Atlassian Crowd vs SAML SSO: Alternatives or Complements?

Crowd can’t do SAML SSO. But when should it be replaced with an SSO app, and when is it good to combine both?

What is Atlassian Crowd?

Atlassian Crowd is an identity management application for on-premise deployments that centralizes user management across products like Jira, Confluence, or Bitbucket and provides a streamlined navigation experience.

But what are the advantages of having Crowd versus not having it?

Active Directory connected to homegrown products

For administrators, the advantage of Crowd is that group memberships and user permissions can be managed from a central space. This is particularly interesting for organizations that have multiple historic instances (for example, 5 Jiras and 3 Confluences) and are running permissions locally, which can be very confusing.
For users, the navigation between Atlassian applications will have less friction. For example, it’s very common to bump against Confluence’s login page after clicking on a link in a Jira ticket. When both applications are connected to Crowd, that second prompt to login disappears.

Sometimes Crowd can coexist with a true SSO solution. But to understand when that combination makes sense, it’s helpful to have a closer look to how Crowd works and what are its limitations.

1. Crowd as an LDAP server

Like any other Atlassian product in Server and Data Center, Crowd can only connect to external directories via LDAP.

This is a major block if you’re using a modern cloud Identity Provider, like Okta or OneLogin, that you want to connect to via SAML or via the API.

Crowd won’t be able to integrate to any IdP using SAML.

But if your users are on Microsoft Active Directory, Crowd can be used as a central LDAP server connecting Active Directory to Jira and the other Atlassian Applications.

Learn how to configure an LDAP Directory Connector with Crowd

Streamline user management - Try real SSO

2. Crowd SSO as an integration between Atlassian apps

When Jira and Confluence are integrated with Crowd, a user can click a link to Confluence in a Jira ticket without being prompted to log in again.

While Atlassian talks about it as Crowd SSO, in reality that SSO experience is only internal to Atlassian apps. In fact, since Crowd can only use LDAP to connect to an external directory, it doesn’t support any SSO standards like SAML or OpenAuth/OIDC.

Can Atlassian Crowd be combined with SAML SSO?

Sometimes customers think that if they have Crowd, they don’t need our SAML SSO app for their Jira, Confluence, or Bitbucket. Or that if they buy the SSO app, they will have to stop using Crowd.

That’s not necessarily the case. In fact, we have an add-on for Crowd that ensures that our SAML SSO apps are capable of authenticating with remote directories!

Some complex requirements can be met with a combination of Crowd and a SAML SSO app

Whether it makes sense to combine Crowd with SAML SSO depends largely on the situation of the customer and how important the jobs are that Crowd is doing. For example, some of our customers want to configure Crowd as a source for user synchronization.

There’s a good chance that combining Crowd with SAML SSO is beneficial if the answer to any of the following questions is affirmative:

Do you have multiple Atlassian applications?
Do you need to manage group memberships outside of your IdP?
Do you need to add non-employee users to Atlassian applications and have to do it outside the IdP?

Let’s look at three examples for a better picture.

Use case 1: Replace Crowd with SAML SSO and stay on Active Directory Federation Services

The 0-level use case: migrate away from Crowd to implement a full SSO solution. In this case, Active Directory connectivity via SAML is achieved through AD FS.

So, when can Crowd simply be removed from the equation?

Usually this happens when Crowd does no longer serve an important function and can be replaced effectively by the combination of Active Directory Federation Services and a marketplace app like SAML SSO.

Ingredients:

The Identity Provider is (or will become) the single source of truth for user identity, including access policies, group memberships and permissions. Administrators will then be able to manage the entire user lifecycle from the Identity Provider without any manual jobs in the local Atlassian directories.
Besides taking care of authenticating the users, the SAML SSO app carries all the information from the Identity Provider into the Atlassian apps, so it’s always current. This can happen either via SAML attributes or via API-based synchronizations.

These migrations from Crowd can take many forms. Sometimes the IdP doesn’t change, because the customer will keep using ADFS or Azure Active Directory via LDAP. Sometimes the migration may include an upgrade to a modern cloud Identity Provider.

Bottom line: Independently of the circumstances, this kind of migration puts Atlassian applications in the same terms as any other web enterprise software, streamlining user lifecycle management.

Use case 2: Use SAML SSO to Integrate Crowd with Okta (or any other IdP) and streamline group management

When users are managed centrally and permissions locally

Sometimes an organization wants to manage user identities and authentication policies centrally, and delegate application permissions to the application admin.

But coordinating groups and permissions when you have multiple instances of Jira and Confluence with users in the thousands can prove as mission impossible.

In this case, Crowd simplifies work by centralizing the management of group memberships across Atlassian instances.

Ingredients:

An Identity Provider that only stores user information, like username, email and full name, plus authentication policies like 2FA
A SAML SSO app for authenticating users from the IdP and creating them upon their first login (JiT provisioning)
Crowd to manage group memberships and permissions into the Atlassian apps

Take for example a project related to the development of a new cloud application called Lighthouse. Members of this project will have specific permissions:

to commit code into Bitbucket branches
to publish release notes and internal documentation in the application’s Confluence space
and to work on the corresponding user stories in Jira

Without Crowd, administrators must do a lot of repeated work in each application, including:

creating the Lighthouse group
pulling members into the group

Bottomline: With Crowd, these actions can be centralized and rationalized. That tends to be very valuable in complex enterprise settings where hundreds of ongoing projects are scattered across 6 instances of Jira and 3 Confluence environments, for example.

Use case 3: Use SAML SSO to configure Crowd Data Center as an IdP with SSO 2.0

Did we say Crowd doesn’t do SAML? Well, that’s almost always true.

Crowd Data Center does use SAML, but only to provide a more consistent login experience with SSO 2.0. However, under SSO 2.0 Crowd still cannot connect to an IdP using SAML.

And when it’s enabled, customers can configure Crowd as an IdP in resolution’s SAML SSO app.

This can turn out to be very helpful when an admin needs to add users but doesn’t have the permission to use the main Identity Provider. For example, some corporations have strict policies for provisioning user accounts for employees that don’t apply to other types of users like contractors, partners, or interns.

Crowd Data Center can then be set up to manage those temporary accounts, which can be a couple of dozens or several hundreds. Users will still have the security and usability benefits of SSO, and administrators won’t have to manage them manually.

Ingredients:

North of 300 users in Atlassian applications.
Large numbers of external users including contractors, auditors, or interns
A main Identity Provider with strict policies for provisioning user accounts enforced by a central Identity team
Crowd Data Center as an additional Identity provider for the external user accounts
SAML SSO to authenticate into Atlassian applications from both IdPs

Conclusion: Is Crowd needed in the way you currently manage Jira users?

Organizations that have been using Crowd for years sometimes look at a difficult trade-off.

Staying in Crowd fails to put the company up-to-date with the type of seamless, cloud-based authentication that is expected in the times of remote-first collaboration; but a migration can be painful, particularly if current user management practices leverage the advantages of the centralization that Crowd represents.

But that trade-off is based on false assumptions. Although Crowd can be replaced by a SAML SSO app, it can also coexist with it to maximize the advantages of both products: A robust, centralized directory for all Atlassian products and instances, and fluent user authentications between the Identity Provider and Atlassian apps.

Start your Atlassian jorney towards streamlined user management

Cookie	Duration	Description
_ga	1years 19days 23hours 59minutes	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_UA	1 minute	Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named `_dc_gtm_<property-id>`.
_gat_UA-44969175-9	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	23 hours 59 minutes	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
CONSENT	16 years 3 months 13 hours	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
b3e783bb62	session	This cookie is set by the provider Zoho. This cookie is used for collecting information on user interaction with the web-campaign content. This cookie helps the website owners to promote products and events on the CRM-campaign-platform.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_calendly_session	21 days	Store user preferences
_zcsr_tmp	session	Used for website security
1e5a17c8ab	session	No description available.
3eb9b21c5c	session	No description available.
4662279173	session	No description available.
AnalyticsSyncHistory	1 month	Used to store information about the time a sync with the lms_analytics cookie took place for users in the Designated Countries
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
d4bcc0a499	session	No description available.
li_gc	2 years	Used to store consent of guests regarding the use of cookies for non-essential purposes
m	2 years	No description available.
zft-sdc	12 hours	This cookie stores metadata ( entrances, source etc) of a session which is used by full tracking. (https://www.zoho.com/privacy/cookie-policy.html)
zps-tgr-dts	1 year	This cookie stores the session's metadata on your website.
zsc	30 minutes	Zoho Service Communication Key.

Atlassian Crowd vs SAML SSO: Alternatives or Complements?

Atlassian Crowd vs SAML SSO: Alternatives or Complements?

Table of Contents

What is Atlassian Crowd?

1. Crowd as an LDAP server

2. Crowd SSO as an integration between Atlassian apps

Can Atlassian Crowd be combined with SAML SSO?

Use case 1: Replace Crowd with SAML SSO and stay on Active Directory Federation Services

Use case 2: Use SAML SSO to Integrate Crowd with Okta (or any other IdP) and streamline group management

Use case 3: Use SAML SSO to configure Crowd Data Center as an IdP with SSO 2.0

Conclusion: Is Crowd needed in the way you currently manage Jira users?

Subscribe to our newsletter:

Jaime Capitel

Tags:

Related articles:

Towards Perfect User Synchronizations with Simulations and UI Browser

User Sync: Up to 20x Faster with the New Server-Side Filtering

Unleashing Team Potential: Agile Meetings Redefined

User management apps

productivity apps

Integration Apps

resources

company

Don’t miss any news!