We do have an Identity & Access Management System in place. This directory is basically the only directory which has all users (we're a production company and quite a few of our users do not need an Active Directory account). The IAM directory is not LDAP enabled.
1) We do want to be able to show all user information in Confluence (address book), also for the ones without an AD account (they still have a phone number and need to be able to call each other). We're also using the information to build the org chart in Confluence.
2) We do want to create the user directory completely from IAM, via either a daily import or an API.
3) We do want to create the group mapping manually from the IAM system (people are ordering spaces via IAM and the system then creates the groups and memberships itself).
4) This now is the tricky part: even though the users have been created manually, we do want to have them authenticated via SAML 2.0 & SSO (we use secureauth).
Summary: We do not want to attach a directory for user management, but we want the users to be authenticated using SAML 2.0 / secureauth device.
How should this be done? (I know this is not how the rest of the world does it; anyhow, this is the approach we have to take.)
Code, and quite a lot of it. I'd strongly recommend using one of the SAML add-ons from the marketplace instead of trying to re-invent this wheel, and I think you'll need another add-on to draw in the user profiles.
Pascal,
I work with Kantega Single Sign-on. We have add-ons for all the Atlassian products except for Crowd and Hipchat.
We offer Kerberos and SAML in combination or separate, and support on the fly user creation. Users can be added to default groups upon sign-up.
JIRA mobile and Service Desk are also supported. There is no need for file system changes, making upgrades very smooth!
https://marketplace.atlassian.com/search?query=kantega
We are always happy to help. Email us at SSO@kantega.no
Here's an update.
We use secureauth for authentication together with the SAML SSO plugin. Works like a charm.
We are using the SOAP interface (I know it is deprecated, but user provisioning is not yet available in the REST API); we also create the groups via SOAP (as well as user/group memberships). All of it is managed via IAM. We are also on the way to having the space order process in the IAM system (it creates the space, the read group and the write group), together with a yearly renewal process (in order to get rid of unused / outdated spaces).
Agree with Nic Brough. We use and recommend SAMLSSO for Confluence by resolution, but it assumes that your users are already available to Confluence from somewhere. From their documentation:
SAML is currently supported for authentication only. That means the userid must be known in the Jira/Confluence instance, either as a locally configured user or coming from an external user directory
Confluence is going to have to know about the users somehow; even if there were a "do it all" SAML plugin, it would still need to create the users in Confluence's database. The User Directory API for Confluence plugin might help you out on that front, but I've never used it and can't comment on how it works.
Best of luck!
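The two answers above make the same point from different sides: the IAM system has to provision (and deprovision) the users and groups, and the SAML add-on then only maps the asserted NameID onto one of those pre-existing local accounts. The following Python script is an added example, not code from the thread, from Atlassian, or from any of the add-on vendors mentioned. It reconciles a constructed IAM export against a constructed snapshot of Confluence's user/group state and produces the list of provisioning operations the SOAP or REST calls would have to perform, then shows the "authentication only" rule by resolving a constructed SAML assertion's NameID against that state. The export format, the state dictionaries and the assertion fragment are all assumptions; signature validation of the assertion is assumed to have been done by the SAML add-on before this point.

```python
"""Added example (not from the original thread): reconcile an IAM export
against the Confluence-side user/group state, then show why the SAML NameID
must resolve to one of those provisioned users.

Everything below is constructed sample data: the IAM export, the Confluence
state and the SAML assertion. The functions that would call Confluence's
SOAP/REST provisioning interface are replaced by a plan of operations.
"""
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

# Constructed IAM export: every person, including those without an AD account.
IAM_EXPORT = [
    {"userid": "p.meier", "name": "Pascal Meier", "phone": "+41 44 000 00 01",
     "active": True, "groups": ["space-ops-read", "space-ops-write"]},
    {"userid": "a.rossi", "name": "Anna Rossi", "phone": "+41 44 000 00 02",
     "active": True, "groups": ["space-ops-read"]},
    {"userid": "j.doe", "name": "Jane Doe", "phone": "+41 44 000 00 03",
     "active": False, "groups": []},
]

# Constructed Confluence state (what the SOAP/REST calls would report).
CONFLUENCE_USERS = {
    "p.meier":  {"active": True, "groups": {"space-ops-read"}},
    "j.doe":    {"active": True, "groups": {"space-ops-read"}},
    "old.acct": {"active": True, "groups": set()},   # no longer in IAM at all
}
CONFLUENCE_GROUPS = {"space-ops-read"}


@dataclass
class Plan:
    create_groups: list = field(default_factory=list)
    create_users: list = field(default_factory=list)
    deactivate_users: list = field(default_factory=list)
    add_memberships: list = field(default_factory=list)     # (userid, group)
    remove_memberships: list = field(default_factory=list)  # (userid, group)


def reconcile(iam_export, conf_users, conf_groups):
    """Compute the provisioning operations that bring Confluence in line with IAM.

    Users missing from IAM, or inactive there, are deactivated rather than
    deleted: page history keeps its author, and a deactivated account cannot
    log in even if the IdP still asserts that NameID.
    """
    plan = Plan()
    wanted = {u["userid"]: u for u in iam_export if u["active"]}
    needed_groups = {g for u in wanted.values() for g in u["groups"]}
    plan.create_groups = sorted(needed_groups - set(conf_groups))
    for uid, u in wanted.items():
        current = conf_users.get(uid)
        if current is None:
            plan.create_users.append(uid)
            have = set()
        else:
            have = set(current["groups"])
        plan.add_memberships += [(uid, g) for g in u["groups"] if g not in have]
        plan.remove_memberships += [(uid, g) for g in sorted(have - set(u["groups"]))]
    for uid, current in conf_users.items():
        if uid not in wanted and current["active"]:
            plan.deactivate_users.append(uid)
    return plan


def apply_plan(plan, conf_users, conf_groups):
    """Simulate the effect of the provisioning calls; returns the new state."""
    users = {u: {"active": s["active"], "groups": set(s["groups"])}
             for u, s in conf_users.items()}
    groups = set(conf_groups) | set(plan.create_groups)
    for uid in plan.create_users:
        users[uid] = {"active": True, "groups": set()}
    for uid in plan.deactivate_users:
        users[uid]["active"] = False
    for uid, g in plan.add_memberships:
        users[uid]["groups"].add(g)
    for uid, g in plan.remove_memberships:
        users[uid]["groups"].discard(g)
    return users, groups


# Constructed, minimal assertion fragment (signature check assumed done upstream).
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Subject><saml:NameID>{nameid}</saml:NameID></saml:Subject>'
    '</saml:Assertion>'
)


def resolve_local_user(assertion_xml, conf_users):
    """Map the asserted NameID onto a provisioned, active Confluence user.

    Returns the userid to start a session for, or None. There is no
    just-in-time creation here: an unknown or deactivated NameID is a failed
    login, which is what 'authentication only' means in the thread.
    """
    root = ET.fromstring(assertion_xml)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None or not nameid.text:
        return None
    uid = nameid.text.strip()
    user = conf_users.get(uid)
    if user is None or not user["active"]:
        return None
    return uid


if __name__ == "__main__":
    plan = reconcile(IAM_EXPORT, CONFLUENCE_USERS, CONFLUENCE_GROUPS)
    print(plan)
    users, _ = apply_plan(plan, CONFLUENCE_USERS, CONFLUENCE_GROUPS)
    for nameid in ("p.meier", "a.rossi", "j.doe", "nobody"):
        print(nameid, "->", resolve_local_user(SAML_ASSERTION.format(nameid=nameid), users))
```

Run as-is and the plan creates `space-ops-write` and `a.rossi`, deactivates `j.doe` and `old.acct`, and adds the two missing memberships; afterwards only `p.meier` and `a.rossi` resolve from a SAML NameID, while `j.doe` (deactivated) and `nobody` (never provisioned) are refused. The point worth checking in a real deployment is the last step: the IdP attribute chosen as NameID must equal the userid the IAM import creates, otherwise every login fails even though the assertion itself is valid.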
Version 0.14 of the SAMLSSO plugin for JIRA was released earlier this morning and includes functionality to create users on-the-fly from IdP metadata. The same feature will probably show up in the Confluence version of the plugin later today!