User Provisioning & SAML2 & SSO

We do have an Identity & Access Management System in place. This directory is basically the only directory which has all users (we're a production company and quite a few of our users do not need an Active Directory account). The IAM directory is not LDAP enabled.

1) We do want to be able to show all user information in Confluence (address book), also from the ones without an AD account (they still have a phone number and need to be able to call each other). We're also using the information to build the org chart in Confluence then.

2) We do want to create the user directory completely from IAM via either daily import or API.

3) We do want to create the group mapping manually from the IAM system (people are ordering spaces via IAM and the system then creates the groups and memberships itself).

4) This now is the tricky part: even though the users have been created manually, we do want to have them authenticated via SAML2.0 & SSO (we use secureauth).

Summary: We do not want to attach a directory for user management, but we want the users to be authenticated using SAML2.0 / secureauth device.

How should this be done? (I know this is not how the rest of the world does it; anyhow, this is the approach we have to take.)

 

4 answers

1 vote

Code, and quite a lot of it. I'd strongly recommend using one of the SAML add-ons from the marketplace instead of trying to re-invent this wheel, and I think you'll need another add-on to draw in the user profiles.

Agree with Nic Brough. We use and recommend SAMLSSO for Confluence by resolution, but it assumes that your users are already available to Confluence from somewhere. From their documentation:

SAML is currently supported for authentication only. That means the userid must be known in the Jira/Confluence instance, either as a locally configured user or coming from an external user directory

Confluence is going to have to know about the users somehow; even if there were a "do it all" SAML plugin, it would still need to create the users in Confluence's database. The User Directory API for Confluence plugin might help you out on that front, but I've never used it and can't comment on how it works.


Best of luck!

Version 0.14 of the SAMLSSO plugin for JIRA was released earlier this morning and includes functionality to create users on-the-fly from IdP metadata. The same feature will probably show up in the Confluence version of the plugin later today!

Here's an update.

We use secureauth for authentication together with the SAML SSO plugin. Works like a charm.
We are using the SOAP interface (I know, deprecated, but user provisioning is not yet available in the REST API); we also create the groups via SOAP (as well as user/group membership). All of it is managed via IAM. We are also on the way to having the space order process in the IAM system (it creates the space, the read group and the write group) together with a yearly renewal process (in order to get rid of unused / outdated spaces).
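
Added example (not part of any post in this thread, and not Atlassian or plugin code): a sketch of the one-way reconciliation described in the update above, where IAM is authoritative for users, groups and memberships and Confluence only authenticates via SAML. It goes one step beyond the post by also planning removals. The operation names, the `space-` group prefix, the protected `admin` account and all sample data are assumptions.

```python
# Constructed sample data: what IAM exports vs. what Confluence currently holds.
IAM_USERS = {"alice", "bob", "carol"}
IAM_GROUPS = {"space-eng-read": {"alice", "bob"}, "space-eng-write": {"alice"}}
LOCAL_USERS = {"admin", "alice", "dave"}
LOCAL_GROUPS = {
    "space-eng-read": {"alice", "dave"},
    "space-old-read": {"dave"},
    "confluence-administrators": {"admin"},
}


def plan_sync(iam_users, iam_groups, local_users, local_groups,
              managed_prefix="space-", protected=frozenset({"admin"})):
    """Return the ordered operations that make Confluence match IAM.

    Usernames must equal the SAML NameID the IdP sends, because SAML only
    authenticates users that already exist locally. Operation names are
    hypothetical; map each to a call on your provisioning interface.
    """
    ops = [("create_user", u) for u in sorted(iam_users - local_users)]
    for group in sorted(iam_groups):
        # The IAM export may only touch groups it owns, never admin groups.
        if not group.startswith(managed_prefix):
            raise ValueError(f"IAM export names an unmanaged group: {group}")
        wanted = iam_groups[group]
        unknown = wanted - iam_users
        if unknown:
            raise ValueError(f"{group} lists unknown users: {sorted(unknown)}")
        if group not in local_groups:
            ops.append(("create_group", group))
        current = local_groups.get(group, set())
        ops += [("add_member", group, u) for u in sorted(wanted - current)]
        ops += [("remove_member", group, u) for u in sorted(current - wanted)]
    # Managed groups that IAM no longer lists lose all their members.
    for group in sorted(local_groups):
        if group.startswith(managed_prefix) and group not in iam_groups:
            ops += [("remove_member", group, u)
                    for u in sorted(local_groups[group])]
    # Accounts absent from IAM are deactivated, except protected local ones.
    for user in sorted(local_users - iam_users - protected):
        ops.append(("deactivate_user", user))
    return ops


if __name__ == "__main__":
    for op in plan_sync(IAM_USERS, IAM_GROUPS, LOCAL_USERS, LOCAL_GROUPS):
        print(op)
```

Removals are planned after additions so that a user moved between groups never loses all access mid-run.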

Pascal,

I work with Kantega Single Sign-on. We have add-ons for all the Atlassian products except for Crowd and Hipchat.

We offer Kerberos and SAML in combination or separate, and support on the fly user creation. Users can be added to default groups upon sign-up. 

JIRA mobile and service desk are also supported. There is no need for file system changes, making upgrades very smooth!

https://marketplace.atlassian.com/search?query=kantega

We are always happy to help. Email us at SSO@kantega.no

 
