. Search for "Secure Login for Bamboo". The appropriate add-on version appears in the search results.
4. Click Try free to begin a new trial or Buy now to purchase a license for Secure Login for Bamboo. You're prompted to log in to the My Atlassian customer self-service portal. Then, Secure Login for Bamboo begins to download.
5. Enter your information and click Generate license when redirected to My Atlassian.
6. Click Apply license. If you're using an older version of UPM, you can copy and paste the license into your Bamboo instance.
7. Configure the add-on according to section "Standard Configuration" (see below).

Installing Secure Login via the Atlassian Marketplace

Download the JAR-File
1. Open the Atlassian Marketplace within your preferred browser.
2. Enter Secure Login for Bamboo within the search box below the title "Explore apps for Atlassian products". The appropriate add-on version appears in the search results.
3. Click Try free to begin a new trial or Buy now to purchase a license for Secure Login for Bamboo. You're prompted to log in to My Atlassian.
4. Click Generate License in order to generate a new license.
5. Copy the license key and click Download.
6. Save the JAR-file on your local disk.

Install the JAR-File
1. Switch into the administration of Bamboo and choose Add-Ons. The Manage add-ons screen loads.
2. Click Upload Add-on and select the JAR-file. The plugin is installed and displayed in the User-Installed Add-ons.
3. Enter the license and click Update.

Standard Configuration
In this section the add-on/app will be activated with standard values only.

Activate "Secure Login" after installation
1. Select Add-ons within the Administration area of Bamboo.
2. Navigate to the Secure Login section on the left-hand side of the page (figure 1, step 1).
3. Click on Plugin Configuration (figure 1, step 2).
Figure 1: Configuration of the Secure Login app
4. Clicking on that menu item opens the add-on/app configuration. Secure Login is deactivated by default, so that a configuration that does not fit your concrete environment cannot lock users out. If the default configuration matches your needs, please activate the 2-factor authentication via the checkbox "Secure Login activated" (figure 2, step 1) and apply that by clicking on the button Save configuration (figure 2, step 2).
Figure 2: Activation of the configuration

TOTP Configuration
Figure 3: TOTP and Context Whitelist configuration
The section "TOTP settings" contains the configuration parameters for the TOTP protocol. If you do not have any special needs, we recommend using the Google Default settings, which work well together with all common 2FA authenticators on the market. If you have changed those settings and want to return to the Google defaults, please use the function "Reset to Google Defaults".
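To show what the TOTP parameters control, here is an added example (not part of the original guide and not the plugin's code) that computes and verifies RFC 6238 codes. It assumes that "Google Defaults" means the parameters used by the Google Authenticator app (HMAC-SHA1, 6 digits, 30-second time step), which the guide itself does not list; the function names and the sample secret (the RFC 6238 test key) are likewise assumptions of this example.

```python
import hashlib
import hmac
import struct

# Assumption: the guide does not list the "Google Defaults"; these are the
# parameters the Google Authenticator app uses.
GOOGLE_DEFAULTS = {"algorithm": "sha1", "digits": 6, "period": 30}

# Constructed sample secret: the ASCII test key from RFC 6238, Appendix B.
SAMPLE_SECRET = b"12345678901234567890"


def totp(secret, unix_time, algorithm="sha1", digits=6, period=30):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the number of elapsed time steps."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(secret, counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, code, unix_time, window=1, **params):
    """Accept a code from `window` time steps either side of now (clock drift)."""
    period = params.get("period", 30)
    for step in range(-window, window + 1):
        t = unix_time + step * period
        if t >= 0 and hmac.compare_digest(totp(secret, t, **params), code):
            return True
    return False


def authenticator_accepted(secret, unix_time, server_params):
    """Would a code from an app fixed to the assumed defaults pass the server check?"""
    app_code = totp(secret, unix_time, **GOOGLE_DEFAULTS)
    return verify(secret, app_code, unix_time, **server_params)


if __name__ == "__main__":
    now = 1111111109
    print(totp(SAMPLE_SECRET, now))
    print(authenticator_accepted(SAMPLE_SECRET, now, GOOGLE_DEFAULTS))
    print(authenticator_accepted(SAMPLE_SECRET, now, {**GOOGLE_DEFAULTS, "digits": 8}))
```

An authenticator app that cannot be switched away from these parameters stops producing accepted codes as soon as the server side expects something else, which is the compatibility reason behind the recommendation to stay on the defaults.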

Context Whitelist
The Whitelist contains a comma-separated list of context root elements, which will be accessed without any 2-factor authentication of this add-on/app.

Filter Settings
Figure 4: Filter settings

Filter Mode
• Determine whether the IP List and User Group should be used as a Black- or Whitelist.
Group Filter
• User Group which has or has not to be authenticated by the add-on/app, depending on whether Black- or Whitelisting is selected.
IP Filter
• Comma-separated list of IP addresses which have or have not to be authenticated by the add-on/app, depending on whether Black- or Whitelisting is selected.
Forward Header
• Custom forward header which can be set to identify the original IP address behind a proxy. If no value is set, the X-FORWARDED-FOR header will be evaluated.
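
The forward header is part of the request, so an IP Filter decision based on it is only as reliable as the proxy that sets it. The following added example (not the plugin's code and not from the original guide) shows one way to combine the two settings safely: the header is honoured only when the connection comes from a known reverse proxy. The proxy address, the function names and the reading of the filter modes (whitelist: listed IPs skip 2FA; blacklist: only listed IPs need it) are assumptions of this example.

```python
import ipaddress

# Constructed sample configuration (documentation address ranges).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]  # hypothetical reverse proxy
IP_LIST = [ipaddress.ip_network("192.0.2.10/32")]        # value of the "IP Filter" field


def _in(addr, networks):
    return any(addr in net for net in networks)


def effective_client_ip(peer_ip, headers, forward_header="X-Forwarded-For"):
    """Address to filter on: the header counts only if a trusted proxy sent the request."""
    peer = ipaddress.ip_address(peer_ip)
    if not _in(peer, TRUSTED_PROXIES):
        return peer  # header arrived straight from the client: ignore it
    wanted = forward_header.lower()
    value = next((v for k, v in headers.items() if k.lower() == wanted), "")
    hops = [h.strip() for h in value.split(",") if h.strip()]
    for hop in reversed(hops):  # rightmost entries were appended by proxies
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the TCP peer
        if not _in(addr, TRUSTED_PROXIES):
            return addr
    return peer


def requires_second_factor(addr, mode):
    """Assumed semantics: whitelist = listed IPs skip 2FA, blacklist = only listed IPs need it."""
    listed = _in(addr, IP_LIST)
    return listed if mode == "blacklist" else not listed


def decide(peer_ip, headers, mode="whitelist"):
    return requires_second_factor(effective_client_ip(peer_ip, headers), mode)


if __name__ == "__main__":
    claimed = {"X-Forwarded-For": "192.0.2.10"}
    print(decide("203.0.113.7", claimed))  # direct connection, header ignored
    print(decide("10.0.0.5", claimed))     # same header, delivered by the proxy
    print(decide("10.0.0.5", {"X-Forwarded-For": "192.0.2.10, 203.0.113.7"}))
```

In practice the same effect is usually achieved by having the reverse proxy overwrite the forward header on every request and by blocking direct access to Bamboo from outside the proxy.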

Reset A User Account
The current version of Secure Login for Bamboo does not yet include functionality for resetting a user account. This functionality will be provided with the next version of the plugin. Until then, please refer to the following section "Reset An Administrator's Account" on how to reset an account manually.

Reset An Administrator's Account
Scenario: the admin cannot log in to Confluence anymore, because her/his mobile device is no longer available for whatever reason, or the authenticator app has been deleted on the mobile device, etc.
1. Team solution: Another admin has to log in and reset the Secure Login token for the related colleague.
2. Technical solution: It is possible, but not recommended, to reset Secure Login accounts via direct database access by executing the following steps:
   o Connect to your database with a DB administration tool.
   o Identify the SECURE_USER_CONFIG table in your database. This table is named AO_<hash>_SECURE_USER_CONFIG, where <hash> is a 6-digit hash value (e.g. AO_1D83D9_SECURE_USER_CONFIG).
   o Get the account row by looking at the column USER_IDENTIFIER. This is a string containing <full username>_<email address>_<login username> (e.g. Max Mustermann_mm@test.org_muster). <full username> is the user's full name, <email address> is the user's registered email and <login username> is the user's login name.
   o To reset the account, delete the corresponding dataset from the USER_CONFIG table via an SQL command like:
     -- Exact match with '=': in a LIKE pattern every '_' would match any single character.
     DELETE FROM AO_1D83D9_SECURE_USER_CONFIG WHERE USER_IDENTIFIER = 'Max Mustermann_mm@test.org_muster';
This user will be presented with a new QR code on the next login and has to connect a mobile authenticator to that user account again.