Is it possible to run multiple authentication methods?

wcms March 5, 2013

Hey there

We are running our JIRA and Confluence servers behind "CA Siteminder SSO". To make this work with JIRA and Confluence we added a library to the lib directory, and edited the seraph-config to use the Siteminder Authentication. Basically, when the user calls our JIRA or Confluence address, the SSO server intercepts, and checks if the user is logged in on the SSO server. If not, he will get an SSO login mask where he has to authenticate.

After doing so, the SSO sends the user id to Confluence / JIRA. Confluence and JIRA have a plugin running which then reads the header with the user id, and shows the user's content. While this works perfectly, it's causing us headaches because we can't display JIRA information in Confluence anymore (before JIRA was connected to SSO, this worked).

Now, I believe the problem is that the application link is configured with the SSO URL. Since the connection between JIRA and Confluence is handled from the server itself and not the user, the server will be getting an SSO login mask where it actually expected JIRA.

Now, to bypass this problem, I thought it would be smart to add another connector to the server.xml, which is listening to a domain name that is not intercepted by our SSO. This actually worked; the server is listening for those requests. The problem is that it will only accept Siteminder authentication data (no more Confluence login mask).

I then thought it might work if I uncomment the default Confluence and JIRA authenticator. But now JIRA and Confluence will only accept their own login mask; logging in with SSO doesn't work anymore.

Is there any way I can configure multiple authentication methods, so the users are able to log in via Siteminder SSO while JIRA and Confluence communicate with each other using their own login masks? Or is there any other way I could solve this issue? Has someone had a similar problem?

Thanks a lot for your advice, guys!

Regards

Taha


0 votes
Answer accepted
wcms December 2, 2013

It's been a long time but I have been able to solve my problem :)

Here's how I did it:
  1. In the Confluence server.xml, add another connector, running on a port of your choice (in my case it's 8991), non-https
  2. Also do the same for JIRA (for example on port 8992), non-https
  3. Set up a virtual host acting as a proxy on Apache. This is an example configuration (make sure USERID is the id of an actual administrator):
    <VirtualHost *:80>
    	ProxyPreserveHost On
    	ProxyRequests Off
    	ServerName proxy.confluence.company.com
    	
    	RequestHeader set REMOTE_USER "USERID"
    	
    	ProxyPass / http://confluenceserver.internal:8991/
    	ProxyPassReverse / http://confluenceserver.internal:8991/
    </VirtualHost>

  4. Do the same configuration for JIRA, edit the ProxyPass server and the ServerName
  5. If your Confluence and/or JIRA installation is configured to use a proxy for outgoing connections, make sure that proxy.confluence.company.com and/or proxy.jira.company.com is configured as non-proxy-host.

  6. Restart both applications. You should now be able to configure the application link while being behind a non-supported SSO.
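
A restricted variant of the virtual host from step 3, added here as an example and not part of the original answer: because the proxy stamps every request it forwards with an administrator's `REMOTE_USER`, it admits only the servers that need the application link. It assumes Apache 2.4 with mod_proxy, mod_headers and mod_authz_core; the `192.0.2.x` addresses are placeholders for the JIRA and Confluence application servers.

```apache
# Added example, not from the original answer. Assumes Apache 2.4 syntax.
# 192.0.2.10 and 192.0.2.11 are placeholder addresses for the JIRA and
# Confluence application servers; replace them with your own.
<VirtualHost *:80>
    ServerName proxy.confluence.company.com
    ProxyPreserveHost On
    ProxyRequests Off

    # Every request passing through this host is presented to Confluence
    # as USERID (an administrator), so only the servers that make
    # application-link calls are allowed to connect.
    <Location "/">
        Require ip 127.0.0.1 192.0.2.10 192.0.2.11
    </Location>

    # "set" replaces any REMOTE_USER value supplied by the client.
    RequestHeader set REMOTE_USER "USERID"

    ProxyPass / http://confluenceserver.internal:8991/
    ProxyPassReverse / http://confluenceserver.internal:8991/
</VirtualHost>
```

The extra connectors on ports 8991 and 8992 trust the same header, so they should likewise be reachable only from this proxy host, for example through a host firewall rule.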

0 votes
C_ Faysal
March 5, 2013

Hi wcms.

I believe multiple authenticators are not possible, but please have a look at this:

https://answers.atlassian.com/questions/56692/using-multiple-authenticators
