Crowd and Confluence SSO integration - Confluence ignores the application.login.url

Hi. I have the latest versions of Crowd and Confluence integrated as per the guide. Confluence has been configured for Crowd User Directory with the standard Confluence user directory disabled. I have also configured for SSO.

As expected, I can log in to Crowd successfully and then (manually) connect to Confluence and SSO all works fine.

A few things though are puzzling:

1. If I go to Confluence without first logging into Crowd, I get a Confluence login page. I had expected to receive a browser redirect to the Crowd login page. It seems like the "application.login.url" in crowd.properties is ignored by Confluence (certainly the official documentation doesn't mention it).

2. When I logout in Confluence, it should redirect me back to the Crowd login page after invalidating my SSO token. It does the latter but not the former. (again, there is no hint in the official documentation about this behaviour)

3. When I log in to Crowd, I expected that the "applications" page would give me active links to my applications (like a menu page of applications). It doesn't and it doesn't appear to offer any way of configuring this and no ability to substitute my own application menu page. (again, there is no hint in the official documentation about this behaviour)

4. Crowd will not accept a "goto url" on accessing the Crowd login page where I could pass in the Confluence url and have Crowd do a redirect using this parameter after successful login. It doesn't appear to support this. (again, there is no hint in the official documentation about this behaviour)

Do I have something wrong? Or are these product limitations or deliberate design?

4 answers

1 accepted

6 votes
Accepted answer

Hi David,

The SSO solution does not revolve around you logging in through crowd as an entry portal then clicking into the application you want to use. The goal of crowd + confluence + another application (i.e. JIRA) using SSO is so when navigating between Confluence and JIRA (users shouldn't ever have to login to crowd ever - only admins) crowd passes the SSO token between applications so users don't have to login to JIRA or vice versa. Once they're logged into one application in the sso domain, they are free to use any application without authenticating again.

If that is not clear let me know and I'll try to elaborate further.

Hope this helps!

Hi Ryan,

It's the broken user experience that concerns me. E.g. I go to Confluence and it presents me with a logon screen. I have forgotten my password, but I think that's OK - I will just click the "forgotten password" link right there on the page. So I click on the link and I put my user name in and click the "Send it to me" button. But wait, something is wrong: It tells me "You cannot change the password for this user via Confluence. Please contact your system administrator."

What's with that?

Now I'm thinking - yeah I better call the help desk because I really am lost here.

And I am thinking, it would be a cold day in hell that I could ever get this accepted into production.

David.

Hi David,

The forgot password experience is most likely because you've set the Crowd Directory in Confluence to be read only. That means that Confluence can't call on crowd to reset the password, because you've told it Read only. Try logging in as an admin to confluence admin > user directories > Crowd Directory : edit

Once editing the crowd user directory, see if read only is enabled. If you want users to be able to reset passwords from Confluence, change it to read/write.

Hope this helps!

Thanks.

It turned out that the easiest way to revert to a "read-write" crowd directory is to create a second one (e.g. Crowd Directory 2) and make that the first in the list, log out, log in again, then you can disable the first one.

Why then was "read-only" the default selection in the "add directory" wizard? (rhetorical).

See also my further post below.

David.

Honestly, I can't say. I just support the product, I don't code them. IMHO it should be read write, but some admins are very strict about nobody being able to meddle with things.

Basically the goal of SSO, is when Crowd provides SSO token between applications, it'll enable users to just login once in such application and then is not necessary to login again.

https://confluence.atlassian.com/display/CROWD/Overview+of+SSO

Yep - I know what SSO is. I just thought Crowd would work like OpenSSO does.

The interesting thing is that I found out how I can set Confluence to use the Crowd login url - very easy - it can be set in the seraph-config.xml

However, while Confluence will quite happily pass a "goto" url to the Crowd login, Crowd ignores it.

I also read that Atlassian hasn't provided easy customisation for Crowd login page as yet.

Which is all a bit of a pain since I went to the trouble of setting up an SSL host connection for Crowd and now it is pretty much wasted since the users won't be logging in through Crowd.
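
The Seraph setting mentioned in the post above, sketched as an added example (not taken from the original post or from Atlassian's documentation). `login.url` and `link.login.url` are Seraph's parameters for where unauthenticated users are sent; that these are the ones the poster changed is an assumption, and the host `crowd.example.com`, the console login path and the `goto` parameter name are placeholders.

```xml
<!-- confluence/WEB-INF/classes/seraph-config.xml (excerpt, illustrative) -->
<security-config>
    <parameters>
        <!-- Stock value, kept for comparison: Confluence's own login form.
             /login.action?os_destination=${originalurl}&amp;permissionViolation=true -->

        <!-- Where Seraph redirects a request that needs authentication.
             ${originalurl} is replaced by Seraph with the page originally requested.
             Host and path are placeholders for your Crowd console login page.
             Per the thread, Crowd does not act on the destination parameter,
             so the user is not returned to Confluence after logging in. -->
        <init-param>
            <param-name>login.url</param-name>
            <param-value>https://crowd.example.com/crowd/console/login.action?goto=${originalurl}</param-value>
        </init-param>

        <!-- Target of the "Log in" link shown in the Confluence header. -->
        <init-param>
            <param-name>link.login.url</param-name>
            <param-value>https://crowd.example.com/crowd/console/login.action</param-value>
        </init-param>
    </parameters>

    <!-- SSO itself is handled by the Crowd authenticator, which validates the
         SSO cookie against Crowd on each request. The stock, non-SSO
         authenticator is com.atlassian.confluence.user.ConfluenceAuthenticator. -->
    <authenticator class="com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator"/>
</security-config>
```

Keep the login URL on HTTPS, since credentials are submitted there, and restart Confluence after editing the file.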

Crowd enables SSO by choreographing the exchange of an SSO token between the Atlassian applications that you have installed. When you log in to one of the applications - JIRA, let's say - JIRA obtains a special SSO token from Crowd on your behalf, and sets it as a browser cookie. When you subsequently navigate to a different application - Confluence, let's say - Confluence is able to authenticate you by passing that SSO token to Crowd.

What we want to create is an environment where we login to Windows and when a user then opens Confluence a login/password will not be asked anymore, it will use my windows credentials. That is not an option with Confluence and/or JIRA?
