OSLC Connect for Jira - Whitelisting Jira OSLC discovery URLs in SSO environment

Whitelisting Jira OSLC discovery URLs in SSO environment

This initial complementary configuration step is required only if your Jira instance has a Single Sign-On plugin installed like KantegaSSO or IWAAC Kerberos SSO. In this case, some OSLC Connect for Jira URLs must be whitelisted in the SSO plugin to allow the friending between Jira and the OSLC Remote Application you are trying to connect. These URLs are for services discovery and to allow OAuth authentication between these applications; therefore, it is completely safe (and necessary) to grant them free access.

URLs to whitelist are:

<jira_base_url>/rest/oslc/1.0/rootservices
<jira_base_url>/rest/oslc/1.0/publisher
<jira_base_url>/rest/oslc/1.0/oauth/accessToken
<jira_base_url>/rest/oslc/1.0/oauth/requestToken
<jira_base_url>/rest/oslc/1.0/oauth/requestKey

Not doing this step would prevent creating friends from the OSLC Remote Application to Jira, a message like "root services URL is invalid" will be displayed or an unauthorized access error (401) will be reported in the OSLC Remote Application.

Any other Jira URL remains authentication protected. Whitelisting those discovery URLs does not let anyone accessing any content she/he should not be allowed to. Also note all other OSLC applications have the same whitelisting requirement.

If IBM Link Index Provider (LDX) or IBM Lifecycle Query Engine (LQE) are to connect to Jira, it is very likely you'll need to whitelist completely <jira_base_url>/rest/oslc. Indeed in this case the requests from the IBM server application to Jira are made on behalf of a functional user (associated to the registered consumer), without involving any user interaction in the browser. Therefore the SSO plug-in knows nothing about user identity in this case and would reject the requests. Whitelisting <jira_base_url>/rest/oslc is to instruct the SSO plugin to let OSLC Connect for Jira handling user authentication on its own in this particular server-to-server communication.

Kantega
Kantega recommends to turn off REST services checking within Jira.
If you do desire Kantega to check REST services, you are required to add /oslc to the Kerberos exclusion for sub-paths of /rest, otherwise Kantega would reject most of the requests coming from the OSLC Remote Application, for reasons detailed above.
The capability to whitelist a subset of REST services was introduced in Kantega 3.5.15.