When creating a friend to Jira from a ELM application, or any other OSLC compliant application, process can not complete due to a message saying Jira's root services is not valid or that access has been refused.
A Single Sign-On plugin is installed on Jira (e.g. KantegaSSO or IWAAC Kerberos SSO).
Following Jira's URLs must be whitelisted on the Single Sign-On plugin installed in order to give them free access:
<jira_base_url>/rest/oslc/1.0/rootservices
<jira_base_url>/rest/oslc/1.0/publisher
<jira_base_url>/rest/oslc/1.0/oauth/accessToken
<jira_base_url>/rest/oslc/1.0/oauth/requestToken
<jira_base_url>/rest/oslc/1.0/oauth/requestKey
<jira_base_url>/plugins/servlet/oslc/oauth/authorize
Above URLs are for services discovery and to allow OAuth authentication between applications, they are safe to be freely accessed and they must be in order to allow communication between Jira and the other OSLC compliant application.