User Provisioning & SAML2 & SSO

We do have an Identity & Access Management System in place. This directory is basically the only directory which has all users (we're a production company and quite a few of our users do not need an Active Directory Account). The IAM directory is not LDAP enabled.

1) We do want to be able to show all user information in Confluence (address book), also from the ones without an AD account (they still have a phone number and need to be able to call each other). We're also using the information to build the org chart in Confluence then.

2) We do want to create the user directory completely from IAM via either daily import or API

3) We do want to create the group mapping manually from the IAM system (people are ordering spaces via IAM and the system then creates the groups and memberships itself)

4) This now is the tricky part: even though the users have been created manually, we do want to have them authenticated via SAML2.0 & SSO (we use secureauth).

Summary: We do not want to attach a directory for user management but we want the users to be authenticated using SAML2.0 / secureauth device.

How should this be done? (I know this is not how the rest of the world does it; anyhow, this is the approach we have to take).

4 answers

1 vote

Code, and quite a lot of it.  I'd strongly recommend using one of the SAML add-ons from the marketplace instead of trying to re-invent this wheel, and I think you'll need another add-on to draw in the user profiles.

0 vote
Daniel Eads Community Champion Mar 07, 2016

Agree with Nic Brough. We use and recommend SAMLSSO for Confluence by resolution, but it assumes that your users are already available to Confluence from somewhere. From their documentation:

SAML is currently supported for authentication only. That means the userid must be known in the Jira/Confluence instance, either as a locally configured user or coming from an external user directory

Confluence is going to have to know about the users somehow; even if there were a "do it all" SAML plugin, it would still need to create the users in Confluence's database. The User Directory API for Confluence plugin might help you out on that front, but I've never used it and can't comment on how it works.


Best of luck!

Daniel Eads Community Champion Mar 08, 2016

Version 0.14 of the SAMLSSO plugin for JIRA was released earlier this morning and includes functionality to create users on-the-fly from IdP metadata. The same feature will probably show up in the Confluence version of the plugin later today!

Here's an update.

We use secureauth for authentication together with the SAML SSO plugin. Works like a charm.
We are using the SOAP interface (I know it is deprecated, but user provisioning is not yet available in the REST API); we also create the groups via SOAP (as well as user/group membership). All of it is managed via IAM, and we are also on the way to having the space order process in the IAM system (it creates the space, the read group, and the write group) together with a yearly renewal process (in order to get rid of unused / outdated spaces).

Pascal,

I work with Kantega Single Sign-on. We have add-ons for all the Atlassian products except for Crowd and Hipchat.

We offer Kerberos and SAML in combination or separately, and support on-the-fly user creation. Users can be added to default groups upon sign-up.

JIRA mobile and service desk are also supported. There is no need for file system changes, making upgrades very smooth!

https://marketplace.atlassian.com/search?query=kantega

We are always happy to help. Email us at SSO@kantega.no

 
