SecSign ID Plugin: Bamboo

Information for 2FA protection for Crowd Datacenter and SSO 2.0 setups is available here.

Bamboo is a continuous integration and continuous deployment server. It was developed by the company Atlassian. Bamboo has comprehensive features and a high adaptability. Thus, the functionality of Bamboo can be optionally expanded or adapted by using plugins (add-on’s).

SecSign ID is a plugin for real two-factor authentication (2FA) for Bamboo. 2FA adds another layer of security to your installation by using a second token. In this case the physical token is your smartphone.

If you need more information about two-factor authentication have a look at the Bamboo Marketplace or our Github site.

Questions? Please contact us, if you need further assistance installing the Bamboo Plugin or if you looking for a plugin for other environments.

Contact

SecSign ID Plugins are adaptable to your setup and requirements, making them the leader in modern multi-factor authentication. From Design, Rollout to Authentication method, you can customize the authentication experience based on your security requirements and user behavior.

FIRST STEPS: Bamboo SETUP

Bamboo has to be set up before installing the plugin.

Please read the Bamboo Installation and Setup Tutorial if you need to set up Bamboo.

Due to the universal plugin manager by Atlasssian the installation of the plugin is very simple.

1. Log into your Bamboo system as administrator
2. Go to the administration of the add-ons via the administration menu
3. Search for ’SecSign Bamboo’ and click on ‘Install’

Another option is the download of the SecSign ID plugin from Atlasssian Marketplace. For installation you can upload the plugin into Bamboo.

Just go to administration of the add-on’s on the administration menu and choose ‘Manage Add-Ons‘. At this point you can upload the SecSign ID plugin. In the add-on administration you have also the possibility to activate or deactivate the plugin.

After the installation of the plugin you can set up the installation and the first ID (2FA user name) by working through the Intro Tutorial that is automatically displayed on the first use of the plugin. A short tutorial on the individual steps of the introduction tutorial are available below.
If you already worked through the tutorial or if you want to skip the tutorial, you can go directly to the individual parts of this documentation.
You can access the intro tutorial at any time by navigating to the plugin main page and select “Replay intro”.

Intro – Setting up the first ID for the administrator

Every single Atlassian setup is different and each company has individual requirements. SecSign offers numerous options for 2FA rollout and onboarding for the users to support your requirements ideally. All options are available to choose from in the SecSign ID plugin settings backend.

The first parts of this chapter cover the 2FA rollout for existing Bamboo users. To activate 2FA when creating a new user, please navigate to “Create new user”.

If you have additional requirements that are not covered with the default settings, or if you have any questions, please contact us for a personalized consultation.

Contact

2FA Batch Rollout for high user volumes (most popular option)

The easiest method to activate 2FA for a setup is the 2FA activation for individual groups. This option activates 2FA for entire groups at once. You can either have the administrator choose the ID (2FA app user name) pattern for a consistent ID pattern for all users (for example johnsmith@yourcompany), or the user choose his ID individually.

Activate 2FA for entire user groups in one step

Additional details about the 2FA activation for entire groups can be found in the chapter “Batch-Rollout”.

Administrator-led: Batch-Rollout with predefined pattern for user groups

Overview – Administrative point of view

Overview – User point of view

For subsequent logins, the user can use the two-factor authentication.

Detailed information

One option to roll out 2FA for your user groups is to define the ID patter (user name in the app) by the administrator. He can choose the pattern and thus, define the user name for every user in that group, in one simple step.
One example is the rollout for all users in the administrator group to receive an ID with the suffix „-admin@yourcompany“. By defining the pattern „%username%-admin@yourcompany“, the administrator predefines the ID for every single administrator in one step, without the need for additional steps in the individual user accounts. The individual IDs are automatically created and added to the individual accounts in the group.

The users in the group are then presented with the QR-code pairing option during their next login. They can download the SecSign ID app and add the ID to it by following the steps of the QR-code procedure. Activating the ID in the app is as simple as scanning the QR code (for iOS users scanning the QR code with the photo app is sufficient). After activating their ID on their app they can start using it right away.

If your users already created an ID in the app you can add them and select “Save”. That way the IDs are not created but only linked to the individual user account.

User led: Batch-Rollout with unrestricted user ID selection

Overview – Administrator point of view

For subsequent logins, the user can use the two-factor authentication.

Detailed information

You can offer your users an unrestricted choice of their ID (user name in the SecSign ID 2FA app) during their next login.

Option 1: The user has not yet created an SecSign ID (user name in the 2FA app)

The user is presented with the option to create an ID for the SecSign ID app. To create the ID he enters it in the respective entry field. If the ID is still available, he is presented with the QR code to activate the ID, as well as download links for the app on the different platforms (iOS, Android,…). He can then download the app and scan the QR code with his phone (for iOS he can use the default photo app, or the SecSign ID app). By scanning the QR code his new ID is automatically created in his app. He can then start using the two-factor authentication right away without additional assistance required by the administrator.

Option 2: The user already created a SecSign ID

If the user already created a SecSign ID (2FA user name) in the SecSign ID app and wants to use this ID, he can select “I already have a SecSign ID”. This option will allow him to add his existing ID to his account. He can then use this ID right away to authenticate, without additional assistance required by the administrator.

Assign individual IDs via Bamboo user management

SecSign offers alternative options for rollout, as well as individual customized solutions to fit your requirements. You can choose between batch enrollment, individual enrollment by the administrator as well as user-based sign-up.

A manual and individual enrollment is ideal for small user groups or to test the integration. To conveniently rollout 2FA in batch for larger groups, please refer to the chapter “22FA Batch Rollout for high user volumes”.

Administrator-led: Create a new SecSign ID for individual users

Overview – administrator point of view

Overview – user point of view

For subsequent logins, the user can use the two-factor authentication.

Administrator-led: Enter existing ID

Overview – administrator point of view

You can assign one or several SecSign IDs to any user. These IDs can be used to authenticate the Bamboo login.
Several IDs need to be divided by a comma. Assigning several IDs to one user can make sense if one user is for example a company account rather than an individual user. By assigning several IDs, several users can access this account protected with 2FA.

An overview of all users and their assigned SecSign IDs is available in the user management backend, organized by the groups the users are assigned to (for example Bamboo-administrator, Bamboo-user)

Create a new user in Bamboo

When creating a new user the administrator has the option to add a SecSign ID right away. A complete overview of the individual options on how to add an ID to an user are explained in the chapter “Assign individual IDs “

There are three options after creating a new user:
1. SecSign ID should match the user name/ SecSign ID should match the email address

Based on the settings of the plugin the ID of the user will be predefined with either one option (email address or user name). During the first login to Bamboo the user will be presented with the QR-code onboarding option to download the SecSign ID app and activate his ID.

Overview – administrator point of view

Overview – user point of view

2. User can choose his own individual SecSign ID

If you activated the option “Add own ID”, the user can choose his own individual ID during his first login.

Overview – administrator point of view

Overview – user point of view

3.Using an existing ID

If the user already created a SecSign ID, you can add it here. The user can then use it for the next authentication right away.

Overview – administrator point of view

Overview – user point of view

Option 3: Rollout for Atlassian Crowd Setup

If you are already using Atlassian crowd you can enroll your users either with the individual user sign-up (Option 2) or with your custom two-factor authentication app. Crowd then offers the option to activate 2FA for all connected services (for example JIRA, Confluence, Bamboo,…) at once.

With Crowd and the SecSign ID Crowd Plugin you can define the enrollment and 2FA activation procedure for all users and services in one setting. Define the user name and enrollment procedure with the Crowd Plugin settings, and your users can use 2FA with all connected services at once.

Important: To activate this option, you need to download and integrate the SecSign ID Add-ons for the respective services. For more information about the Atlassian Crowd integration and installation please refer to the Crowd Tutorial.
How to use Crowd with an existing SecSign ID Bamboo installation is described in the chapter Atlassian Crowd.

SecSign also offers solutions for complex setups and special cases, for example setups with users managed both in Crowd and other services, for example internal Bamboo users. Please contact us for a detailed evaluation of your setup and more information.

Contact

Option 4: Rollout for external users that are not managed in your internal Bamboo user management system

If you users are already registered in your Atlassian system (JIRA, Confluence, Crowd, Bamboo oder other) you can roll out 2FA via the administrator and manage in the individual Atlassian user management.

If your users are not yet registered in your Atlassian System you can offer them a convenient rollout experience with the QR Code procedure or the SecSign ID Custom app in combination with the on-premise setup.

We offer individualized and custom solution for complex setups and special requirements. Please contact us for a detailed evaluation of your setup and more information.

Contact

Option 5: Rollout for users managed in your Active Directory

The easiest way to activate the two-factor authentication for the users managed in your Active Directory is a link from your user management system to the SecSign ID on-premise server with the custom ID app. With this option the user can log in with his credentials (like usual), enters his SecSign ID and is automatically activated for the 2FA. This option does also include Crowd and users managed via Crowd. More information about 2FA for Crowd setups can be found in the chapter “Crowd”.

You can extend the 2FA protection for users managed in your Active Directory for numerous other access points, for example VPNs, portals and more. Additionally, we offer the option to use custom plugins, ADFS or SAML for Atlassian Cloud services as well as SAML for Atlassian on-premise service (if all users are using the same Email domain, for example @yourcompany.com).

Please contact us for a detailed evaluation of your setup and more information.
Contact

Options for the authentication

You can choose between two methods of authentication

Two-Step Authentication

With the two-step authentication (2SA) you have an additional layer of security by adding an additional step to the authentication procedure. If the option for 2SA is activated the user needs to authenticate with his user name and password before he is presented with the SecSign ID two-factor authentication. Only if the user successfully authenticated with his user name and password he can authenticate via the two-factor authentication.

Overview – administrator point of view

Overview – user point of view

Two-Factor Authentication

With the two-factor authentication the user is presented with the SecSign ID login when he tries to access his Bamboo account. He needs to enter his SecSign ID and authenticate via the SecSign ID app to access Bamboo.

Overview – administrator point of view

Overview – user point of view

Optional: Show Login with user name and password

You have the option to allow a user name/password login without 2FA. If you activate this option the login screen will show a button that allows the user to switch to the simple user name and password login.
You can activate and deactivate this option for each user individually to manage access protection via 2FA finely granular.

Login without Access Pass

Login with or without Access Pass

The two-factor authentication for Bamboo can be implemented both with and without presenting an access pass to the user. If no access pass is shown the user can verify (or deny) a login via the app without the need to verify an access pass.

Overview – administrator point of view

this option can only be activated if the two-step authentication (user name and password login followed by a two-factor authentication) is enabled.

Overview – user point of view

Authenticate with Email OTP

An alternative for users that can’t use the mobile app or desktop app, you can offer an email OTP option to verify their login with an OTP sent to their with Bamboo connected Email address. We recommend using this option only in cases that don’t give the option to use either the mobile or desktop app due to the associated risks when using OTP. An overview about why OTP are less secure than the SecSign ID App can be found here.

Overview – administrator point of view

Overview – user point of view

User settings

Change own ID
If this option is activated the user can change his own ID independently. If he wants to create a new SecSign ID and use it, he can do so after logging into Bamboo via his profile. The administrator can deactivate this option. If the option is deactivated the user needs to request an ID change with the administrator.

We recommend deactivating this option for security reasons, or activate it in combination with additional activation and security steps./p>
Option to add ID
This option simplifies the user onboarding procedure.
If the option is activated the user will be presented with the choice to add his own SecSign ID after authenticating via user name and password for accounts that do not yet have a SecSign ID assigned to. That way the user can add his own ID or create an individual ID without any additional steps required by the administrator

For more information please refer to the chapter Rollout: User-led onboarding.

Custom Login Design

You have the option to match the SecSign ID login colors to your company colors. If you activate this option you can choose a background color with a hexadecimal RGB-value.

With the SecSign ID on-premise setup you have additional options to customize the login, for example with your company logo. Contact us for more information about the on-premise setup and customized login for your users

Contact

Session timeout

You can set a time for which the session is valid, for example 15 for 15 minutes. If you don’t want the session to expire, set the value to 0.

In case SSO is activated this option is not valid and needs to be set in the SSO system (for example Crowd). For session timeouts in Crowd you need to set the time in the Crowd settings.

DMZ without 2FA

Most on-premise Atlassian services like JIRA and Confluence use internal networks for the internal access to the service. Those networks are normally not accessible for external access and only enabled users already authenticated via the company network access.

For these setups you can activate the IP SafeZone option to define a secure IP-zone. Within this IP-zone the user only needs to authenticate with his user name and password, not with a two-factor authentication. For all users outside of the IP-Zone (for example in a Home Office) the two-factor (or two-step) authentication is required for all logins to add a layer of security.

Crowd

Atlassian Crowd offers a convenient user management system including SSO for all Atlassian products. A user successfully authenticated for Bamboo is automatically logged in to all other connected services, for example Bitbucket, Confluence, Bamboo and other.

The SecSign ID plugin adds a secure two-factor authentication to the Crowd SSO login.

Activate “Synchronizable IDs” and save the settings to import the SecSign IDs from the Crowd system. If you are using a crowd directory for your users and already linked the SecSign IDs to the user accounts via the Crowd plugin, they are imported when this option is activated and can be used for the Bamboo login as well.

If you want to allow editing the IDs from Bamboo and make those changes available in all connected services, you can activate the option “Write in directories”. Any changes to a SecSign ID via Bamboo is automatically passed on to Crowd and all other connected services.

SecSign ID Server

The option “Company name” lets you add your company name. It is for example used during the administrator-led SecSign ID batch registration.
Die Einstellung „Firmenname“ erlaubt Ihnen Ihren Firmennamen einzugeben.
The option “Service name” lets you add your service name to be displayed at several points during the login to let the user identify the authentication.

On-premise SecSign Server

If you are using an on-premise SecSign ID server you can add it here. Add the server address at “SecSign ID server”. The option “Fallback SecSign ID server” lets you add a fall back server to be used when the first server fails. This server should have activated the IDs for at least some administrators to ensure uninterrupted access to your system.

More information about the advantages of using a SecSign ID on-premise server are available in the chapter
“SecSign ID on-premise Server”.

Create an user

You can choose your preferred method of creating SecSign IDs for new users. Detailed information about the rollout can be found in the chapter “Activate 2FA for individual users” and “Activate 2FA for user group batches”

You can choose between:
1. Using the user name to create a SecSign ID

If you choose this option the SecSign ID is created from the respective user name followed by your company name that you can edit via the option “SecSign ID server” (“@yourcompany”).
For a user with for example the user name “jdoe” a SecSign ID “jdoe@yourcompany” will be created.

2. Use the email address to create a SecSign ID

If you choose this option the SecSign ID is created from the respective email address. This option makes sense if all users are using a company email address, so each SecSign ID is distinctively identifiable

HTTP-Auth

You can choose to prevent access to Bamboo via HTTP-Basic Auth, for example via REST API access that only requires a user name and password. If you activate this option you add an additional layer of security and prevent access to your system via a loophole.

If you have additional requirements, for example access to specific IP-addresses to Bamboo via Basic-Auth you can contact us for a customized offer.

Contact

Support Options

If you are running into issues during the setup of the plugin, you have the option to either reset all settings, or to send an error log to the SecSign ID support team.

We advise you to contact the SecSign ID support team before resetting all information.

QR-Code

One option to securely and conveniently enroll your users is the QR-code procedure. More information about your options for enrollment can be found in the chapter “2FA Rollout and Activation”.
For the QR-code procedure you can choose the level of security in compliance with your requirements. Your users may only scan the QR-code and use the 2FA right away, or they may have to enter an additional security code sent to their Bamboo account Email address.

Please note that IDs are automatically created on the server if you choose the QR-code Activation with additional Email-Code verification for the batch rollout. When choosing a pattern for the IDs for one group, all IDs are automatically and immediately created on the server upon verification of the administrator. If the administrator chooses the QR-code activation without additional verification via Email code, the IDs are only created once the user activates them in the app via the QR-code procedure. In that case the IDs are reserved in Bamboo and not activated on the server until the user activates them in the app.

Synchronization of Atlassian product mapping.
To manage mappings in Crowd and all connected systems efficiently, it is important to edit the settings accordingly. To use the synchronization and SSO your Crowd needs to be set up accordingly and all services need to be connected to it.

Bamboo offers the Option “Synchronizeable IDs”. If this option is activated, the mappings are no longer saved locally in Bamboo but in Crowd and the embedded versions are saved in the applications as user attributes.

That way the Crowd directory mappings are synchronized with other applications and can be used there accordingly. This saves time and money for the administrator and enabled the use of the SSO with the SecSign ID two-factor authentication.

When the user is successfully authenticated with Bamboo he is automatically logged in to other connected services, for example JIRA, Confluence, Bamboo or other, that hav the SSO activated. It is still possible to create local Bamboo users and add their IDs only to be used in Bamboo.

If you want to enable adding and editing IDs in Bamboo, please activate the option “Write in directories”. This will enable mappings in Bamboo and make edits accessible in Crowd and all other connected applications. This option can only be activated if Bamboo has rights to modify user attributes in Crowd. If Bamboo does not have those rights, there will be an error displayed when you are trying to edit the mappings.

All other access rights are not necessary and can be edited based on your requirements. It is also not required for the Crowd Directory to have edit rights in Bamboo since the access to the attributes is separate.

Strengthen your security with an on-premise SecSign ID two-factor authentication. With the SecSign ID on-premise setup you have all 2FA components on your premise – no exceptions.

• Combine excellent security with extensive and customized settings.
• Customizable login and rollout options for your users and administrators
• Extensive options for audits, endpoint monitoring, user and access security
• Protection as strong as you need it – no exceptions. Secure all access points, including VPN, Web, Desktop and other.
• Integrate the 2FA in existing apps or get a customized SecSign YourCompany ID app – Custom built for your requirements.
• Keep control over all aspects – all files, update security, authentication process and administration.
• SecSign plugins can easily be managed with minimal maintenance. Classic problems you may encounter have a ready-to-use solution with no additional administrative actions required. For example: Loss of the device, changing out a device and more. With SecSign ID you can minimize administrative involvement, costs and frustrations.

On-premise solutions

Depending on the options you defined in the settings the two-factor authentication may look different for your users.

By default, the two-step authentication is activated. The user has to log in with his user name and password first and then authenticate with the SecSign ID two-factor authentication, if it is activated for him. To complete the two-factor authentication he is presented with an access pass, which he has to verify in the SecSign ID app. He is then authenticated and logged in to Bamboo.

If you prefer the two-factor authentication over the two-step authentication, the user only needs to provide his SecSign ID to start the authentication. He is then presented the access pass, which he needs to verify in the SecSign ID app.

Two-Step Authentication with the SecSign ID
Two-Step Authentication with the SecSign ID

If you have problems with the SecSign plugin or if you lost your SecSign ID, you can remove the plugin manually.

For this, please search for the directory in which the add-on was installed. This would usually be

$bamboo_INSTALL/atlassian-bamboo/WEB-INF/lib/.

Alternatively, you can search for the SecSign ID plugin in the Bamboo home directory:

user:bamboo-home $ find . | grep -Ei "secsign.*.jar$"
./target/bamboo/home/plugins/.osgi-plugins/transformed-plugins/secsignid-1.0_1444225075000.jar
./target/bamboo/home/plugins/.osgi-plugins/transformed-plugins/secsignid-1.0_1444298712000.jar
./target/bamboo/home/plugins/.osgi-plugins/transformed-plugins/secsignid-1.0_1444386226000.jar
./target/bamboo/home/plugins/installed-plugins/secsignid-1.0.jar

Afterwards, please delete the respective jar and restart Bamboo.