
Authenticate Azure AD users against Crowd and Atlassian products

Alae Loudiyi July 22, 2018

Hi,

I have connected Crowd with Azure AD (AAD) without any problem. But when it came to authenticating Azure AD users against Atlassian products (mainly Jira, Confluence & Bitbucket), we are having some trouble. First, I cannot give users access to Jira or Confluence, and I cannot create local groups or use groups to assign permissions to users.

We have gone through some documentation and I have some questions:

  1. Is it possible to authenticate AAD users against Atlassian Products without any other third party plugin? If YES, HOW? If NO, what is the benefit from connecting AAD to Crowd without being able to delegate authentication to AAD?
  2. I have seen that Microsoft have a free add-on for Jira (link here). If the answer to the first question is NO, do you think it is a viable alternative to use this plugin with Jira and then connect other Atlassian Products to Jira without using Crowd?

PS: I'm using Crowd 3.2.1 and I will upgrade to the latest version because we are facing a bug (link

 

Thank you

4 answers

1 accepted

1 vote
Answer accepted
M Amine
Community Leader
July 24, 2018

Hi,

The issue has been resolved now and here is how:

  1. Upgrade to Crowd 3.2.2 as it fixes this bug
  2. Documentation is a 'bit' wrong, especially here 
    5. Configure permissions for the native application to allow Crowd to validate user credentials:
        - Click your native application.
        - Click Settings
        - In the API ACCESS section, click Required permissions.
        - Click Grant Permissions and confirm.
    Before clicking 'Grant Permissions' and confirming, we added Windows Azure AD API permissions (Read directory Data, Sign in and read user profile ...)
  3. We validated these permissions as described in step 6 in this link

et voila. That's it. 

Hope that Atlassian Team @Gaurav will update this documentation.

cheers 

Patryk
Atlassian Team
July 25, 2018

Hello Mohammed,

Are you certain that it was the native application that requires those rights? The permissions for the native applications are permissions for executing actions on Azure Active Directory, which is a capability that Crowd does not use. I've set up a test directory a moment ago without any additional permissions on the native application and didn't run into permission issues.

However, some Azure AD requires that "Grant permissions" is executed on both the web application and the native one.

Best regards,

Patryk Petrowski

M Amine
Community Leader
July 26, 2018

Hi @Patryk,

Absolutely certain, because before doing that I clicked on Grant Permissions and confirmed several times, and the issue was the same as described.

Then I added the API permissions and it worked. 

Let me know if you need more info or screenshots.

best regards

0 votes
Carl Pelletier October 25, 2019

Hi, I configured Confluence to validate authentication with SAML/Azure AD. Done.

I configured Crowd as a Confluence directory. Done.

I configured an Azure directory in Crowd to fetch users/groups from Azure AD. Done.

Now my question:

When a user authenticates to Confluence, the browser calls Azure and the authentication is done. The token is sent back to Confluence. Confluence validates whether the user exists in the directory (Crowd). I

Is there a communication with Crowd at this moment? I guess yes. What is sent to Crowd? The user identifier? No password?

How does Crowd validate that user with the Azure directory?

 

Can you explain, please? A communication flow diagram would be nice!

Thanks

Carl

0 votes
Carl Pelletier October 17, 2019

Hi, the configuration section has changed in Azure AD. Can someone point me to the same configuration now?

"API ACCESS section, click Required permissions." doesn't exist or I can't find it.

 

thanks

Gaurav
Atlassian Team
October 17, 2019

Hi @Carl Pelletier ,

Here's the documentation from Microsoft on what the UI changes are and how they relate to the old one.

https://docs.microsoft.com/en-us/azure/active-directory/develop/app-registrations-training-guide#required-permissionsapi-permissions

You can keep following Crowd's Azure integration documentation, and see the corresponding changes in this link regarding how to grant permissions.

We will be updating Crowd's documentation as well.

Let me know if you need anything else.

 

Cheers!

Gaurav

Carl Pelletier October 17, 2019

Hi @Gaurav, thanks for the quick answer! It's now clearer for me.

 

Can you tell me what grant I should give if I want Crowd to be able to authenticate my Confluence users with SSO?

 

Thanks!

0 votes
Gaurav
Atlassian Team
July 22, 2018

Hi Alae,

I would like to know why you cannot give users access to Jira or Confluence. You can configure Jira or Confluence applications in Crowd, and allow these applications to authenticate against your Azure Active Directory or a set of selected groups from the directory.

Though you can't create groups in Azure AD using Crowd, you can create them in Azure AD itself, and then use the groups to control access for applications in Crowd.

Coming to your question:

Yes, it is possible without any third party plugin. Please follow the documentation to configure Azure AD in Crowd, or skip this if you have already successfully connected to Azure AD and follow this documentation to connect JIRA to Crowd.

Hope this helps. If not, please list in detail the problems you are facing.

Alae Loudiyi July 22, 2018

Dear Gaurav,

Thank you vm for your quick feedback. I will first upgrade Crowd because 3.2.1 is having some issues getting users' groups from Azure AD. 

Will let you know after the upgrade. 

Keep you posted. 

KO89 July 1, 2019

Alae,

Any luck with this task?

KO89 July 1, 2019

Disregard, just noticed that Azure MFA can't be used with Crowd soooo... I'll have to take a different route
