Confidence – Competence – Innovation

Secure Login for Bamboo

Administrator'sGuideSecureLoginforBamboo

SecureLogin-Administrator'sGuideSecureLoginforBamboo

2

Add-onInstallation

BeforeyoubeginToinstalltheSecureLoginPlugin,youmustlog-inwithBambooAdminpermissions

InstallingSecureLoginviatheUPM

1. ClicktheadmindropdownandchooseAtlasssianMarketplace.TheManageadd-onsscreenloads.

2. ClickFindnew-add-onsontheleft-handsideofthepage.

3. Searchfor"SecureLoginforBamboo".Theappropriateadd-onversionappearsinthesearchresults.

4. ClickTryfreetobeginanewtrialorBuynowtopurchasealicenseforSecureLoginforBamboo.You'repromptedtologinintotheMyAtlassiancustomerself-serviceportal.Then,SecureLoginforBamboobeginstodownload.

5. EnteryourinformationandclickGeneratelicensewhenredirectedtoMyAtlassian.

6. ClickApplylicense.Ifyou'reusinganolderversionofUPM,youcancopyandpastethelicenseintoyourBambooinstance.

7. Configuretheadd-onaccordingtosection"StandardConfiguration"(seebelow).

InstallingSecureLoginviatheAtlassianMarketplace

DownloadtheJAR-File

1. OpentheAtlasssianMarketplacewithinyourpreferredbrowser.

2. EnterSecureLoginforBamboowithinthesearchboxbelowthetitle"ExploreappsforAtlassianproducts".Theappropriateadd-onversionappearsinthesearchresults.

3. ClickTryfreetobeginanewtrialorBuynowtopurchasealicenseforSecureLoginforBamboo.You'repromptedtologintoMyAtlassian.

4. ClickGenerateLicenseinordertogenerateanewlicense

5. CopythelicensekeyandclickDownload.

6. SavetheJAR-fileonyourlocaldisk.

InstalltheJAR-File

1. SwitchintotheadministrationofBambooandchooseAdd-Ons.TheManageadd-onsscreenloads.

SecureLogin-Administrator'sGuideSecureLoginforBamboo

3

2. ClickUploadAdd-onandselecttheJAR-file.ThepluginisinstalledanddisplayedintheUser-InstalledAdd-ons.

3. EnterthelicenseandclickUpdate.

StandardConfigurationInthissectiontheadd-on/appwillbeactivatedwithstandardvaluesonly.

Activate"SecureLogin"afterinstallation

1. SelectAdd-onswithintheAdministrationareaofBamboo.

2. NavigatetotheSecureLoginsectionontheleft-handsideofthepage(figure1,step1).

3. ClickonPluginConfiguration(figure1,step2).

FIGURE1:CONFIGURATIONOFTHESECURELOGINAPP

4. Byclickingonthatmenuitem,theadd-on/appconfigurationopens,butSecureLoginisdeactivatedbydefaulttoavoidlockupofusersbymis-configurationswithregardtoyourconcreteenvironment.Ifthedefaultconfigurationmatchesyourneeds,pleaseactivatethe2-factorauthenticationviathecheckbox"SecureLoginactivated"(figure2,step1)andapplythatbyclickingonthebuttonSaveconfiguration(figure2,step2).

SecureLogin-Administrator'sGuideSecureLoginforBamboo

4

FIGURE2:ACTIVATIONOFTHECONFIGURATION

TOTPConfiguration

FIGURE3:TOTPANDCONTEXTWHITELISTCONFIGURATION

Thesection"TOTPsettings"containstheconfigurationparametersfortheTOTPprotocol.Ifyoudonothaveanyspecialneeds,werecommendtousetheGoogleDefaultsettings,whichworkwelltogetherwithallcommon2FAauthenticatorsonthemarket.IfyouchangedthatsettingsandwanttoreturnbacktousetheGoogledefaults,pleaseusethefunction"ResettoGoogleDefaults".

SecureLogin-Administrator'sGuideSecureLoginforBamboo

5

ContextWhitelist

TheWhitelistcontainsalistofcommaseparatedcontextrootelements,whichwillbeaccessedwithoutany2-factorauthenticationofthisadd-on/app.

FilterSettings

FIGURE4:FILTERSETTINGS

FilterMode• DeterminewhethertheIPListandUserGroupshouldbeusedasaBlack-orWhitelist.

GroupFilter• UserGroupwhichhasorhasnottobeauthenticatedbytheaddon/app,dependingwhether

Black-orWhitelistingisselected.

IPFilter• CommaseparatedlistofIPaddresseswhichhaveorhavenottobeauthenticatedbytheadd-

on/app,dependingwhetherBlack-orWhitelistingisselected.

ForwardHeader• CustomforwardheaderwhichcanbesettoidentifytheoriginalIPaddressbehindaproxy.Ifno

valueisset,theX-FORWARDED-FORheaderwillbeevaluated.

ResetAnUserAccountTheactualversionofSecureLoginforBamboodoesnotincludethemodelforresettinganuseraccount,yet.Thisfunctionalitywillbeprovidedwiththenextversionoftheplugin,soon.Untilthen,pleasehavealookintothefollowingsection"ResetAnAdministrator'sAccount"onhowtoresetanaccount,manually.

SecureLogin-Administrator'sGuideSecureLoginforBamboo

6

ResetAnAdministrator'sAccountScenario:theadmincannotlogintoConfluenceanymore,becauseher/hismobiledeviceisnolongeravailableduetowhateverreasonortheauthenticatorapphasbeendeletedonthemobiledeviceetc.

1. Teamsolution:AnotheradminhastologinandresettheSecureLogin-Tokenfortherelatedcollegue

2. Technicalsolution:ItispossiblebyexecutingthefollowingstepsbutnotrecommendedtoresetSecureLogin-accountsviadirectdatabaseaccess

o ConnecttoyourDatabasewithaDBadministrationtool

o IdentifytheSECURE_USER_CONFIGtableinyourdatabase.ThistableisnamedAO_<hash>_SECURE_USER_CONFIGwhile<hash>isa6digithashvalue.(e.g.AO_1D83D9_SECURE_USER_CONFIG)

o GettheaccountrowbylookingatthecolumnUSER_IDENTIFIER.Thisisastringcontaining<full username>_<email address>_<login username>(e.g.MaxMustermann_mm@test.org_muster).<full username>istheuser'sfullname,<email address>istheuser'sregisteredemailand<login username>istheuser'sloginname.

o Toresettheaccount,deletethecorrespondingdatasetfromtheUSER_CONFIGtableviaSQLcommandlike:

DELETE FROM AO_1D83D9_SECURE_USER_CONFIGG WHERE USER_IDENTIFIER LIKE 'Max Mustermann_mm@test.org_muster';

ThisuserwillbepresentedanewQR-Codeonthenextloginandhastoconnectamobileauthenticatortothatuseraccountagain.