SecSign ID Plugin: Bitbucket

2018-03-20

Two-Factor-Authentication with SecSignID for Bitbucket

This tutorial describes how to set up the SecSignID-Plugin for your Bitbucket-System to increase login security.

Information for 2FA protection for Crowd Datacenter and SSO 2.0 setups is available here.

Overview

Bitbucket is a web application for hosting version control repositories, used for source code and the development process. It was developed by the company Atlassian. Bitbucket has comprehensive features and is highly adaptable: its functionality can be extended or adapted by using plugins (add-ons).
SecSign ID is a plugin that provides real two-factor authentication (2FA) for Bitbucket. 2FA adds another layer of security to your installation by requiring a second token. In this case the physical token is your smartphone.

If you need more information about two-factor authentication, have a look at the Bitbucket Marketplace or our Atlassian Landing Page.

Bitbucket has to be set up before installing the plugin.

Please read the Bitbucket Installation and Setup Tutorial if you need to set up Bitbucket.

Questions? Please contact us for assistance with installing the JIRA Plugin or if you are looking for alternative plugins for other environments.

Integration of the plugin into your setup

Three choices define how the SecSign ID Two Factor Authentication is integrated into your setup:

  1. The system to protect, i.e. the system where you want to add the secure login (here: Bitbucket).
  2. The SecSign ID Server location: your own ID Server inside your protected network, or an ID Server that SecSign manages and maintains for you.
  3. The user account location: whether the assigned SecSign IDs are saved with the user account or in the IDM altogether.

Plugin Features

SecSign ID Plugins are adaptable to your setup and requirements, making them the leader in modern multi-factor authentication. From Design, Rollout to Authentication method, you can customize the authentication experience based on your security requirements and user behavior.


Adaptable authentication

Choose the authentication method that fits your setup, security requirements and your user behavior.

With SecSign ID you can offer Mobile Apps, Desktop Apps and Email OTP to adapt to your user behavior, and, depending on your security requirements, either Two-Factor Authentication or Two-Step Authentication with both a password and a user name. SecSign ID 2FA works both as a stand-alone authentication procedure (true 2FA) and in addition to the traditional user name/password login (Two-Step Authentication).


On-boarding: 2FA Rollout

Completely customizable and friction-free user enrollment to conveniently get all users and customers on board:

Enrollment can be user- or administrator-based, with options for automatic enrollment, self-enrollment or individual administrative enrollment, including our convenient QR-Code Enrollment procedure. It is easy to use even for non-professionals.
Rollout can be user-centric with self-managed enrollment, linking the old user to the new 2FA user automatically during their next login. After successfully logging in with their user name and password, users are prompted to start the automatic ID generation by scanning the provided QR code with their app, which activates 2FA for them automatically. Alternatively, enrollment can be completely user based, with convenient options to choose individual IDs and link them to the account automatically during the login.


IP SafeZone: Location based 2FA

Activate 2FA for user groups and limit 2FA to logins from outside the DMZ.

Your users need to authenticate with 2FA outside of the company but only need to provide a password at their workplace: access from within the company network requires a password, while all external access must use 2FA.
Based on the IP range, the plugin determines whether a user is inside a safe range or outside it (for example in a home office). If the user logs in from home or on the go, additional 2FA is required to prevent unauthorized access. This feature can be set up conveniently in the administrator panel.


Customizations for your layout

Improve brand recognition and user compliance.

The Cloud Add-ons offer color customizations to fit your corporate design. Or customize both add-on and app with our custom white label options.


Predefined user name (ID) by admin

For example existing Atlassian user name or corporate ID/Email address.

To simplify the rollout and user experience the administrator can predefine a certain format for the SecSign ID, for example a corporate Email address or the previously used login usernames. The user can then activate the ID in his app with our convenient QR-Code procedure during his next login.

Plugin Installation

Thanks to the Universal Plugin Manager by Atlassian, the installation of the plugin is very simple.

  1. Log into your Bitbucket system as administrator
  2. Go to the administration of the add-ons via the administration menu
  3. Search for ’SecSign Bitbucket’ and click on ‘Install’

Another option is to download the SecSign ID plugin from the Atlassian Marketplace and upload it into Bitbucket for installation.

Just go to the administration of the add-ons in the administration menu and choose ‘Manage Add-Ons’. Here you can upload the SecSign ID plugin. In the add-on administration you also have the option to activate or deactivate the plugin.

After the installation of the plugin you can set up the installation and the first ID (2FA user name) by working through the Intro Tutorial that is automatically displayed on the first use of the plugin. A short description of the individual steps of the intro tutorial is available below.
If you already worked through the tutorial, or if you want to skip it, you can go directly to the individual parts of this documentation.
You can access the intro tutorial at any time by navigating to the plugin main page and selecting “Replay intro”.

Intro – Setting up the first ID for the administrator

2FA Rollout and Activation

Every single Atlassian setup is different and each company has individual requirements. SecSign offers numerous options for 2FA rollout and onboarding for the users to support your requirements ideally. All options are available to choose from in the SecSign ID plugin backend.

The first parts of this chapter cover the 2FA rollout for existing Bitbucket users. To activate 2FA when creating a new user, please navigate to “Create new user”.

If you have additional requirements that are not covered with the default settings, or if you have any questions, please contact us for a personalized consultation.

2FA Batch Rollout for high user volumes (most popular option)

The easiest method to activate 2FA for a setup is the 2FA activation for individual groups. This option activates 2FA for entire groups at once. You can either have the administrator choose an ID (2FA app user name) pattern that gives all users a consistent ID (for example johnsmith@yourcompany), or let each user choose his ID individually.

Activate 2FA for entire user groups in one step

You can conveniently activate 2FA for entire user groups in one setting. This option can be found in the backend of the SecSign ID plugin under “2FA Activation”.


For the activation of 2FA for entire user groups you can specify a pattern for the SecSign ID (2FA user name) that is applied to the entire group. Each 2FA user name for the group members is created using that pattern, without any additional input required by the administrator.

Additional details about the 2FA activation for entire groups can be found in the chapter “Batch-Rollout”.

Administrator-led: Batch-Rollout with predefined pattern for user groups

Overview – Administrator point of view

  1. The administrator chooses an ID pattern in the plugin settings, which is based on the company name.

Overview – User point of view

  2. The user logs into Bitbucket the way he is used to (user name and password). The Bitbucket login already shows the SecSign ID design, which can be customized to fit the company color scheme.
  3. After the successful login, links to download the SecSign ID app and the QR code for the 2FA activation are displayed. The user can download the app and scan the QR code to activate his ID on his device. If the user prefers the Desktop 2FA app, he can simply enter the code on his desktop.
  4. After downloading the SecSign ID app, he starts the QR code pairing in the app.
     For additional security you can require an extra Email code, sent to the Email address associated with the user's Atlassian account. The user has to provide this code to activate 2FA for his account. You can enable this option in the plugin settings.
  5. The SecSign ID is successfully created. To finalize the SecSign ID generation, the user performs his first two-factor authentication by selecting his ID (if the process does not start automatically). The account is protected with 2FA after the first successful authentication. For all following logins the user needs to perform 2FA to access his account. The QR onboarding process is only relevant for the first activation and does not need to be repeated for subsequent logins.



Login – User point of view

To access Bitbucket, the user needs to authenticate with the SecSign ID app and his ID. The first authentication starts automatically after the user has activated his ID in the app.

  1. The user logs in with his user name and password, just like he is used to.
  2. An access symbol is displayed to the user on the screen.
  3. He selects the matching symbol in his app to verify the login.

For subsequent logins, the user can use the two-factor authentication.

Detailed information

One option to roll out 2FA for your user groups is to let the administrator define the ID pattern (user name in the app). He chooses the pattern and thereby defines the user name for every user in that group in one simple step.
One example is a rollout in which all users in the administrator group receive an ID with the suffix “-admin@yourcompany”. By defining the pattern “%username%-admin@yourcompany”, the administrator predefines the ID for every single administrator in one step, without additional steps in the individual user accounts. The individual IDs are created automatically and added to the individual accounts in the group.

The users in the group are then presented with the QR-code pairing option during their next login. They can download the SecSign ID app and add the ID to it by following the steps of the QR-code procedure. Activating the ID in the app is as simple as scanning the QR code (for iOS users scanning the QR code with the photo app is sufficient, Android users need to scan the QR Code with the SecSign ID app). After activating their ID on their app they can start using it right away.

If your users already created an ID in the app you can add them and select “Save”. That way the IDs are not created but only linked to the individual user account.
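As an added illustration of the pattern-based batch rollout described above (not the plugin's own code), the following Python derives one SecSign ID per group member from an administrator pattern, keeps IDs that users already linked, and refuses patterns that would give several users the same ID. The page only shows the %username% placeholder; %email% is an assumed second placeholder, and the case-insensitive collision check is an assumption as well.

```python
"""Batch 2FA rollout: derive one SecSign ID per group member from an admin
pattern.  Added illustration, not the plugin's own code.  The page shows only
the %username% placeholder; %email% is an assumed extra placeholder."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

PLACEHOLDER_RE = re.compile(r"%([a-z]+)%")
KNOWN_PLACEHOLDERS = {"username", "email"}  # %email% is an assumption


@dataclass
class User:
    username: str
    email: str
    secsign_ids: List[str] = field(default_factory=list)  # IDs already linked


class PatternError(ValueError):
    """Raised when a pattern cannot produce one distinct ID per user."""


def validate_pattern(pattern: str) -> None:
    names = set(PLACEHOLDER_RE.findall(pattern))
    unknown = names - KNOWN_PLACEHOLDERS
    if unknown:
        raise PatternError(f"unknown placeholder(s): {sorted(unknown)}")
    if not names:
        # A constant pattern would give every member the same 2FA identity.
        raise PatternError("pattern has no per-user placeholder")


def expand_pattern(pattern: str, user: User) -> str:
    values = {"username": user.username, "email": user.email}
    return PLACEHOLDER_RE.sub(lambda m: values[m.group(1)], pattern)


def batch_rollout(pattern: str, group: List[User],
                  link_existing: bool = True) -> Dict[str, str]:
    """Return {username: secsign_id} for every member of the group.

    Users who already linked an ID keep it when link_existing is True (the
    page's "not created but only linked" case); everyone else gets the
    pattern-derived ID.  Two users resolving to the same ID (compared
    case-insensitively, an assumption) abort the rollout instead of
    silently sharing one 2FA identity.
    """
    validate_pattern(pattern)
    assigned: Dict[str, str] = {}
    owner_of: Dict[str, str] = {}
    for user in group:
        if link_existing and user.secsign_ids:
            secsign_id = user.secsign_ids[0]
        else:
            secsign_id = expand_pattern(pattern, user)
        key = secsign_id.casefold()
        if key in owner_of:
            raise PatternError(
                f"{secsign_id!r} would be shared by {owner_of[key]} and {user.username}")
        owner_of[key] = user.username
        assigned[user.username] = secsign_id
    return assigned


# Constructed sample group (not real accounts).
ADMIN_GROUP = [
    User("jsmith", "john.smith@yourcompany.com"),
    User("mmueller", "maria.mueller@yourcompany.com", secsign_ids=["maria-existing"]),
]

if __name__ == "__main__":
    print(batch_rollout("%username%-admin@yourcompany", ADMIN_GROUP))
```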

User led: Batch-Rollout with unrestricted user ID selection

Overview – Administrator point of view

  1. The administrator activates the option for users to choose their own ID (user name in the SecSign ID app) during the next login.
  2. The user logs in with his user name and password, just like he is used to.
  3. He is presented with the option to add an ID (user name in the SecSign ID 2FA app) to his account. He can choose whether to add an ID he already created (existing ID) or to create a new ID for his account. If the user already created an ID in his app, he can add it here and use it for authentication right away.
  4. If the user did not yet create an ID, he can generate a new ID and is automatically directed to the QR-code activation option (see QR-code pairing). He can then create a new ID and activate it in his app automatically.




Login – User point of view

To access Bitbucket, the user needs to authenticate with his app and his ID. The first authentication starts automatically after the user has activated his ID in the app.

  1. The user logs in with his user name and password, just like he is used to.
  2. An access symbol is displayed to the user on the screen.
  3. He selects the matching symbol in his app to verify the login.

For subsequent logins, the user can use the two-factor authentication.

Detailed information

You can offer your users an unrestricted choice of their ID (user name in the SecSign ID 2FA app) during their next login.

Option 1: The user has not yet created a SecSign ID (user name in the 2FA app)

The user is presented with the option to create an ID for the SecSign ID app. To create the ID he enters it in the respective entry field. If the ID is still available, he is presented with the QR code to activate the ID, as well as download links for the app on the different platforms (iOS, Android,…). He can then download the app and scan the QR code with his phone (for iOS he can use the default photo app, or the SecSign ID app). By scanning the QR code his new ID is automatically created in his app. He can then start using the two-factor authentication right away without additional assistance required by the administrator.

Option 2: The user already created a SecSign ID

If the user already created a SecSign ID (2FA user name) in the SecSign ID app and wants to use this ID, he can select “I already have a SecSign ID”. This option will allow him to add his existing ID to his account. He can then use this ID right away to authenticate, without additional assistance required by the administrator.

Assign individual IDs via Bitbucket user management

SecSign offers alternative options for rollout, as well as individual customized solutions to fit your requirements. You can choose between batch enrollment, individual enrollment by the administrator as well as user-based sign-up.

A manual and individual enrollment is ideal for small user groups or for testing the integration. To conveniently roll out 2FA in batch for larger groups, please refer to the chapter “2FA Batch Rollout for high user volumes”.

Administrator-led: Create a new SecSign ID for individual users

Overview – administrator point of view

  1. If the user has not yet created a SecSign ID (user name in the SecSign ID app), you can reserve an ID for him and add it to his account. At the next login, after successfully logging in with his user name and password, the user is presented with the QR-code enrollment. With the QR-code enrollment he can install the app and activate his ID in a few simple steps, without additional action required from the administrator. The ID is ready to use right away.
     The administrator can assign the ID to the user both in the plugin backend and in the Bitbucket user management interface.

     Option 1: Assign ID via Bitbucket Backend > User management

     Option 2: Assign ID via Bitbucket user management > users > select individual user

Overview – user point of view

  2. If you created a new SecSign ID for the user, he has to activate it in his app before he can use it. First, he needs to download the app from the app store (download links are provided during his next login). After authenticating with his user name and password, he can activate his ID in his app by following the steps of the QR code procedure.
  3. After authenticating with his user name and password, the user is presented with the download links for the SecSign ID app and the QR code to activate his ID in the app. To activate his ID he simply has to scan the QR code (iOS users can use the default photo app). If a user prefers the Desktop app (for OSX, Windows 7 or Windows 10), he can type in the activation code to activate his ID in the app.
     The ID is ready to use right away and the user can start using 2FA with his next login.
  4. After downloading the SecSign ID app, the user selects “Start QR code pairing” on the first screen. iOS users can simply use their default photo app.
     For additional security you can require an extra Email code, sent to the Email address associated with the user's Atlassian account. The user has to provide this code to activate 2FA for his account. You can enable this option in the plugin settings.
  5. SecSign ID created successfully. To finalize the activation of the ID, the user has to authenticate with it once. This process starts automatically once the ID has been activated in the app. After successfully authenticating with the new SecSign ID, the user can use 2FA for every login.
     The QR-code onboarding procedure is only necessary for the activation of the ID, not for subsequent logins.



Login – User point of view

To access Bitbucket, the user needs to authenticate with the SecSign ID app and his ID. The first authentication starts automatically after the user has activated his ID in the app.

  1. The user logs in with his user name and password, just like he is used to.
  2. An access symbol is displayed to the user on the screen.
  3. He selects the matching symbol in his app to verify the login.

For subsequent logins, the user can use the two-factor authentication.

Administrator-led: Enter existing ID

Overview – administrator point of view

  1. If the user already created a SecSign ID in his SecSign ID app, you can add it here. Navigate to the Bitbucket backend > user management > individual user. Each individual user has an option to add an ID (the user name that was created in the SecSign ID app) to his user profile. This ID can be edited via the editing button. You can access this option both via the user management and via the tab “users”.

The ID can be used for authentication right after you added it to the user account.

You can also use this option to change an ID, for example to add an individual ID instead of the automatically chosen one. Please note that the ID needs to be created in the app first before adding it here.

Login – User point of view

To access Bitbucket, the user needs to authenticate with the SecSign ID app and his ID. The first authentication starts automatically after the user has activated his ID in the app.

  1. The user logs in with his user name and password, just like he is used to.
  2. An access symbol is displayed to the user on the screen.
  3. He selects the matching symbol in his app to verify the login.


You can assign one or several SecSign IDs to any user. These IDs can be used to authenticate the Bitbucket login.
Several IDs need to be divided by a comma. Assigning several IDs to one user can make sense if one user is for example a company account rather than an individual user. By assigning several IDs, several users can access this account protected with 2FA.

An overview of all users and their assigned SecSign IDs is available in the user management backend, organized by the groups the users are assigned to (for example Bitbucket-administrator, Bitbucket-user).

Create a new user in Bitbucket


When creating a new user, the administrator has the option to add a SecSign ID right away. A complete overview of the individual options for adding an ID to a user is given in the chapter “Assign individual IDs”.

There are three options after creating a new user:

1. SecSign ID should match the user name / SecSign ID should match the email address

Based on the settings of the plugin the ID of the user will be predefined with either one option (email address or user name). During the first login to Bitbucket the user will be presented with the QR-code onboarding option to download the SecSign ID app and activate his ID.

Overview – administrator point of view

  1. The administrator chooses a pattern for the user's SecSign ID, for example based on the user name or email address of the user.

Overview – user point of view

  2. During the first login the user is presented with the QR-code onboarding screen with links to download the SecSign ID app as well as the QR code to scan with the app. If the user prefers to use the Desktop app, he can simply type in the activation code to activate his ID in the app.

2. User can choose his own individual SecSign ID

If you activated the option “Add own ID”, the user can choose his own individual ID during his first login.

Overview – administrator point of view

  1. The administrator activates the option “user can choose his own ID” when creating the user.
  1. (Alternative) Alternatively, the administrator can invite the user to Bitbucket via his email address. The user will be presented with the option to choose his own individual ID here as well.

Overview – user point of view

  2. The user accepts the invite via the link in the Email and is automatically directed to the Bitbucket login screen to select a password. After he has chosen a password, he is directed to the Bitbucket login to log in for the first time. After a successful authentication with user name and password he is directed to the SecSign ID assignment page, where he can add his SecSign ID. He can either enter an ID he already created in the SecSign ID app (existing SecSign ID), or choose a new ID. If the user chooses a new ID, he is automatically directed to the QR-Code procedure to create his new SecSign ID and activate it in his app.
  2. (Alternative) If the administrator invited the user via his Email address, the user is automatically directed to the registration screen via the link in the Email. Part of this registration process is choosing the SecSign ID. He can either enter an ID he already created in the SecSign ID app (existing SecSign ID), or choose a new ID. If the user chooses a new ID, he is automatically directed to the QR-Code procedure to create his new SecSign ID and activate it in his app.

3. Using an existing ID

If the user already created a SecSign ID, you can add it here. The user can then use it for the next authentication right away.

Overview – administrator point of view

  1. The administrator selects “user already created his own ID” when creating the user.

Overview – user point of view

  2. The user can authenticate with the ID he created in the SecSign ID app.

Option 3: Rollout for Atlassian Crowd Setup

If you are already using Atlassian Crowd, you can enroll your users either with the individual user sign-up (Option 2) or with your custom two-factor authentication app. Crowd then offers the option to activate 2FA for all connected services (for example JIRA, Confluence, Bamboo, …) at once.

With Crowd and the SecSign ID Crowd Plugin you can define the enrollment and 2FA activation procedure for all users and services in one setting. Define the user name and enrollment procedure with the Crowd Plugin settings, and your users can use 2FA with all connected services at once.

Important: To activate this option, you need to download and integrate the SecSign ID Add-ons for the respective services. For more information about the Atlassian Crowd integration and installation please refer to the Crowd Tutorial.
How to use Crowd with an existing SecSign ID Bitbucket installation is described in the chapter Atlassian Crowd.

SecSign also offers solutions for complex setups and special cases, for example setups with users managed both in Crowd and other services, for example internal Bitbucket users. Please contact us for a detailed evaluation of your setup and more information.

Option 4: Rollout for external users that are not managed in your internal Bitbucket user management system

If your users are already registered in your Atlassian system (JIRA, Confluence, Crowd, Bitbucket or other), you can roll out 2FA via the administrator and manage it in the individual Atlassian user management.

If your users are not yet registered in your Atlassian System you can offer them a convenient rollout experience with the QR Code procedure or the SecSign ID Custom app in combination with the on-premise setup.

We offer individualized and custom solutions for complex setups and special requirements. Please contact us for a detailed evaluation of your setup and more information.

Option 5: Rollout for users managed in your Active Directory

The easiest way to activate the two-factor authentication for the users managed in your Active Directory is a link from your user management system to the SecSign ID on-premise server with the custom ID app. With this option the user can log in with his credentials (like usual), enters his SecSign ID and is automatically activated for the 2FA. This option does also include Crowd and users managed via Crowd. More information about 2FA for Crowd setups can be found in the chapter “Crowd”.

You can extend the 2FA protection for users managed in your Active Directory for numerous other access points, for example VPNs, portals and more. Additionally, we offer the option to use custom plugins, ADFS or SAML for Atlassian Cloud services as well as SAML for Atlassian on-premise service (if all users are using the same Email domain, for example @yourcompany.com).

Please contact us for a detailed evaluation of your setup and more information.

Options for plugin settings

Options for the authentication


You can choose between two methods of authentication:

Two-Step Authentication

With the two-step authentication (2SA) you have an additional layer of security by adding an additional step to the authentication procedure. If the option for 2SA is activated the user needs to authenticate with his user name and password before he is presented with the SecSign ID two-factor authentication.

Overview – administrator point of view

  1. You can activate the two-step authentication in the Bitbucket backend. The option “No 2FA necessary” defines whether the user needs to authenticate with a two-factor authentication or whether an authentication with only the user name and password is sufficient.
     If you activate this option, the user only needs to authenticate with his user name and password (no 2FA or 2SA). This gives you the option to offer users with limited access rights a simple login. For users with extensive access rights (for example administrative accounts) you should deactivate this option to give those accounts optimal protection. If the option is deactivated, they need to log in with their user name and password and then authenticate with the SecSign ID 2FA to access their account.

Overview – user point of view

  2. The user logs in with his user name and password like he is used to.
  3. The user receives a push notification on the device he installed the SecSign ID app on and confirms the login via the app. He cannot authenticate via the two-factor authentication before verifying his identity with his user name and password first.

Two-Factor Authentication

With the two-factor authentication the user is presented with the SecSign ID login when he tries to access his Bitbucket account. He needs to enter his SecSign ID and authenticate via the SecSign ID app to access Bitbucket.

Overview – administrator point of view

  1. You can activate the two-factor authentication via the Bitbucket backend. The option “show login with user name and password” decides whether the user can still use the user name and password login as an option (without 2FA).
     If you activate this option, the user only needs to authenticate with his user name and password (no 2FA or 2SA). This gives you the option to offer users with limited access rights a simple login. For users with extensive access rights (for example administrative accounts) you should deactivate this option to give those accounts optimal protection. If the option is deactivated, they need to log in with their user name and password and then authenticate with the SecSign ID 2FA to access their account.

Overview – user point of view

  2. The user can now authenticate with the SecSign ID that is linked to his account and the app (see Rollout for more information).


Optional: Show Login with user name and password

You have the option to allow a user name/password login without 2FA. If you activate this option, the login screen shows a button that allows the user to switch to the simple user name and password login.
You can activate and deactivate this option for each user individually, so that access protection via 2FA can be managed at a fine granularity.

Login with or without Access Pass

The two-factor authentication for Bitbucket can be implemented both with and without presenting an access pass to the user. If no access pass is shown the user can verify (or deny) a login via the app without the need to verify an access pass.

Overview – administrator point of view

This option can only be activated if the two-step authentication (user name and password login followed by a two-factor authentication) is enabled.

Overview – user point of view


Authenticate with Email OTP (one-time password)

As an alternative for users that can’t use the mobile app or desktop app, you can offer an email OTP option: they verify their login with an OTP sent to the Email address connected with their Bitbucket account. Because of the risks associated with OTPs, we recommend using this option only in cases where neither the mobile nor the desktop app can be used. An overview of why OTPs are less secure than the SecSign ID App can be found here.

Overview – administrator point of view



Overview – user point of view

The user is sent an OTP code to the Email address associated with his Bitbucket account. He can use this OTP to log in to Bitbucket. This option only works with two-step authentication activated: the user has to provide user name and password to initiate the OTP delivery.

User settings


Change own ID
If this option is activated the user can change his own ID independently. If he wants to create a new SecSign ID and use it, he can do so after logging into Bitbucket via his profile. The administrator can deactivate this option. If the option is deactivated the user needs to request an ID change with the administrator.

We recommend deactivating this option for security reasons, or activating it only in combination with additional activation and security steps.

Option to add ID
This option simplifies the user onboarding procedure.
If the option is activated, a user whose account does not yet have a SecSign ID assigned is presented with the choice to add his own SecSign ID after authenticating via user name and password. That way the user can add his own ID or create an individual ID without any additional steps required by the administrator.

For more information please refer to the chapter Rollout: User-led onboarding.

Custom Login Design

You have the option to match the SecSign ID login colors to your company colors. If you activate this option you can choose a background color with a hexadecimal RGB-value.

With the SecSign ID on-premise setup you have additional options to customize the login, for example with your company logo. Contact us for more information about the on-premise setup and a customized login for your users.

Session timeout

You can set a time for which the session is valid, for example 15 for 15 minutes. If you don’t want the session to expire, set the value to 0.

If SSO is activated this option has no effect; the session timeout then needs to be set in the SSO system (for example in the Crowd settings).

DMZ without 2FA

Most on-premise Atlassian services like JIRA and Confluence are reached over internal networks. Those networks are normally not reachable from outside and are only available to users who have already authenticated to the company network.

For these setups you can activate the IP SafeZone option to define a secure IP zone. Within this IP zone the user only needs to authenticate with his user name and password, not with two-factor authentication. For all users outside the IP zone (for example in a home office) the two-factor (or two-step) authentication is required for every login to add a layer of security.

Crowd

Atlassian Crowd offers a convenient user management system including SSO for all Atlassian products. A user successfully authenticated for Bitbucket is automatically logged in to all other connected services, for example Confluence, Bamboo and others.

The SecSign ID plugin adds a secure two-factor authentication to the Crowd SSO login.

Activate “Synchronizable IDs” and save the settings to import the SecSign IDs from the Crowd system. If you are using a Crowd directory for your users and have already linked the SecSign IDs to the user accounts via the Crowd plugin, they are imported when this option is activated and can be used for the Bitbucket login as well.

If you want to allow editing the IDs from Bitbucket and make those changes available in all connected services, you can activate the option “Write in directories”. Any change to a SecSign ID via Bitbucket is then automatically passed on to Crowd and all other connected services.

SecSign ID Server

The option “Company name” lets you add your company name. It is for example used during the administrator-led SecSign ID batch registration.
The option “Service name” lets you add your service name to be displayed at several points during the login to let the user identify the authentication.

On-premise SecSign Server

If you are using an on-premise SecSign ID server you can add it here. Enter the server address at “SecSign ID server”. The option “Fallback SecSign ID server” lets you add a fallback server that is used when the first server fails. The IDs of at least some administrators should be activated on this fallback server to ensure uninterrupted access to your system.

More information about the advantages of using a SecSign ID on-premise server is available in the chapter “SecSign ID on-premise Server”.

Create a user

You can choose your preferred method of creating SecSign IDs for new users. Detailed information about the rollout can be found in the chapters “Activate 2FA for individual users” and “Activate 2FA for user group batches”.

You can choose between:
1. Using the user name to create a SecSign ID

If you choose this option the SecSign ID is created from the respective user name followed by your company name (“@yourcompany”), which you can edit via the option “SecSign ID server”.
For a user with the user name “jdoe”, for example, the SecSign ID “jdoe@yourcompany” will be created.

2. Using the email address to create a SecSign ID

If you choose this option the SecSign ID is created from the respective email address. This option makes sense if all users are using a company email address, so that each SecSign ID is unambiguously identifiable.

HTTP-Auth

You can choose to prevent access to Bitbucket via HTTP Basic Auth, for example REST API access that only requires a user name and password. Activating this option adds an additional layer of security by closing a loophole that would otherwise allow access to your system with the password alone.

If you have additional requirements, for example Basic Auth access to Bitbucket from specific IP addresses, you can contact us for a customized offer.

Support Options

If you are running into issues during the setup of the plugin, you have the option to either reset all settings, or to send an error log to the SecSign ID support team.

We advise you to contact the SecSign ID support team before resetting all information.

QR-Code

One option to securely and conveniently enroll your users is the QR-code procedure. More information about your options for enrollment can be found in the chapter “2FA Rollout and Activation”.
For the QR-code procedure you can choose the level of security in compliance with your requirements. Your users may either just scan the QR code and use the 2FA right away, or they may additionally have to enter a security code sent to the email address of their Bitbucket account.

Please note that IDs are automatically created on the server if you choose the QR-code activation with additional email-code verification for the batch rollout. When choosing a pattern for the IDs of one group, all IDs are created on the server automatically and immediately once the administrator confirms. If the administrator chooses the QR-code activation without additional verification via email code, the IDs are only created once the user activates them in the app via the QR-code procedure. In that case the IDs are reserved in Bitbucket and not activated on the server until the user activates them in the app.

Git Client Access

In addition to browser access to Bitbucket you can also use a Git client application like SourceTree to access Git repositories. This access can be protected by two-factor authentication with the SecSign ID mobile app in addition to the password.

If you activate this setting in the options, a push notification is sent to your mobile device when you try to access a Git repository. You will have to confirm access of the Git client with the SecSign ID mobile app.

Please note: Currently only Git clients using HTTP-basic-auth are protected by 2FA. SSH access is not restricted. Also be aware that Git clients won’t show a message to the user about the ongoing SecSign ID authentication. So they must know to look at their mobile phone in order to confirm the authentication process.

Read access to the Git repository is not protected with 2FA by default. Many Git clients like SourceTree will read the status of the repository in the background to show a notification about new commits to the user. That would result in authentication requests in the SecSign ID mobile app every 10 minutes. If you also want to protect the read access to the Git repository you can configure a time in which subsequent Git requests are allowed without a new 2FA.

An authentication is required for every access with a Git client by default. If you activate the read command protection it’s reasonable to increase this timespan to a workday, for example up to 12 hours. Alternatively, the users can also deactivate the background updates in their Git clients.

You can set user groups that require 2FA for Git client access. If you don’t specify any group, all users are required to perform a 2FA in order to receive access. You can also configure whether users without an assigned SecSign ID are allowed to access Git with just their password or are blocked completely. It is also possible to activate the IP SafeZone feature for Git access, which allows users from specified IP ranges to access the repositories without 2FA.
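
The IP SafeZone rule from the “DMZ without 2FA” section and the Git client settings in this section combine into one decision per Git-over-HTTP request. The following Python model is an added illustration and not code from the plugin: the option names (safe_zones, required_groups, allow_users_without_id, protect_reads, grace_seconds), the decision order and the sample inputs are assumptions chosen to match the text. It generalizes slightly beyond the page by treating the read-grace window as a per-user timestamp of the last confirmed 2FA.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class GitAccessPolicy:
    """Decides whether a Git client request must be confirmed in the 2FA app.

    Hypothetical model of the settings described in the text; field names are assumptions.
    """
    safe_zones: list                # CIDR strings; requests from here need password only
    required_groups: set            # empty set means every user needs 2FA
    allow_users_without_id: bool    # password-only access for accounts with no SecSign ID
    protect_reads: bool             # also require 2FA for read commands (fetch, clone, status)
    grace_seconds: int              # no new prompt within this window after a confirmed 2FA
    _last_confirmed: dict = field(default_factory=dict)  # user -> time of last confirmation

    def _in_safe_zone(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(zone, strict=False)
                   for zone in self.safe_zones)

    def decide(self, user, groups, has_secsign_id, client_ip, command, now) -> str:
        """Return 'allow' (password suffices), 'deny', or 'require_2fa'."""
        # Read commands are unprotected unless the administrator enabled read protection.
        if command == "read" and not self.protect_reads:
            return "allow"
        # Inside the IP SafeZone only user name and password are needed.
        if self._in_safe_zone(client_ip):
            return "allow"
        # If groups are configured, only members of those groups need 2FA.
        if self.required_groups and not (self.required_groups & set(groups)):
            return "allow"
        # Accounts without a SecSign ID are either let in with the password or blocked.
        if not has_secsign_id:
            return "allow" if self.allow_users_without_id else "deny"
        # A recent confirmation in the app covers background requests for the grace window.
        last = self._last_confirmed.get(user)
        if last is not None and now - last < self.grace_seconds:
            return "allow"
        return "require_2fa"

    def record_confirmation(self, user, now) -> None:
        """Call after the user confirmed the push notification in the SecSign ID app."""
        self._last_confirmed[user] = now
```

With protect_reads enabled and a twelve-hour grace window, a client such as SourceTree polling the repository every ten minutes triggers one confirmation at the start of the workday rather than one per poll, which is the trade-off the text describes.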

Synchronization / Crowd

Synchronization of Atlassian product mapping.
To manage mappings in Crowd and all connected systems efficiently, it is important to edit the settings accordingly. To use the synchronization and SSO your Crowd needs to be set up accordingly and all services need to be connected to it.

Bitbucket offers the option “Synchronizable IDs”. If this option is activated, the mappings are no longer saved locally in Bitbucket but in Crowd, and are saved in the connected applications as user attributes.

That way the Crowd directory mappings are synchronized with the other applications and can be used there accordingly. This saves time and money for the administrator and enables the use of SSO with the SecSign ID two-factor authentication.

When the user is successfully authenticated with Bitbucket he is automatically logged in to the other connected services that have SSO activated, for example Bamboo, Confluence or others. It is still possible to create local Bitbucket users and add their IDs to be used only in Bitbucket.

If you want to enable adding and editing IDs in Bitbucket, please activate the option “Write in directories”. This will enable mappings in Bitbucket and make edits accessible in Crowd and all other connected applications. This option can only be activated if Bitbucket has rights to modify user attributes in Crowd. If Bitbucket does not have those rights, there will be an error displayed when you are trying to edit the mappings.

All other access rights are not necessary and can be edited based on your requirements. It is also not required for the Crowd Directory to have edit rights in Bitbucket since the access to the attributes is separate.

On-premise SecSign ID Server

Strengthen your security with an on-premise SecSign ID two-factor authentication. With the SecSign ID on-premise setup you have all 2FA components on your premises – no exceptions.

  • Combine excellent security with extensive and customized settings.
  • Customizable login and rollout options for your users and administrators.
  • Extensive options for audits, endpoint monitoring, user and access security.
  • Protection as strong as you need it – no exceptions. Secure all access points, including VPN, web, desktop and others.
  • Integrate the 2FA in existing apps or get a customized SecSign YourCompany ID app, custom built for your requirements.
  • Keep control over all aspects – all files, update security, authentication process and administration.
  • SecSign plugins can easily be managed with minimal maintenance. Classic problems you may encounter, for example loss of a device or changing to a new device, have a ready-to-use solution with no additional administrative actions required. With SecSign ID you can minimize administrative involvement, costs and frustrations.

Two-Factor Authentication Procedure

Depending on the options you defined in the settings the two-factor authentication may look different for your users.

By default, the two-step authentication is activated. The user has to log in with his user name and password first and then authenticate with the SecSign ID two-factor authentication, if it is activated for him. To complete the two-factor authentication he is presented with an access pass, which he has to verify in the SecSign ID app. He is then authenticated and logged in to Bitbucket.

If you prefer the two-factor authentication over the two-step authentication, the user only needs to provide his SecSign ID to start the authentication. He is then presented the access pass, which he needs to verify in the SecSign ID app.

Two-Step Authentication with the SecSign ID

Trouble shooting

If you have problems with the SecSign plugin or if you lost your SecSign ID, you can remove the plugin manually.

For this, please search for the directory in which the add-on was installed. This would usually be

$bitbucket_INSTALL/atlassian-bitbucket/WEB-INF/lib/.

Alternatively, you can search for the SecSign ID plugin in the Bitbucket home directory:

user:bitbucket-home $ find . | grep -Ei "secsign.*.jar$"
./target/bitbucket/home/plugins/.osgi-plugins/transformed-plugins/secsignid-1.0_1444225075000.jar
./target/bitbucket/home/plugins/.osgi-plugins/transformed-plugins/secsignid-1.0_1444298712000.jar
./target/bitbucket/home/plugins/.osgi-plugins/transformed-plugins/secsignid-1.0_1444386226000.jar
./target/bitbucket/home/plugins/installed-plugins/secsignid-1.0.jar

Afterwards, please delete the respective jar and restart Bitbucket.

Your own ID-Server

On premise installations of SecSign ID offer the flexibility to connect with your preferred servers, services, and devices. And you can customize the SecSign ID with your own organization’s branding.
