
User Provisioning & SAML2 & SSO

pbriner March 5, 2016

We do have an Identity & Access Management System in place. This directory is basically the only directory which has all users (we're a production company and quite a few of our users do not need an Active Directory Account). The IAM directory is not LDAP enabled.

1) We do want to be able to show all user information in Confluence (address book), also from the ones without an AD account (they still have a phone number and need to be able to call each other). We're also using the information to build the org chart in Confluence then.

2) We do want to create the user directory completely from IAM via either daily import or API

3) We do want to create the group mapping manually from the IAM system (people are ordering spaces via IAM and the system then creates the groups and memberships itself)

4) This now is the tricky part: even though the users have been created manually, we do want to have them authenticated via SAML2.0 & SSO (we use SecureAuth).

 

Summary: We do not want to attach a directory for user management, but we want the users to be authenticated using SAML2.0 / SecureAuth device.

 

How should this be done? (I know this is not how the rest of the world does it; anyhow, this is the approach we have to take.)

 

4 answers

1 vote
Nic Brough -Adaptavist-
March 6, 2016

Code, and quite a lot of it.  I'd strongly recommend using one of the SAML add-ons from the marketplace instead of trying to re-invent this wheel, and I think you'll need another add-on to draw in the user profiles.

0 votes
Lars Olav Velle
April 19, 2017

Pascal,

I work with Kantega Single Sign-on. We have add-ons for all the Atlassian products except for Crowd and Hipchat.

We offer Kerberos and SAML in combination or separate, and support on the fly user creation. Users can be added to default groups upon sign-up. 

JIRA mobile and Service Desk are also supported. There is no need for file system changes, making upgrades very smooth!

https://marketplace.atlassian.com/search?query=kantega

We are always happy to help. Email us at SSO@kantega.no

 

0 votes
pbriner March 9, 2016

Here's an update.

We use SecureAuth for authentication together with the SAML SSO plugin. Works like a charm.
We are using the SOAP interface (I know it is deprecated, but user provisioning is not yet available in the REST API); we also create the groups via SOAP (as well as user/group membership). All of it is managed via IAM. We are also on the way to having the space order process in the IAM system (it creates the space, the read group, the write group) together with a yearly renewal process (in order to get rid of unused / outdated spaces).

0 votes
Daniel Eads _unmonitored account_
March 7, 2016

Agree with Nic Brough. We use and recommend SAMLSSO for Confluence by resolution, but it assumes that your users are already available to Confluence from somewhere. From their documentation:

SAML is currently supported for authentication only. That means the userid must be known in the Jira/Confluence instance, either as a locally configured user or coming from an external user directory

Confluence is going to have to know about the users somehow; even if there were a "do it all" SAML plugin, it would still need to create the users in Confluence's database. The User Directory API for Confluence plugin might help you out on that front, but I've never used it and can't comment on how it works.


Best of luck!

Daniel Eads _unmonitored account_
March 8, 2016

Version 0.14 of the SAMLSSO plugin for JIRA was released earlier this morning and includes functionality to create users on-the-fly from IdP metadata. The same feature will probably show up in the Confluence version of the plugin later today!
