SecSignID Plugin: Bamboo

2018-03-22 12 minutes to read

2-Factor-Authentication with SecSignID for Bamboo

This tutorial describes how to set up the SecSignID-Plugin for your Bamboo-System to login increase security.

Overview

Overview & Quickstart

Bamboo is a continuous integration and continuous deployment server. It was developed by the company Atlassian. Bamboo has comprehensive features and a high adaptability. Thus, the functionality of Bamboo can be optionally expanded or adapted by using plugins (add-on’s).

SecSign ID is a plugin for real two-factor authentication (2FA) for Bamboo. 2FA adds another layer of security to your installation by using a second token. In this case the physical token is your smartphone.

If you seek for more information about about two-factor authentication have a look at the Bamboo Marketplace or our Github site.

Questions? Please contact us, if you need further assistance installing the Bamboo Plugin or if you looking for a plugin for other environments.

Contact

FIRST STEPS: Bamboo SETUP

Bamboo has to be set up before installing the plugin.

Please read the Bamboo Installation and Setup Tutorial if you need to set up Bamboo.

Installation

Plugin Installation

Due to the universal plugin manager by Atlasssian the installation of the plugin is very simple.

  1. Log into your Bamboo system as administrator
  2. Go to the administration of the add-ons via the administration menu
  3. Search for ’SecSign Bamboo’ and click on ‘Install’

Another option is the download of the SecSign ID plugin from Atlasssian Marketplace. For installation you can upload the plugin into Bamboo.

Just go to administration of the add-on’s on the administration menu and choose ‘Manage Add-Ons‘. At this point you can upload the SecSign ID plugin. In the add-on administration you have also the possibility to activate or deactivate the plugin.

Bamboo-admin-menu1

Activate 2FA for your users

Based on your requirements there are several options to activate the 2FA for your users. We offer options for convenient batch-enrollment, individual administrator-based rollout as well as user-based enrollment.

Manual enrollment via the Bamboo user management settings

The manual enrollment is perfect for small user batches or to test the integration. Navigate to the Bamboo Backend, user management and then to the individual user you want to activate Two-Factor Authentication for. Each user account has a text field in which you can add the SecSign ID (the user name previously selected in the app).

You can choose if the user is still allowed to authenticate with only the user name/password even after the 2FA is activated. For better security this feature should be deactivated.

The user is required to use 2FA with the next login once you added the ID to his user account. To authenticate the user selects the correct access pass in the SecSign ID app on his smartphone. More information about the login procedure can be found at 4. Login procedure.

To enroll a batch of users in 2FA at once or for a completely user-based self-enrollment please refer to Batch Enrollment

Manual enrollment via the SecSign ID plugin settings

Alternatively, you can enroll individual users via the SecSign ID plugin settings. Navigate to the SecSign ID menu in your Bamboo backend. You can find the SecSign ID menu at user management > SecSign ID 2FA Login or in the header menu.
In the SecSign ID plugin settings you have a list of all Bamboo users arranged by administrators and regular users. Each user has a text field for adding the SecSign ID to the respective user.
For added security please deactivate the option to login with just the user name/password and without the 2FA.

To enroll a batch of users in 2FA at once or for a completely user-based self-enrollment please refer to Batch Enrollment

Rollout Options for batch enrollment

SecSign ID offers convenient options to automate the enrollment of your user batches. You can conveniently manage the access to your Bamboo system for large numbers of users with minimal effort. The following chapter offers an overview of the individual batch-enrollment options based on your system and user account characteristics.

Option 1a: The user activates the SecSignID

You can offer the users to add their SecSign ID autonomously during the next login. Once the user logged in with his user name and password, he is prompted to provide his SecSign ID (previously chosen in the SecSign ID app). He authenticates with his mobile phone and thus, automatically activates 2FA for the next login. Existing Bamboo users can automatically connect their ID with their user account in one simple step.

To activate this feature the administrator must choose “Dialog add an ID” in the Confluence Backend SecSign ID Settings.

Option 1b: Custom ID App

For an even more convenient and streamlined process you can employ your own SecSign ID custom app in combination with your on-premise server. It offers numerous customized enrollment options including Email-based activation codes.

For more information about custom enrollment options tailored for your setup please contact us.

Contact

Option 2: Rollout for setups with Atlassian Crowd

If you are already using Atlassian Crowd you can either enroll your users via the Self-Enrollment (Option 1) or with a custom ID app in combination with your on-premise server. Crowd then offers the option to activate 2FA once for all connected services (for example Jira, Confluence, Bamboo,…).

To use this feature you need to install the SecSign ID plugins for the corresponding services first. More information on the individual steps of the Crowd setup are available in the Crowd Tutorial.
More information about the Crowd setup with an existing Bamboo SecSign ID configuration please refer to chapter Atlassian Crowd.

We also offer solutions for setups with specific requirements, for example systems with both users managed in Crowd and other management systems, for example internal Bamboo users.

For more information about custom enrollment options tailored for your setup please contact us.

Contact

Option 3: Rollout for users that are not managed in your internal user management system

If your users are already registered in your Atlassian system (Jira, Confluence, Crowd, Bitbucket or other) you can simply activate them individually and administrator-based (see 2.1 and 2.2) and manage them in the Atlassian user management service.

If the users are not yet registered in the Atlassian system you can offer them a convenient self-enrollment with rollout codes (for example via Email) and your custom ID app in combination with your on-premise server.

For more information about custom enrollment options tailored for your setup please contact us.

Contact

Option 4: Rollout for users managed in your Active Directory

The most convenient solution for enrolling your in your Active Directory managed users is linking your user management system with your on-premise server and employing a custom ID app. The user authenticates with his Active Directory user credentials and provides his SecSign ID to automatically enroll in the two-factor authentication.

You can use this option also for other services, for example VPNs, portals or other. It offers both the option to use the stand-alone plugins, use ADFS or SAML on-premise setups (if all users are using the same @yourcompany.com Email-handle).

For more information about custom enrollment options tailored for your setup please contact us.

Contact

User Settings

User Settings

You can assign every Bamboo user one or more SecSign ID´s. These SecSign ID´s can then be used for authentication and login for Bamboo.

If you want to assign several SecSign ID´s to a Bamboo user, simply enter all SecSign ID’s separated by a comma into the field. When two step authentication shall be used, the mapping SecSign ID and Atlassian user needs to be unique. Multiple SecSign IDs can no longer be assigned to a user.

It is sensible to assign more SecSign ID´s to a Bamboo user, if the Bamboo user is, for example, not an individual but a company account. You would then have the option to assign several SecSign ID´s of the individual employees to this company account.

Bamboo-edit-secsignid

The overview about the individual users and their SecSign ID´s is divided into roles which are assigned to the users in the Bamboo system. In the first place there will be a listing of all administrators who usually belong to the Bamboo group ‘Bamboo-administrators‘. You find then a list of all users who have only “normal” rights and no right to administer Bamboo.

You have also the option to make the assignments of the SecSign ID´s in the profile and user view of Bamboo. In the user administration of Bamboo you can find the assignments of all users of the Bamboo system. Here you can view the account information of the individual users as well as the respective profiles. In this profile view you can also find and change the information about the assigned SecSign ID’s.

Bamboo-viewuser-1500x685

Creating new users in Bamboo

When a Bamboo administrator creates new users, the fields for the SecSign ID are additionally shown. The administrator could then assign a SecSign ID to the new user and also define in the settings whether the user is still allowed to log in by using a password.

As soon as this option is switched off, the user receives (during a login attempt with user name and password) the notification that this is not possible. As Bamboo only knows two states (successful and failed), the user is only notified that user name and password are incorrect.

2FA Procedure

Login Procedure

After the installation of the SecSign ID plugin the usual field for the entry of name and password is not shown anymore. Instead, the user sees a field where the user’s SecSign ID must be entered.

When the user clicks on Login, a so-called access pass is requested from the ID server. Behind the access pass there is an authentication session which must be confirmed by the user in the SecSign ID app on the user’s smartphone.

For this, the user only compares the access pass shown on the Bamboo site with the access pass in the SecSign ID app on the smartphone and selects the one which matches the pass on the Bamboo. Then, the user is automatically logged into Bamboo.

For a test you just need to install the SecSign ID app on your smartphone and generate a SecSign ID in the app.

This SecSign ID would then be assigned in Bamboo to a user. The administrator can do this for all users or the users can do it themselves in their profiles after the login with user name and password.

Settings

Plugin Settings and Configuration

On-premise ID Server

Improve your security with an on-premise based Two-Factor Authentication. With SecSign ID you can have all 2FA components on your premise – no compromises.

  • Combine excellent security with maximum customization options
  • Customized Enrollment and Rollout Options for your users and administrators
  • Options for Auditing, Endpoint Monitoring and User Security as strong as you need them – completely customizable
  • Secure all company logins (Web, VPN, desktop, anything that needs credentials)
  • Integrate Two-Factor Authentication in existing apps or have one build to suit
  • Maintain control over everything, from data to update frequencies, authentication procedure or administration.
  • We strive for low-maintenance applications. Common issues are already solved before you face them: Lost phone, change of device: no complex issues but merely a tap away from a solution. Save time, money and frustration.

More information on the SecSign ID on-premise setup is available here:
SecSign ID On-Premise Contact

Edit ID by user

A user may exchange his already with his user account linked old ID with a new ID, that he can create in the SecSign ID app.
User may change their ID handle if the feature is activated. If the feature is deactivated, users have to go through an administrator to have their ID handle changed.

We recommend deactivating this feature to ensure the best protection for your setup, or to use customized rollout-options for new IDs to add a layer of protection.

Bamboo-change-secsignid

Two Login Options

The 2-step authentication option (2SA) allows for an increased security on top of the two-factor authentication. Once the option is activated the user is prompted to provide his Atlassian user name and password before the SecSign ID authentication is automatically initiated. The user receives a push notification on his device and approves the login via the SecSign ID app. He does not initiate the Two-Factor Authentication with the app individually, it is launched by the successful user name/password authentication.

Bamboo-edit-two-step

If the user name and password authentication is successful, the user is then automatically promoted to complete the SecSign ID two-factor authentication.Only after both the user name and password and the two-factor authentication are successful the user is logged into the system.

Two-Factor Authentication with SecSign ID

No additional password needed for secure authentication

Two-Step Authentication with SecSign ID

Additional protection with a password and the SecSign ID Two-Factor Authentication

More information about this feature are available on the SecSign ID blog.

Two-Step Authentication

IPSafeZone

Most self-hosted (on-premise) Atlassian services like Bamboo and Confluence are used in internal networks for internal access. The infrastructure in those cases is usually restrictive to outside access and access is only available to internally identified users. With the SecSign ID IPSafeZone extension those users do not need to authenticate with an additional second factor. Only access via external logins need to authenticate with the additional second factor.

With the IPSafeZone Option a secure IP-Zone is defined. If an user is within this IP-Zone he does not need to authenticate via the two-factor authentication but with a less secure user name and password authentication. If the user is outside of that IP-Zone he needs to authenticate with the SecSign ID Two-Factor Authentication or, if activated, with the 2-step authentication.

Bamboo-edit-iprange

More information about this feature are available on the SecSign ID blog.

IPSafeZone

Customization of the Login Screen

The default SecSign ID Bamboo plugin offers a customization of the login screen the users see. For the cloud default version of the plugin this customization includes a color adjustment, for the on-premise version of the plugin additional individual customizations are possible. Please contact us if you want the plugin to match your corporate identity.

Coming soon

Login without the Access Pass

If required, the two-factor authentication to Bamboo can be implemented without access pass. The user simply accepts (or denies) the login in the SecSign app without the confirmation of the access pass.

This feature is only available, if two-step authentication is activated (login with user name and password in addition to the two-factor authentication).

no access pass

Session validity

The session validity can be managed in the Atlassian Bamboo settings and is automatically valid for the SecSign ID session as well. In the near future the administrator will also be able to adjust the session validity directly in the SecSign ID settings of the plugin.

Coming soon

Two-Factor Authentication restrictions for groups

Soon, administrators will be able to manage 2FA restrictions for entire groups, for example IPSafeZone, Two-Step Authentication, mandatory updates and more.

Coming soon

Atlassian Crowd

A centrally organized user management in Crowd as well as SSO is possible for all Atlassian products. A successful login at for example Bamboo authenticates the user for other Atlassian products, for example Crowd, Confluence, Jira or more.

The SecSign ID Crowd plugin adds two-factor authentication to the SSO login to secure the authentication.

Set a checkmark at “Synchronizeable IDs” and save the settings if you want to synchronize the SecSign ID with other directories, for example for an convenient login with Confluence and Bamboo without importing the IDs individually.
The IDs can not be edited after being imported, but they can be accessed for the authentication procedure.

If a SecSign ID is edited in an application it is automatically synchronized with all other applications and can be used accordingly.
The user can now use his SecSign ID to login to for example Bamboo and is automatically securely authenticated for all other applications.

jira-edit-crowd

More information about Crowd are available on our SecSign ID Crowd Plugin page.

SecSign ID Crowd
Synchronization

Mapping Synchronization between Atlassian solutions

With Crowd, user mappings can be managed and used with all connected services. To use these features, the Crowd-system has to be set up and connected to the respective services.

You can connect your Bamboo system by using the option “synchronizable IDs”. By activating this function the mappings are no longer stored locally in Bamboo but in Crowd and as embedded versions in the Crowd-directory of all connected services to manage the users.
That way the mappings from the crowd-directory are synchronized with all other services and can be used accordingly. It also enables the SSO function in combination with the SecSign ID Two-Factor Authentication.

Once the user successfully authenticates with the SecSign ID for one service (for example Bamboo) he is automatically logged in to all other connected services (for example Jira and Confluence).

Local users and their IDS can still be created and added in Bamboo to be used only in Bamboo.
If you require to add or change IDs in Bamboo please activate the function “Write in Directories”. This function enables the edit of Mappings in Bamboo and the subsequent use of those changes in Crowd and all other services.
To activate this function and prevent errors, Bamboo has to have writing permissions in Crowd to “Modify user attributes”. No other writing permissions are required and may be adjusted based on your requirements.
The Crowd-Directory does not require writing access to Bamboo since access to the attributes is managed separately from this feature.

Troubleshooting

Troubleshooting

If you have problems with the SecSign plugin or if you lost your SecSign ID, you can remove the plugin manually.

For this, please search for the directory in which the add-on was installed. This would usually be

$bamboo_INSTALL/atlassian-bamboo/WEB-INF/lib/.

Alternatively, you can search for the SecSign ID plugin in the Bamboo home directory:

Afterwards, please delete the respective jar and restart Bamboo.

No Patch Work Solutions:
Two-Factor Authentiacation for all your Atlassian services.

Atlassian

Logo
Secure your Confluence system with SecSign Two-Factor Authentication.
Logo
Secure your Jira system with SecSign Two-Factor Authentication.
Logo
Secure your Crowd system with SecSign Two-Factor Authentication.
Logo
Secure your Bitbucket system with SecSign Two-Factor Authentication.
Logo
Secure your Bamboo system with SecSign Two-Factor Authentication.
Logo
Secure 2FA for Identity Federation with Active Directory.
Logo
All Atlassian Plugins can be secured with our SecSign-SAML-Plugin.
Logo
Secure all interfaces between your Atlassian system and external apps with our OAuth Plugin.
Logo
Secure your REST interfaces with SecSign Two-Factor Authentication.

Why SecSignID?

Die 2FA von SecSign ist die stärkste Zwei-Faktor-Authentifizierung auf dem Markt! Profitieren Sie von unbegrenzten Möglichkeiten der Integration. Für so gut wie jedes Login bietet SecSign eine Absicherung. Auch für komnplizierte Nutzermanagement-Situationen, wie beispielse Nutzer in und außerhalb eines AD hat SecSign unkomplizierte Lösungen parat.

Logo

Inhouse- oder Cloudlösung

Zwei-Faktor-Authentifizierung in der Cloud, oder volle Kontrolle und individuelle Anpasungen durch eine Inhouse Lösung.
Logo

Sichere Authentifizierung

Passwörter sind nicht sicher. Sichern Sie Ihre Logins und somit Ihre Unternehmensdaten mit unserer echten Zwei-Faktor-Authentifizierung ab.
Logo

Schützen Sie ALLE Logins

Integration in sämtliche Loginumgebungen; Web, Lokal, VPN, Remote Desktop, Mobile Logins und Plugins für nahezu alle Umgebungen.
Logo

Einfache Integration

Unsere Plugins lassen sich leicht in Ihre Systeme integrieren und ohne großen Aufwand auch für eine große Nutzerzahl aktivieren.
Logo

Unkompliziertes Nutzermanagement

Schützen Sie Ihr Active/Directory/LDAP mit der Zwei-Faktor-Authentifizierung und erstellen Sie dadruch Ihr individuelles Identitäts- und Zugangsmanagement mit zahlreichen Sicherheitseinstellungen.
Logo

App Integration

Mit unserer Anwendungsfertigen SDK können Sie ganz einfach die Zwei-Faktor-Authentifizierung in bestehende Apps integrieren. Alternativ erstellen wir eine App mit Ihrem Unternehmens Look-and-Feel.

Your own ID-Server

On premise installations of SecSign ID offer the flexibility to connect with your preferred servers, services, and devices. And you can customize the SecSign ID with your own organization’s branding.

Learn More
On Premise 2FA ID

Latest Blog Posts, Updates & Features

Atlassian JIRA and Confluence Two-Step Authentication and IP-SafeZone

With SecSign ID you can protect all your logins with a secure Two-Factor Authentication based on a challenge response. The authentication offers the highest protection for the company data while being incredibly simple to us ...

Mehr Lesen

SSO Setup with Crowd

Content Pre-requirements Setup and configuration of the components as a server application Configuration of Crowd for the centrally organized user management Configure application (for example JIRA) to be used wit ...

Mehr Lesen

What is possible with Crowd?

The SecSign ID Crowd Plugin can be integrated in just a few steps. For more information about the plugin and the integration please refer to the following pages. Do you have any questions? Don't hesitate to contact us. ...

Mehr Lesen