2FA for Jira Software


Our company has an inhouse IDP which we are planning to use for our Jira Software (Server instance).
Once our Crowd authenticates the user, the in-house IDP should trigger a pop-up to add the security code.

Can anybody point some to documentation which tells which Jira files need to be updated (velocity/jsp)? Or how to build a plugin for that?

We do not want to use any 3rd party Marketplace addons.

This is probably what you’re looking for:


However instead of manipulating files manually it would probably be better to make an app. That way you can version your functionality and you can also easily test it on another system first etc.

If you’re manipulating the login page via an app you want to include a web resource on the login page. However there’s apparently no standard way to include web resources on the login page. They are linking to this issue for a workaround where they are saying to either manipulate the login.jsp again or use the footer. I think another workaround for this might be to include the web resource via a servlet filter.

I’d also look at how other people have solved this problem. I only quickly peeked at what syracom did and it looks like they might not be modifying the login page at all but letting you log in normally and then check if you’re 2FA’d - if not redirect you to their own 2FA login page, likely using a servlet filter for that as well. Sounds a lot less janky than modifying the login page.

But even if you want to do it your way, modifying the login page is actually the easy step. Once you got that you need to modify the backend as well, right? I’m not sure how you would do that step without writing an app anyway.

This is everything but a simple topic and when speaking about authentication you really want to know you’re doing. Therefore it might be a good idea to reconsider your decision regarding 3rd party apps and look for a professional solution by a reputable vendor.

1 Like