- Bug
- Resolution: Fixed
- High
- 9.0.0
- 1
- Severity 2 - Major
Issue Summary
In Bitbucket 9.0, we implemented encryption for storing passwords for external directories like LDAP and Crowd. However, it appears that the legacy Crowd SSO is failing to decrypt these passwords and is instead using the encrypted values when trying to connect to the Crowd server.
NOTE: The issue only occurs with legacy Crowd SSO. Directory syncing and Crowd SSO 2.0 are not affected.
Steps to Reproduce
Connect Bitbucket with Crowd and configure legacy Crowd SSO as defined in this page. Legacy Crowd SSO is enabled by setting this property to true.
plugin.auth-crowd.sso.enabled=true
Log in to Crowd and navigate to Bitbucket.
Expected Results
The user that authenticated in Crowd should also be authenticated in Bitbucket via legacy SSO.
Actual Results
The user is not authenticated in Bitbucket. Additionally, the following error may show up in the application logs.
c.a.b.i.c.sso.SsoConfigurationCache Failed to retrieve SSO configuration
com.atlassian.cache.CacheException: com.atlassian.bitbucket.ServerException: Could not retrieve SSO Configuration (Application failed to authenticate)
    at com.atlassian.cache.memory.DelegatingCachedReference.get(DelegatingCachedReference.java:92)
    at com.atlassian.cache.impl.metrics.InstrumentedCachedReference.get(InstrumentedCachedReference.java:58)
    at com.atlassian.cache.hazelcast.HazelcastAsyncHybridCachedReference.get(HazelcastAsyncHybridCachedReference.java:65)
    at com.atlassian.cache.impl.metrics.InstrumentedCachedReference.get(InstrumentedCachedReference.java:58)
    at com.atlassian.bitbucket.internal.crowd.sso.SsoConfigurationCache.get(SsoConfigurationCache.java:69)
    at com.atlassian.bitbucket.internal.crowd.sso.DefaultCrowdSsoService.getConfiguration(DefaultCrowdSsoService.java:233)
    at com.atlassian.bitbucket.internal.crowd.sso.DefaultCrowdSsoService.getAuthenticator(DefaultCrowdSsoService.java:110)
    at com.atlassian.bitbucket.internal.crowd.sso.CrowdSsoAuthenticationHandler.performAuthentication(CrowdSsoAuthenticationHandler.java:73)
    at com.atlassian.stash.internal.auth.DefaultAuthenticationService.lambda$authenticateInternal$3(DefaultAuthenticationService.java:166)
    at com.atlassian.stash.internal.auth.DefaultAuthenticationService.authenticateInternal(DefaultAuthenticationService.java:181)
    at com.atlassian.stash.internal.auth.DefaultAuthenticationService.authenticate(DefaultAuthenticationService.java:87)
    at jdk.internal.reflect.GeneratedMethodAccessor700.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at jdk.proxy3/jdk.proxy3.$Proxy309.authenticate(Unknown Source)
    at com.atlassian.stash.internal.spring.security.PluginAuthenticationProvider.authenticate(PluginAuthenticationProvider.java:54)
    at jdk.internal.reflect.GeneratedMethodAccessor699.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Workaround
As a workaround, encryption can be temporarily disabled until the fix is released, using the following steps.
Step 1: Set the following property to false in the bitbucket.properties file.
crowd.directory.password-encryption.enabled=false
Step 2: Restart Bitbucket
Step 3: Re-enter the password in the UI for the Crowd directory being used for legacy SSO
- Go to Administration Overview -> User Directories
- Click Edit on the Crowd directory that was configured for SSO
- Re-enter the directory password in the Application Password field to replace the encrypted value
- Click the Test Settings button at the bottom of the page and verify that the connection is successful
- Click Save and test
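The following is an added example, not part of the ticket, that an administrator could run to check whether an instance is exposed to this bug: it reads bitbucket.properties for the two properties named above and scans application log lines for the SsoConfigurationCache failure quoted under Actual Results. The properties text and log lines below are constructed samples, and the script assumes crowd.directory.password-encryption.enabled defaults to true when absent, as the workaround implies.

```python
from typing import Dict, List, Optional

ENCRYPTION_KEY = "crowd.directory.password-encryption.enabled"
LEGACY_SSO_KEY = "plugin.auth-crowd.sso.enabled"
# Error text from the ticket's log excerpt, used as the detection signature.
ERROR_SIGNATURE = "Could not retrieve SSO Configuration (Application failed to authenticate)"

# Constructed sample bitbucket.properties: legacy SSO on, encryption left at default.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real instance
plugin.auth-crowd.sso.enabled=true
jdbc.driver=org.postgresql.Driver
"""

# Constructed log excerpt; only the second line carries the signature.
SAMPLE_LOG = [
    "2024-09-10 10:15:21,900 INFO  [http-nio-7990-exec-5] c.a.s.i.auth.DefaultAuthenticationService Authenticating request",
    "2024-09-10 10:15:22,134 WARN  [http-nio-7990-exec-5] c.a.b.i.c.sso.SsoConfigurationCache Failed to retrieve SSO configuration "
    "com.atlassian.cache.CacheException: com.atlassian.bitbucket.ServerException: " + ERROR_SIGNATURE,
    "2024-09-10 10:15:22,140 INFO  [http-nio-7990-exec-5] c.a.s.i.auth.DefaultAuthenticationService Falling back to form login",
]


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments, blanks skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def as_bool(value: Optional[str], default: bool) -> bool:
    return default if value is None else value.strip().lower() == "true"


def legacy_sso_exposed(props: Dict[str, str]) -> bool:
    """Exposed when legacy Crowd SSO is enabled and encryption is not explicitly disabled
    (assumption: encryption defaults to enabled in 9.0, which is why the workaround sets it to false)."""
    return as_bool(props.get(LEGACY_SSO_KEY), False) and as_bool(props.get(ENCRYPTION_KEY), True)


def find_sso_failures(log_lines: List[str]) -> List[int]:
    """1-based line numbers where SsoConfigurationCache reported the authentication failure."""
    return [n for n, line in enumerate(log_lines, 1)
            if "SsoConfigurationCache" in line and ERROR_SIGNATURE in line]


def assess(properties_text: str, log_lines: List[str]) -> Dict[str, object]:
    props = parse_properties(properties_text)
    return {"config_exposed": legacy_sso_exposed(props),
            "workaround_applied": not as_bool(props.get(ENCRYPTION_KEY), True),
            "log_hits": find_sso_failures(log_lines)}
```

Running `assess` over a real bitbucket.properties and atlassian-bitbucket.log reports whether the configuration matches the affected combination, whether Step 1 of the workaround is already in place, and which log lines show the symptom.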