  • Julie Gums

Is Atlassian crowd enough to be used as SAML Single Sign-On?

Updated: Jul 23


Question

Is Atlassian crowd enough to be used as SAML Single Sign-On?



What is the problem?

Atlassian promotes Crowd as a Single Sign-On solution, meaning that you sign in only once for all of your Atlassian applications. If, for example, you have Jira, Confluence and Bamboo connected to Crowd, you still need to authenticate once against Crowd before you are logged in to the Atlassian apps. It is not Single Sign-On in the enterprise sense, where signing in to one enterprise application signs you in to all of them.


As Crowd doesn't speak SAML, you can't connect it to any enterprise-wide Single Sign-On setup. Learn more about the setup here.


How can I use Crowd in combination with SAML SSO?


This is what a scenario in combination with the SAML Single Sign-On app would look like:

  • the Crowd directory is used as the source to provision users via synchronization

  • at the same time, all users within the Crowd-connected directory can authenticate with the Single Sign-On app to the Identity provider of your choice. 

However, there are three important points to be taken care of.


1. Compatibility with the Crowd SSO Authenticator


Using Crowd with the SAML SSO app doesn't require any additional configuration, unless Crowd's SSO Authenticator is enabled, which is not supported by the SAML SSO app. An active Crowd SSO Authenticator leads to unexpected authentication issues during the Single Sign-On process.


If the Crowd SSO Authenticator is enabled, please disable it and re-enable the default authenticator: 

In Jira:

  • Shut down the application

  • Open JIRA/atlassian-jira/WEB-INF/classes/seraph-config.xml with an editor

  • Uncomment:

"<authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/>"
  • Comment out:

"<!--<authenticator class="com.atlassian.jira.security.login.SSOSeraphAuthenticator"/>-->"

Source: Inverted way of Integrating Crowd with Atlassian JIRA - Point 2.2


In Confluence:

  • Shut down the application

  • Open CONFLUENCE/confluence/WEB-INF/classes/seraph-config.xml with an editor

  • Uncomment:

"<authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>"
  • Comment out:

"<!--<authenticator class="com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator"/>-->"

Source: Inverted way of Integrating Crowd with Atlassian Confluence - Point 2.2


In Bitbucket:

  • Shut down the application

  • Open BITBUCKET/shared/bitbucket.properties with an editor

  • Delete or comment out:

"plugin.auth-crowd.sso.enabled=true"

Source: Inverted way of Connecting Bitbucket Server to Crowd - Single Sign-On (SSO) with Crowd


In Bamboo:

  • Shut down the application

  • Open BAMBOO/webapp/WEB-INF/classes/seraph-config.xml with an editor

  • Uncomment:

"<authenticator class="com.atlassian.bamboo.user.authentication.BambooAuthenticator"/>"
  • Comment out:

"<!--<authenticator class="com.atlassian.crowd.integration.seraph.v25.BambooAuthenticator"/>-->"

Source: Inverted way of Integrating Crowd with Atlassian Bamboo - Point 2.5
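
To confirm the result of the steps above before restarting an application, the following added example (not part of the original article or of any Atlassian or SAML SSO app code) reports which authenticator is active in a seraph-config.xml or bitbucket.properties. The function names and sample file contents are constructed for illustration; the class names and the property key are the ones listed above.

```python
import xml.etree.ElementTree as ET

# Authenticator classes as named in the steps above.
CROWD_SSO = {
    "com.atlassian.jira.security.login.SSOSeraphAuthenticator",
    "com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator",
    "com.atlassian.crowd.integration.seraph.v25.BambooAuthenticator",
}
DEFAULT = {
    "com.atlassian.jira.security.login.JiraSeraphAuthenticator",
    "com.atlassian.confluence.user.ConfluenceAuthenticator",
    "com.atlassian.bamboo.user.authentication.BambooAuthenticator",
}

def check_seraph(xml_text):
    """Classify the active <authenticator> entries in a seraph-config.xml."""
    # ElementTree drops XML comments, so commented-out entries are ignored.
    root = ET.fromstring(xml_text)
    active = [el.get("class", "") for el in root.iter("authenticator")]
    if len(active) != 1:
        return "invalid: %d active authenticators" % len(active)
    if active[0] in CROWD_SSO:
        return "crowd-sso"
    if active[0] in DEFAULT:
        return "default"
    return "unknown: " + active[0]

def check_bitbucket(props_text):
    """Report whether Crowd SSO is enabled in a bitbucket.properties."""
    enabled = False
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":  # properties-file comment markers
            continue
        key, _, value = line.partition("=")  # assumes key=value form
        if key.strip() == "plugin.auth-crowd.sso.enabled":
            enabled = value.strip().lower() == "true"  # last entry wins
    return "crowd-sso" if enabled else "default"

# Constructed sample: edit done halfway, both entries left active.
SAMPLE_HALF_DONE = """<security-config>
  <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/>
  <authenticator class="com.atlassian.jira.security.login.SSOSeraphAuthenticator"/>
</security-config>"""
# Constructed sample: the state the steps above aim for.
SAMPLE_FIXED = """<security-config>
  <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/>
  <!--<authenticator class="com.atlassian.jira.security.login.SSOSeraphAuthenticator"/>-->
</security-config>"""
```

A result other than "default" means the Crowd SSO Authenticator is still active or the file was edited inconsistently.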


2. Install SAML SSO on every application

The SAML SSO app needs to be installed in every Atlassian application on which you want to use SSO.


Crowd doesn't enable SSO for all connected applications when the SAML SSO app is installed in only one of them. In other words, if the SAML SSO app is installed only in Jira, for instance, SSO does not automatically work on Confluence as well just because Crowd is connected.


3. Ensure access

Ensure that users from Crowd have permission to access the application (e.g. default Jira application access group "jira-software-users"). Otherwise Single Sign-On fails.
