We are integrating JIRA with Confluence and JIRA with Bitbucket. All three applications are connected to Crowd to get users and enable SSO.
Crowd: abc-crowd.xyz.com/crowd is the internal Crowd URL.
JIRA: abc-jira.xyz.com:8080 is the internal JIRA URL.
Confluence: abc-wiki.xyz.com:8090 is the internal Confluence URL.
Bitbucket: abc-git.xyz.com:7075 is the internal Bitbucket URL.
SSO works fine in this case, as none of my applications are internet-facing or available on the internet.
If I make Bitbucket, JIRA and Confluence internet-facing, i.e. publicly available on the internet, their URLs will be different. Let's say
My questions are:
1. Do I need to make Crowd internet-facing?
-- As far as I know, all applications will get users and groups from Crowd via the internal Crowd link.
2. Will my configured SSO work?
-- As far as I know, these applications will use the internal URL to communicate and pass tokens to each other, even if they are accessed via the external URL.
Please clarify my confusion.
Hi @SUNIL SABALE,
You need to configure the reverse proxy serving the internet-facing content to transform the internal cookie domain into the external cookie domain, and vice versa. For instance, in Apache you have to use the ProxyPassReverseCookieDomain directive: https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypassreversecookiedomain
ProxyPassReverseCookieDomain .xyz.com .xyz.co.uk
Then SSO will work.
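As an added example (it is not part of the answer above, nor Atlassian's or Apache's own documentation), this is what that directive looks like inside a complete Apache 2.4 reverse-proxy configuration for two of the applications, using the internal and external hostnames from this thread. The certificate paths are assumed, and mod_ssl, mod_proxy, mod_proxy_http and mod_headers must be loaded. The directive only rewrites Set-Cookie headers whose Domain attribute matches its first argument, so in this setup the SSO domain configured in Crowd stays at .xyz.com and the proxy, not Crowd, is what makes the cookie valid for *.xyz.co.uk.

```apache
# Added example, not from the original thread. Two vhosts on the public
# side, one per application, both under the external domain xyz.co.uk.
# Hostnames/ports come from the thread; certificate paths are assumed.

<VirtualHost *:443>
    ServerName jira.xyz.co.uk
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/xyz.co.uk.crt      # assumed path
    SSLCertificateKeyFile /etc/ssl/private/xyz.co.uk.key    # assumed path

    ProxyRequests Off                  # never act as a forward/open proxy
    ProxyPreserveHost On               # backend sees Host: jira.xyz.co.uk
    ProxyPass        / http://abc-jira.xyz.com:8080/
    ProxyPassReverse / http://abc-jira.xyz.com:8080/

    # Jira sets the Crowd SSO cookie with Domain=.xyz.com (the SSO domain
    # configured in Crowd). The browser would never send that cookie to a
    # *.xyz.co.uk host, so rewrite the Domain attribute on the way out.
    ProxyPassReverseCookieDomain .xyz.com .xyz.co.uk

    # Tell the backend the client used HTTPS so redirects and absolute links
    # are generated with https://jira.xyz.co.uk rather than the internal URL.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

<VirtualHost *:443>
    ServerName wiki.xyz.co.uk
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/xyz.co.uk.crt      # assumed path
    SSLCertificateKeyFile /etc/ssl/private/xyz.co.uk.key    # assumed path

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://abc-wiki.xyz.com:8090/
    ProxyPassReverse / http://abc-wiki.xyz.com:8090/

    # Same rewrite as for Jira: the cookie must carry the external domain
    # on every participating host or SSO between the two apps will not work.
    ProxyPassReverseCookieDomain .xyz.com .xyz.co.uk

    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Serve every participating application over the same scheme (all HTTPS here): if any application sets the SSO cookie with the Secure attribute, the browser will not send it to an http:// host in the same domain, so a mixed HTTP/HTTPS deployment will break SSO even when the Domain rewrite is correct. Each application's Base URL also has to be set to its external URL, and for the Tomcat-based applications (Jira, Confluence) the HTTP connector in server.xml needs the matching proxyName, proxyPort="443" and scheme="https" so the application generates external links rather than internal ones.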
Crowd does not need to be internet facing, it only needs to talk to the application servers.
The User Directories in the applications communicate with the Applications set up in Crowd. If the IP addresses of the applications change, the Applications will need to be updated to the new IPs. If Crowd is using internal IPs and they are not changing, no action should be needed on that account.
SSO will still work because the applications all come from the same domain: SSO within a Single Domain. That article is really comprehensive and can save trial-and-error time.
Yes, my applications are under the same domain, and I configured the SSO domain as ".xyz.com" in Crowd.
Now, if I access JIRA as https://jira.xyz.co.uk and Confluence as https://wiki.xyz.co.uk, will my SSO still work? Or is there any need to access the applications via the internal URL just to make SSO work?
Yes, that should be fine as long as they are all in domain xyz.co.uk, as mentioned in Overview of SSO:
The core Crowd functionality supports SSO across applications within a single domain, such as *.mydomain.com. Crowd uses a browser cookie to manage SSO. Because your browser limits cookie access to hosts in the same domain, this means that all applications participating in SSO must be in the same domain.
Example 1: If you wish to have single sign-on (SSO) support for *.mydomain.com, you will need to configure the SSO domain in Crowd as .mydomain.com — including the full stop ('.') at the beginning. All your Crowd-connected applications must be in the same domain.
And I configured the SSO domain as .xyz.co.uk, but SSO is still not working.
SSO works fine if I configure the SSO domain as the internal domain and access the sites with the internal URL.
But it's not working with the external URL.
The thing is, I'm accessing Bitbucket over HTTPS and JIRA over HTTP,
and "secure SSO cookie" in Crowd is disabled by default.