SURFnet's seamless Crowd migration to SAML SSO
SURFnet’s wiki page on SURFconext, the federated identity management system offered to member organizations, is a great example of how to build attractive, usable documentation for IT professionals.
Key SURFnet Figures
Over 100 education and research institutions are members of the SURF cooperative
Up to 100 Gb/s of internet speed
24/7 Help Desk
User Management Figures
10,000+ Confluence users in the wiki
1,000+ Confluence users in the intranet
400 Jira users
Over 450 groups
One of the core missions of the IT team at SURFnet is to guarantee that their network never goes down so that the Higher Education community at large can enjoy fast, always on internet access.
Product scope for the migration
SURFnet's migration from Crowd covered three products:
the company wiki and the intranet, running as two separate Confluence instances;
and Jira Service Desk, used by internal employees, suppliers, and end customers.
The mission: deprecating an obsolete SSO with Crowd at its core
SURFnet’s federated identity management system is called SURFconext, and is developed, hosted and maintained by SURF.
Following a policy of 'drinking their own champagne', they also use SURFconext for their own authentication processes, including Jira and Confluence; the service is offered to all SURF member organizations and is widely used.
Before the migration, users were authenticated into Atlassian tools using Crowd layered on top of a custom SSO add-on developed by the company that used to manage their Atlassian stack.
The design was simple: every login to Jira or Confluence was redirected to Crowd, and the Crowd add-on handled the SSO.
When SURFnet decided to discontinue the relationship with that partner, they were aware that without further maintenance the custom add-on would soon become incompatible with newer versions of Crowd.
It was a matter of time before the inability to update Crowd made their Atlassian products insecure and unreliable, making the replacement of the custom SSO add-on a top priority.
Because of the negative experience with a custom add-on becoming obsolete, we decided to look for an add-on which was sold at the Atlassian Marketplace. Choosing the market leader seemed an obvious choice for us.
Indeed, a Marketplace app already maintained for thousands of customers worldwide could ensure compatibility with future releases of the Atlassian products while providing a proven track record of reliability to safeguard their customer promise of being always online. The solution also needed to support SURFnet’s complex permission schemes and the specifics of its SAML implementation.
Resolution’s SAML SSO apps were quickly identified as that leader.
As SURFnet’s project lead Theo Engelman started evaluating the product, he was quickly surprised by its quality and functionality.
But what stood above anything else was the responsiveness of the support team.
I’m very happy with the support responsiveness at resolution. It’s good for us and it shows that we made the correct choice. The product is reliable, but also the vendor is reliable, which is as important as the product.
The Migration Project
A unique feature request
Engelman contacted resolution’s support team during the first phase of the project because SURFnet's SAML implementation stored group memberships in a complex matrix of organizational affiliations.
To support that implementation, resolution added a new function in the next release of the app that allows the values of multiple SAML attributes to be mapped to a single Jira attribute.
Resolution has a very wise attitude of close collaboration with customers. Not only do they respond fast and try to understand your problems to figure out a way to help you; what’s really great is that they’re open to suggestions for new functionality.
A database challenge
Engelman relied on the expert support of Valiantys, one of the leading Atlassian Solution Partners, to make sure they could predict what would happen to the usernames and group names in their database.
“When you’re implementing into existing instances and migrating from an external directory like Crowd, which has its unique identifiers, this becomes a sophisticated job with complex changes in PostgreSQL that can’t happen overnight by just hitting enter. You need a lot of expertise.”
Thanks to Valiantys and to the regular expression translations that the app includes, SURFnet was able to successfully migrate existing users and groups.
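As an added illustration (not the app's or SURFnet's code; the attribute names, translation rules and group names are assumptions), the following Python shows the two ideas described above: combining the values of several SAML attributes into one group attribute, and translating the result with regular expressions into group names that already exist from the Crowd era. It also applies an allow-list so that values supplied by the identity provider cannot name arbitrary local groups.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (attribute names are assumptions, not SURFconext's
# real attribute set). In a real SSO flow the XML signature is verified first.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="homeOrganization"><saml:AttributeValue>example-uni.nl</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="affiliation">
      <saml:AttributeValue>employee</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed regex translations: rewrite "<org>:<affiliation>" pairs into the group
# names that already exist from the Crowd era. A candidate that matches no rule
# is dropped, so IdP-supplied values cannot produce arbitrary local group names.
GROUP_TRANSLATIONS = [
    (r"^(?P<org>[a-z0-9-]+)\.nl:employee$", r"\g<org>-staff"),
    (r"^(?P<org>[a-z0-9-]+)\.nl:(member|student)$", r"confluence-users-\g<org>"),
]

# Hypothetical allow-list of groups that exist locally; the final safety net.
KNOWN_GROUPS = {"example-uni-staff", "confluence-users-example-uni", "jira-administrators"}


def parse_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def derive_groups(attrs: dict) -> set:
    """Combine two multi-valued attributes into group candidates, then translate."""
    groups = set()
    for org in attrs.get("homeOrganization", []):
        for aff in attrs.get("affiliation", []):
            candidate = f"{org}:{aff}".lower()
            for pattern, repl in GROUP_TRANSLATIONS:
                if re.match(pattern, candidate):
                    groups.add(re.sub(pattern, repl, candidate))
                    break  # first matching rule wins
    return groups & KNOWN_GROUPS
```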
A straightforward implementation
“The nice thing about the app is that it does exactly what you want it to do.”
Nothing about implementing resolution’s app was unexpected, but two options in the app were seen as particularly useful for streamlining the migration project.
Firstly, the option to import & export a configuration proved particularly helpful for the migration. Once the configuration was successfully completed in the test instance, all it took to move it to production was to change the service provider metadata and push it back to the federation.
Secondly, the trackers that show the exchange of information between the identity provider and the SAML SSO app proved valuable: they allowed SURFnet to quickly analyze the authentication process and proactively identify issues in the testing phase.
Gained full compatibility with future releases of Jira and Confluence
Eliminated the need to maintain the custom SSO add-on
Saved on Crowd licenses
Implemented a transparent and streamlined solution for users
Increased the flexibility for user and group provisioning
Obtained the ability to further streamline Identity and Access Management in the future
SURF is merging its 4 business units, each using their own separate IdP and Active Directory, into one. As a result, there will only be one ADFS in the future, making provisioning much simpler.
In this scenario, SURF will have the opportunity to bypass the limitations of SAML with directory synchronizations: “we want to change users also when they don’t login, for instance when their tenure ends. We will be using the User Sync functionality included in the SAML SSO app for this.”
SURF is the collaborative organisation for ICT (Information and communications technology) in Dutch education and research, responsible for maintaining the national research and education network (NREN) of the Netherlands.
The main product managed by SURFnet, one of SURF’s subsidiaries, is the SURFinternet network: the only internet provider for all Dutch universities and research centers, serving over 100 institutions and 750,000 users between students, professors, and staff.
Since their inception in 2006, Valiantys has had a 100% dedication to Atlassian and has been recognized as Partner of the year in six of the past seven years. Over that time, they have helped more than 5,000 customers to achieve their desired business outcomes at a reduced time-to-value, through improved team collaboration. Their unparalleled Atlassian expertise is used to enable their customers across the entire spectrum of their projects on Atlassian products.