SSO Setup with Crowd

09/21/2017

Content

  Pre-requirements
  1. Setup and configuration of the components as a server application
  2. Configuration of Crowd for the centrally organized user management
  3. Configure application (for example JIRA) to be used with Crowd
  4. Single-Sign-On Setup
  5. Add SecSign
  6. Special cases


The SecSign ID Crowd Plugin can be integrated in just a few steps. For more information about the plugin and the integration please refer to the following pages.

Do you have any questions? Don’t hesitate to contact us.


Setup for a centrally organized user management system with Atlassian products and SecSign (optionally with SSO)

Centrally organized user management in Crowd, as well as SSO, is possible for all Atlassian products. A successful login at, for example, JIRA then authenticates the user for the other Atlassian products, for example Crowd, Confluence or Bamboo. The SecSign ID plugin adds two-factor authentication to the SSO login (see step 5).

The following tutorial provides step-by-step instructions on how to set up the user management system and SSO with two-factor authentication.
Steps can be skipped if they were already completed previously. At the end of this tutorial you can find a list of the required steps depending on which components are already installed.

Pre-requirements

To use Atlassian products with a centrally organized user management system, all components (for example JIRA, Confluence, Bamboo) need to reach the server on which Crowd is installed. Proxy servers and firewalls need to be adjusted accordingly; a quick check is to open the Crowd base URL from each application server before continuing.

To manage the individual Atlassian logins with Crowd, the SecSign ID plugin for each service (for example JIRA or Confluence) needs to be installed first. An overview of the available SecSign ID plugins for Atlassian is available on the Atlassian overview page.

Atlassian Overview

All components need to be located in the same domain to be able to use SSO, since SSO is realized with a cookie: Crowd issues a session cookie (crowd.token_key by default) for the SSO domain configured in the Crowd console, and the browser only sends that cookie to hosts within this domain. A host outside of that domain neither receives nor can read the cookie, so it cannot take part in SSO.

The following configurations are two examples that can be used:

Example 1: one sub-domain per component
Crowd        crowd.mydomain.de
JIRA         jira.mydomain.de
Confluence   confluence.mydomain.de

Example 2: one host, one context path per component
Crowd        www.mydomain.de/crowd
JIRA         www.mydomain.de/jira
Confluence   www.mydomain.de/confluence
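Before choosing a layout, the cookie-scope rule above can be checked mechanically. The following Python function is an added example (it is not part of the SecSign plugin or of Crowd itself): it takes the planned base URLs and returns the most specific domain all hosts have in common, which is the domain the SSO cookie has to be scoped to in the Crowd console. Two simplifications are assumptions: a common suffix of fewer than two labels (a bare top-level domain) is treated as unusable, and the public-suffix list is not consulted; the leading-dot form returned by sso_cookie_domain is how the value is assumed to be entered. The URLs are the two example layouts from this page plus one that cannot work.

```python
"""Check whether a set of Atlassian base URLs can share one Crowd SSO cookie.
Added example; it is not part of the SecSign plugin or of Crowd itself."""
from urllib.parse import urlsplit


def shared_sso_domain(urls):
    """Return the most specific domain shared by all hosts in `urls`,
    or None when the hosts have no usable common domain.

    Assumption (simplification): a common suffix of fewer than two labels,
    such as just "de", is treated as unusable; browsers refuse cookies
    scoped to a bare top-level domain anyway.  The public-suffix list
    (needed for cases like "co.uk") is deliberately not consulted.
    """
    hosts = []
    for url in urls:
        host = urlsplit(url).hostname
        if not host:
            raise ValueError(f"URL without a host: {url!r}")
        hosts.append(host.lower().rstrip("."))

    # Compare the labels from the right: "de", then "mydomain", then ...
    reversed_labels = [host.split(".")[::-1] for host in hosts]
    common = []
    for column in zip(*reversed_labels):
        if len(set(column)) != 1:
            break
        common.append(column[0])

    if len(common) < 2:
        return None
    return ".".join(reversed(common))


def sso_cookie_domain(urls):
    """Value for the SSO domain in the Crowd console (assumed leading-dot
    form): the shared domain, so the cookie is sent to every host below it."""
    domain = shared_sso_domain(urls)
    return None if domain is None else "." + domain


if __name__ == "__main__":
    # The two example layouts from this page, plus a layout that cannot work.
    layouts = {
        "sub-domains": ["https://crowd.mydomain.de/", "https://jira.mydomain.de/",
                        "https://confluence.mydomain.de/"],
        "context paths": ["https://www.mydomain.de/crowd", "https://www.mydomain.de/jira",
                          "https://www.mydomain.de/confluence"],
        "mixed domains": ["https://jira.mydomain.de/", "https://confluence.otherdomain.de/"],
    }
    for name, urls in layouts.items():
        print(f"{name:14s} -> {sso_cookie_domain(urls)}")
```

For the sub-domain layout the result is `.mydomain.de`; for the context-path layout all components share the single host `www.mydomain.de`, so the cookie never has to leave that host. If the function returns None, no single cookie domain covers the components and SSO cannot work with that layout.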

1. Setup and configuration of the components as a server application

To be able to connect the components, each of them has to be installed individually. The installation can be completed with the defaults offered by the install wizard; no special settings are required at this point.

The individual components can be accessed here:

2. Configuration of Crowd for the centrally organized user management

Depending on the configuration, a user directory that is to be used by the other applications may already exist. This guide refers to that directory as the “central directory”. The following step describes how to create such a “central directory” if it does not exist yet; it may be skipped otherwise.

2.1 Creating a “central directory”

Open the Crowd console at the Crowd server address and log in with your administrator account.
Select “Directories” in the top navigation bar.

Select “Add Directory” in the left menu to start adding a user directory.
There are several types of user directories. This guide focuses on adding an internal Crowd directory. If you are adding an external directory (for example Active Directory), please follow the steps in this tutorial and then continue with step 2.2.
Adding an internal Crowd directory
Select the internal directory type to start the setup process.

Please provide a name for the directory, for example “central directory”.

The remaining settings are optional and can be left unchanged. You may edit the description of the directory and the password rules.
Select “Continue” to create the directory.

2.2 Access “central directory” externally

For other applications to use the “central directory” they have to be authorized first. To do this, select “Applications” in the top navigation bar.

To add an application, select “Add Application” in the left menu.

Select the type of application that needs access to the “central directory” under “Application type”, for example JIRA.
The field “Name” defines the name with which the application identifies itself to Crowd. Choose a strong, unique password: it is the only credential the application presents to Crowd, and it is later stored in plain text in the application's crowd.properties (step 4), so it must not be reused anywhere else.
In the next step (“Next”) the URL and the IP address of the application need to be defined. This adds an additional security barrier, since Crowd only accepts requests for this application from the defined address, even if the correct password is provided. If the application reaches Crowd through a proxy or NAT, enter the address Crowd actually sees; otherwise the connection test in step 3 fails.
Select “central directory” in the next step.
In the final step the access rights for the directory are defined. Either all users in the directory have access to the application, or access is limited to specific groups. This is useful if users should have access to some applications but not to all of them. For example, group A may have access to JIRA while group B has access to JIRA and Bamboo.
Select “Next” and “Add Application” to complete the setup.

2.3 Add Groups

Depending on the application, its standard groups have to exist in the “central directory”. For JIRA these groups are “jira-administrators” and “jira-users”.
Select “Groups” in the top navigation bar and continue with “Add Group” in the left menu.

Enter the name of the group and select “central directory” as “Directory”. You may add an optional description of the group; finish by selecting “Create”.
Return to “Applications” and select the application of choice, for example JIRA.

Under “Groups” you can add both groups to the application by selecting “Add”.

2.4 Add users

To add users, select “Users” in the top navigation bar and continue with “Add users” in the left menu.

Enter the details of the user and select “central directory” as “Directory”. Finish by selecting “Create”.
Then the user can be added to the corresponding groups.
Open the user, select the “Groups” tab and then “Add groups”. Find the corresponding group with the search function, select it and confirm with “Add selected groups”.

3. Configure application (for example JIRA) to be used with Crowd

A. Configure JIRA
B. Configure Confluence
C. Configure other applications

A. Configure JIRA

First, start the JIRA server. Then log in at the JIRA address with the administrator account.
Select “User Management” in the JIRA administration menu to add the user directory to JIRA.

All users should now be displayed, and “User Directories” can be selected in the left menu. The internal JIRA directory should be listed here.

Select “Add Directory” and “Atlassian Crowd” in the drop-down menu to add the new directory.

For JIRA to contact the Crowd server, a name for the directory and the URL of the Crowd server need to be provided. Use the https address of the Crowd server: the application password is sent with every request.

Additionally, the application name and password defined in step 2.2 need to be provided.
“Crowd Permissions” defines the access rights, either “Read Only” or “Read/Write”.
If SecSign ID is to be used and the IDs are to be managed in JIRA, select “Read/Write”. If only “Read Only” is selected, the SecSign IDs can still be used for authentication with JIRA and can be transferred from other applications, but they cannot be edited in JIRA.
The incremental synchronization may be adjusted if required.
“Test Settings” verifies the connection to Crowd. If the test is successful, “Save and Test” can be selected to finish adding the directory.
The new users are available under “Users” in the left menu after selecting “Synchronize” next to the directory.

B. Configure Confluence

First, start the Confluence server. Then log in at the Confluence address with the administrator account.
Next, the user directory has to be added to Confluence. Select “Confluence Administration” in the top navigation bar and navigate to “User management”.

Select “User Directories” in the left menu. The internal Confluence directory should be listed here.
Select “Add Directory” and “Atlassian Crowd” in the drop-down menu to add a directory.

A name has to be provided for the directory, as well as the URL of the Crowd server for Confluence to communicate with it. Use the https address of the Crowd server: the application password is sent with every request.

Provide the application name and password created in step 2.2. The connection and proxy server settings are optional.
“Crowd Permissions” defines the access rights, either “Read Only” or “Read/Write”.
If SecSign ID is to be used and the IDs are to be managed in Confluence, select “Read/Write”. If only “Read Only” is selected, the SecSign IDs can still be used for authentication with Confluence and can be transferred from other applications, but they cannot be edited in Confluence.
Optionally, the incremental synchronization and the group membership settings may be adjusted if needed.
“Test Settings” verifies the connection to Crowd. If the test is successful, “Save and Test” can be selected to finish adding the directory.
The new users are available under “Users” in the left menu after selecting “Synchronize” next to the directory.

C. Configure other applications

Additional applications can be configured with Crowd in the same way; the setup is similar to adding JIRA or Confluence.
Atlassian offers instructions for adding these applications, and you may refer back to the setup for JIRA and Confluence.
Atlassian instructions:

4. Single-Sign-On Setup

As soon as the application is connected to Crowd (steps 2 and 3), setting up SSO is a quick procedure.

A. Setup SSO for JIRA
B. Setup SSO for Confluence
C. Setup SSO for other applications

A. Setup SSO for JIRA

To enable SSO for JIRA, shut down the JIRA server first.
Next, seraph-config.xml needs to be edited. It is located in the JIRA installation directory (for example C:\programs\Atlassian\JIRA on Windows) in the sub-directory “atlassian-jira\WEB-INF”. Right-click the file and select “Edit” to open it in an editor.
The current authenticator needs to be commented out. Add

Next, the Crowd connection details need to be made available to the authenticator. Copy the file “crowd.properties” from the sub-directory “client/conf” of the Crowd installation directory to the sub-directory “atlassian-jira\WEB-INF\classes” of the JIRA installation directory.
To enable the communication, some details in this file need to be edited. Right-click crowd.properties and open it with an editor. Then customize the following parameters:

application.name            the name you defined in Crowd for the application (step 2.2)
application.password        the password you defined in Crowd for the application
crowd.base.url              the URL of the Crowd server (use the https address)
session.validationinterval  0 means the validity of the session is verified with Crowd on every request.
                            A value n > 0 means the session is verified at most every n minutes.
                            The latter improves performance with many users by reducing the requests to the Crowd server, at the price that a session invalidated in Crowd (for example by a logout in another application or by deactivating the user) can remain valid in JIRA for up to n minutes.

Since the file holds the application password in plain text, restrict read access to it to the account that runs JIRA.

Save the file and start the JIRA server.
You should now be able to log in to Crowd and, if the account has access to JIRA, be automatically logged in to JIRA. To verify, open JIRA in your browser; you should already be logged in.
The login also works the other way around: a successful authentication with JIRA automatically logs the user in to Crowd.

B. Setup SSO for Confluence

To enable SSO for Confluence, shut down the Confluence server first.
Next, seraph-config.xml needs to be edited. It is located in the Confluence installation directory (for example C:\programs\Atlassian\Confluence on Windows) in the sub-directory “confluence\WEB-INF”. Right-click the file and select “Edit” to open it in an editor.
The current authenticator needs to be commented out. Add

Then, the line for the SSO authenticator ConfluenceCrowdSSOAuthenticator needs to be activated by removing the comment markers around it.

Next, the Crowd connection details need to be made available to the authenticator. Copy the file “crowd.properties” from the sub-directory “client/conf” of the Crowd installation directory to the sub-directory “confluence\WEB-INF\classes” of the Confluence installation directory.
To enable the communication, some details in this file need to be edited. Right-click crowd.properties and open it with an editor. Then customize the following parameters:

application.name            the name you defined in Crowd for the application (step 2.2)
application.password        the password you defined in Crowd for the application
crowd.base.url              the URL of the Crowd server (use the https address)
session.validationinterval  0 means the validity of the session is verified with Crowd on every request.
                            A value n > 0 means the session is verified at most every n minutes.
                            The latter improves performance with many users by reducing the requests to the Crowd server, at the price that a session invalidated in Crowd (for example by a logout in another application or by deactivating the user) can remain valid in Confluence for up to n minutes.

Since the file holds the application password in plain text, restrict read access to it to the account that runs Confluence.

Save the file and start the Confluence server.
You should now be able to log in to Crowd and, if the account has access to Confluence, be automatically logged in to Confluence. To verify, open Confluence in your browser; you should already be logged in.
The login also works the other way around: a successful authentication with Confluence automatically logs the user in to Crowd.
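The two files edited in A and B are easy to get subtly wrong: leaving both the default and the SSO authenticator active in seraph-config.xml, pointing crowd.base.url at a plain-http address, or mistyping the validation interval. The following Python script is an added example (not code from SecSign or Atlassian) that checks both files before the server is started again, for JIRA as well as for Confluence. It assumes the authenticator class names listed in SSO_AUTHENTICATORS match your product version (compare them with the commented-out lines Atlassian ships in seraph-config.xml), treats a 12-character minimum password length as a local policy, and uses constructed sample file contents rather than files from a real installation.

```python
"""Pre-flight checks for the two files the Crowd SSO setup edits:
seraph-config.xml and crowd.properties.  Added example, not part of the
SecSign plugin or of the Atlassian products."""
import re
import xml.etree.ElementTree as ET

# Assumption: these class names match your product version; compare them
# with the commented-out lines Atlassian ships inside seraph-config.xml.
SSO_AUTHENTICATORS = {
    "jira": "com.atlassian.jira.security.login.SSOSeraphAuthenticator",
    "confluence": "com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator",
}


def active_authenticators(seraph_xml):
    """Class names of <authenticator> elements that are not commented out
    (ElementTree discards XML comments, so commented-out ones are skipped)."""
    root = ET.fromstring(seraph_xml)
    return [elem.get("class", "") for elem in root.iter("authenticator")]


def check_seraph(seraph_xml, product):
    """Problems with seraph-config.xml; an empty list means SSO is wired up."""
    active = active_authenticators(seraph_xml)
    if len(active) != 1:  # default and SSO authenticator both left active
        return [f"expected exactly one active <authenticator>, found {len(active)}: {active}"]
    if active[0] != SSO_AUTHENTICATORS[product]:
        return [f"active authenticator is {active[0]}, expected {SSO_AUTHENTICATORS[product]}"]
    return []


# java.util.Properties accepts '=', ':' or plain whitespace as separator.
_PROP_LINE = re.compile(r"^\s*([^\s=:#!][^\s=:]*)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal crowd.properties reader (no line continuations, no escapes)."""
    props = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith(("#", "!")):
            match = _PROP_LINE.match(line)
            if match:
                props[match.group(1)] = match.group(2)
    return props


REQUIRED_KEYS = ("application.name", "application.password",
                 "crowd.base.url", "session.validationinterval")
MIN_PASSWORD_LENGTH = 12  # assumption: local policy, not a Crowd rule


def check_crowd_properties(text, expected_app_name=None):
    """Problems with a crowd.properties file as copied to WEB-INF/classes."""
    props = parse_properties(text)
    problems = [f"{key} is missing or empty" for key in REQUIRED_KEYS if not props.get(key)]
    name = props.get("application.name")
    if expected_app_name and name and name != expected_app_name:
        problems.append(f"application.name {name!r} does not match the Crowd application {expected_app_name!r}")
    password = props.get("application.password", "")
    if password and len(password) < MIN_PASSWORD_LENGTH:
        problems.append("application.password is shorter than the local minimum; it is "
                        "the only credential the application presents to Crowd")
    url = props.get("crowd.base.url", "")
    if url and not url.lower().startswith("https://"):
        problems.append("crowd.base.url is not https: the application password and "
                        "session tokens would cross the network in clear text")
    interval = props.get("session.validationinterval")
    if interval:
        try:
            if int(interval) < 0:
                problems.append("session.validationinterval must be 0 or a number of minutes")
        except ValueError:
            problems.append(f"session.validationinterval is not an integer: {interval!r}")
    return problems


# Constructed samples (not copied from a real installation): the JIRA file
# before step A, and after commenting out the default authenticator.
SERAPH_BEFORE_SSO = """<security-config>
  <rolemapper class="com.atlassian.jira.security.JiraRoleMapper"/>
  <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/>
  <!-- <authenticator class="com.atlassian.jira.security.login.SSOSeraphAuthenticator"/> -->
</security-config>
"""
SERAPH_AFTER_SSO = """<security-config>
  <rolemapper class="com.atlassian.jira.security.JiraRoleMapper"/>
  <!-- <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/> -->
  <authenticator class="com.atlassian.jira.security.login.SSOSeraphAuthenticator"/>
</security-config>
"""
# A weak crowd.properties (shipped defaults left in, http, bad interval)
# beside a corrected one.
CROWD_PROPS_WEAK = """\
application.name                        jira
application.password                    password
crowd.base.url                          http://crowd.mydomain.de/crowd/
session.validationinterval              two
"""
CROWD_PROPS_OK = """\
application.name = jira
application.password = Xq7!mRt2#pL9vD4s
crowd.base.url = https://crowd.mydomain.de/crowd/
session.validationinterval = 2
"""
```

Run check_seraph against the real seraph-config.xml of the product and check_crowd_properties against the copied crowd.properties, passing the application name registered in Crowd in step 2.2; both return an empty list when the files are ready, otherwise one message per problem. Because the XML parser drops comments, a commented-out authenticator is exactly what the check wants to ignore, and a leftover active default authenticator shows up as "found 2".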

C. Setup SSO for other applications

Most other Atlassian products can be set up similarly to the procedures described in A and B. Atlassian offers instructions for setting up SSO with their products:

5. Add SecSign

With SecSign you can add secure two-factor authentication to Crowd, JIRA and Confluence. With SSO, the user benefits from 2FA for all other connected products as well, for example Bamboo.
First, the plugins for JIRA, Confluence and Crowd need to be installed.

As soon as the plugins are installed, the user can use SSO if it was set up previously (see step 4).
To synchronize the SecSign IDs via Crowd, the following steps have to be performed in every application (Crowd, JIRA, Confluence):

  • Select SecSign ID in the top navigation bar.
  • In the configuration menu select “Edit Options”.
  • Select “Synchronizeable IDs” and save the settings.

This setting can only be enabled if write access to the directory was granted in the previous steps of the setup.
If no write access was granted, an error message is shown. IDs can then still be synchronized either by granting write access or by importing and activating the IDs from a different application via the respective option.
Imported IDs cannot be edited, but they can be used for authentication.
If a SecSign ID is edited in one application, it is automatically synchronized to all other applications and can be used there accordingly.
The user can now use their SecSign ID to log in to, for example, JIRA and is automatically authenticated for all other applications.

6. Special Cases

  1. I am using JIRA and I would like to use the centrally organized user management system.
     Follow the setup instructions and skip the JIRA installation.

  2. I am using Confluence and I would like to use the centrally organized user management system.
     Follow the setup instructions and skip the Confluence installation.

  3. I am using JIRA and Crowd and I would like to use Crowd for my user management system.
     Follow the setup instructions and skip the JIRA and Confluence installation.

  4. I am already using a centrally organized user management system and I would like to set up SSO.
     You only need to follow the instructions in step 4 and, if you would like to add SecSign ID authentication, step 5.
     This activates 2FA and SSO for your Atlassian products.

  5. I am already using a centrally organized user management system and I would like to set up 2FA.
     You only need to follow the instructions in step 5 to activate 2FA.
