Crowd and Confluence SSO integration - Confluence ignores the application.login.url

David Tildesley May 1, 2013

Hi. I have latest versions of Crowd and Confluence integrated as per guide. Confluence has been configured for Crowd User Directory with the standard Confluence user directory disabled. I have also configured for SSO.

As expected, I can login to Crowd successfully and then (manually) connect to Confluence and SSO all works fine.

A few things though are puzzling:

1. If I go to Confluence without first logging into Crowd, I get a Confluence login page. I had expected to receive a browser redirect to the Crowd login page. It seems like the "application.login.url" in crowd.properties is ignored by Confluence (certainly the official documentation doesn't mention it)

2. When I logout in Confluence, it should redirect me back to the Crowd login page after invalidating my SSO token. It does the latter but not the former. (again, there is no hint in the official documentation about this behaviour)

3. When I log in to Crowd, I expected that the "applications" page would give me active links to my applications (like a menu page of applications). It doesn't, and it doesn't appear to offer any way of configuring this and no ability to substitute my own application menu page. (again, there is no hint in the official documentation about this behaviour)

4. Crowd will not accept a "goto url" on accessing the Crowd login page where I could pass in the Confluence url and Crowd would do a redirect using this parameter after successful login. It doesn't appear to support this. (again, there is no hint in the official documentation about this behaviour)

Do I have something wrong? Or are these product limitations or deliberate design?

4 answers

1 accepted

6 votes
Answer accepted
Ryan Goodwin
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 1, 2013

Hi David,

The SSO solution does not revolve around you logging in through Crowd as an entry portal then clicking into the application you want to use. The goal of Crowd + Confluence + another application (i.e. JIRA) using SSO is so that when navigating between Confluence and JIRA (users shouldn't ever have to log in to Crowd - only admins) Crowd passes the SSO token between applications so users don't have to log in to JIRA or vice versa. Once they're logged into one application in the SSO domain, they are free to use any application without authenticating again.

If that is not clear let me know and I'll try to elaborate further.

Hope this helps!

David Tildesley May 1, 2013

Hi Ryan,

It's the broken user experience that concerns me. E.g. I go to Confluence and it presents me with a logon screen. I have forgotten my password, but I think that's OK - I will just click the "forgotten password" link right there on the page. So I click on the link, put my user name in and click the "Send it to me" button. But wait, something is wrong: it tells me "You cannot change the password for this user via Confluence. Please contact your system administrator."

What's with that?

Now I'm thinking - yeah I better call the help desk because I really am lost here.

And I am thinking, it would be a cold day in hell that I could ever get this accepted into production.

David.

Ryan Goodwin
Rising Star
May 2, 2013

Hi David,

The forgot password experience is most likely because you've set the Crowd Directory in Confluence to be read only. That means that Confluence can't call on crowd to reset the password, because you've told it Read only. Try logging in as an admin to confluence admin > user directories > Crowd Directory : edit

Once editing the crowd user directory, see if read only is enabled. If you want users to be able to reset passwords from Confluence, change it to read/write.

Hope this helps!

David Tildesley May 2, 2013

Thanks.

It turned out that the easiest way to revert to a "read-write" Crowd directory is to create a second one (e.g. Crowd Directory 2) and make that the first in the list, log out, log in again, then you can disable the first one.

Why then was "read-only" the default selection in the "add directory" wizard? (rhetorical).

See also my further post below.

David.

Ryan Goodwin
Rising Star
May 2, 2013

Honestly, I can't say. I just support the product, I don't code them. IMHO it should be read write, but some admins are very strict about nobody being able to meddle with things.

3 votes
BernardoA
Rising Star
May 1, 2013

Basically the goal of SSO is that when Crowd provides an SSO token between applications, it enables users to log in just once in one such application, after which it is not necessary to log in again.

https://confluence.atlassian.com/display/CROWD/Overview+of+SSO

David Tildesley May 2, 2013

Yep - I know what SSO is. I just thought Crowd would work like OpenSSO does.

The interesting thing is that I found out how I can set Confluence to use the Crowd login url - very easy - it can be set in the seraph-config.xml

However, while Confluence will quite happily pass a "goto" url to the Crowd login, Crowd ignores it.

I also read that Atlassian hasn't provided easy customisation for Crowd login page as yet.

Which is all a bit of a pain since I went to the trouble of setting up an SSL host connection for Crowd and now it is pretty much wasted since the users won't be logging in through Crowd.

1 vote
David Pinn
Rising Star
May 1, 2013

Crowd enables SSO by choreographing the exchange of an SSO token between the Atlassian applications that you have installed. When you log in to one of the applications - JIRA, let's say - JIRA obtains a special SSO token from Crowd on your behalf, and sets it as a browser cookie. When you subsequently navigate to a different application - Confluence, let's say - Confluence is able to authenticate you by passing that SSO token to Crowd.
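The token exchange David Pinn describes above, as an added toy model that is not Crowd's code and not taken from any Atlassian documentation. The Crowd server, the two applications and the browser's cookie jar are plain Python objects; the cookie name `crowd.token_key` is Crowd's default SSO cookie name, but nothing in the model depends on it, and the user, password and token values are constructed for the example. Beyond the answer's description it also shows the behaviour from point 2 of the question (logging out of one application invalidates the token, so the other application stops recognising the user too), token expiry, and that a cookie value Crowd never issued is simply rejected.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Crowd's default SSO cookie name; the model itself does not depend on it.
SSO_COOKIE = "crowd.token_key"


@dataclass
class CrowdServer:
    """Stand-in for the Crowd server: a user directory plus the table of live SSO tokens."""
    users: Dict[str, str]                # username -> password (plain text only because this is a toy)
    ttl_seconds: int = 600               # how long an issued SSO token stays valid
    _tokens: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # token -> (username, expiry)

    def authenticate(self, username: str, password: str, now: float) -> Optional[str]:
        """Check credentials and, on success, mint a fresh random SSO token."""
        if self.users.get(username) != password:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, now + self.ttl_seconds)
        return token

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the username behind a token, or None if it is unknown, revoked or expired."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            del self._tokens[token]
            return None
        return username

    def invalidate(self, token: str) -> None:
        """Revoke a token; every application that relies on it will now reject it."""
        self._tokens.pop(token, None)


@dataclass
class Application:
    """A Crowd-connected application such as JIRA or Confluence."""
    name: str
    crowd: CrowdServer

    def login(self, browser: Dict[str, str], username: str, password: str, now: float) -> bool:
        """Application login: obtain a token from Crowd on the user's behalf and set it as a cookie."""
        token = self.crowd.authenticate(username, password, now)
        if token is None:
            return False
        browser[SSO_COOKIE] = token   # a shared cookie domain is what lets the other app read it
        return True

    def current_user(self, browser: Dict[str, str], now: float) -> Optional[str]:
        """Identify the request by asking Crowd about the cookie; None means 'show the login page'."""
        token = browser.get(SSO_COOKIE)
        if token is None:
            return None
        return self.crowd.validate(token, now)

    def logout(self, browser: Dict[str, str]) -> None:
        """Drop the cookie and have Crowd invalidate the token behind it."""
        token = browser.pop(SSO_COOKIE, None)
        if token is not None:
            self.crowd.invalidate(token)


def run_scenario() -> Dict[str, object]:
    """Walk through the thread's scenario and record what each step observed."""
    crowd = CrowdServer(users={"david": "constructed-password"})   # constructed sample user
    jira = Application("JIRA", crowd)
    confluence = Application("Confluence", crowd)
    browser: Dict[str, str] = {}   # the user's cookie jar
    t0 = 1_000.0                   # constructed clock value

    results: Dict[str, object] = {}
    results["confluence_before_login"] = confluence.current_user(browser, t0)
    results["login_bad_password"] = jira.login(browser, "david", "wrong", t0)
    jira.login(browser, "david", "constructed-password", t0)
    results["confluence_after_jira_login"] = confluence.current_user(browser, t0 + 1)
    forged = {SSO_COOKIE: "value-crowd-never-issued"}
    results["confluence_forged_cookie"] = confluence.current_user(forged, t0 + 1)
    confluence.logout(browser)
    results["jira_after_confluence_logout"] = jira.current_user(browser, t0 + 2)
    jira.login(browser, "david", "constructed-password", t0 + 3)
    results["jira_after_ttl"] = jira.current_user(browser, t0 + 3 + crowd.ttl_seconds)
    return results


if __name__ == "__main__":
    for step, seen in run_scenario().items():
        print(f"{step}: {seen}")
```

The point the model makes explicit is that neither application ever sees a password after the first login: each one only holds an opaque token and asks Crowd whether it is still good, which is why revoking the token at Crowd is enough to log the user out everywhere at once.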

0 votes
WillemA October 15, 2013

What we want to create is an environment where we log in to Windows and when a user then opens Confluence a login/password will not be asked for anymore; it will use my Windows credentials. Is that not an option with Confluence and/or JIRA?
