We're having quite an interesting use case, which I would love to hear ideas/recommendations for.
We have a current setup where users have to connect via a VPN to access Jira, Confluence, Bitbucket & Bamboo. Some content on Jira & Confluence is "public", so available for anyone without logging in. The VPN makes it so that only company employees are able to view this content as they have to login to the VPN first.
Other users, who need to update the content or work on issues, log in to the tools, which authenticate against Active Directory via Crowd. Single Sign-On is not enabled currently.
The VPN is slowly fading out of the business, making our tools one of the few that still live behind it. While trying to onboard other teams across the organization, we encountered users that can no longer work with the VPN.
We're now looking for a way to remove the VPN, while preserving the ability to have some content public, without actually putting it out in the open for the entire internet to read.
We have lots of features of Azure, so many teams are looking into possible solutions, but I wanted to check if there are others out there who have a similar setup.
Our idea would be to create some sort of environment where users are brought to a login page, where they enter their AD credentials and log in with 2FA. While logged in there, they should be able to browse the available content that is 'public'. They can choose to log in to the specific Jira or Confluence, but don't have to if they don't have a license.
If they haven't logged in to the central page with 2FA, they should not be able to view the tools at all.
So basically we are looking at ways to let people pre-authenticate against AD, giving them access to the tools without being logged in to the tools (so that we don't need a thousandfold of our current licenses).
Any ideas or similar use cases?
Looking forward to any feedback!
Interesting requirements. We are one of the top SSO vendors in the Atlassian Marketplace and have received a similar request explicitly for Confluence. We have achieved this requirement using the guest login feature available in our SSO plugin.
This requires that all users attempting to access the application be authenticated by a SAML/OAuth IdP. If their account exists in Confluence, they will be logged into their account; if not, a guest session is started on successful SSO, which allows them to access public pages for some time (30 minutes, configurable) without creating an account/session for them in Confluence.
You mention Azure: do you have Azure AD (Cloud), or are you just using Crowd as the user directory and authentication source for all the applications? For your case, we can integrate Azure AD/Crowd with the application as SAML IdP + 2FA and enable the guest login to achieve your requirement.
PS - I work for miniOrange, one of the top SSO vendors.
If you have a further query or are looking for a POC, please reach out to miniOrange Support.
Very interesting then, thanks for all the info! Helps a lot!
Yes, all your requirements will be satisfied.
All users accessing Confluence will be forced to log in with corporate credentials. Without authentication from the IdP (corporate credentials), they won't be able to access any of the pages of Confluence, not even the public pages.
Now, if the user has an account and access to Confluence, their Confluence session will be started (as usual); otherwise the user will not be logged in to Confluence but will be allowed to see the public pages.
I hope this helps.
I recommend you reach out to miniOrange support so that the team here can get on a call with you and, if needed, customize the plugin for your requirement.
It differs a little from our requirements, which are as such:
Hope this makes sense, it's a really complex case.
Kind regards
Here is the scenario, which should help you understand the proposed solution.
1. User already exists in Confluence --> Once authentication is done at the IdP, they will be logged in to Confluence and see the pages they are authorized for (including public pages).
2. User does not exist in Confluence --> Once authentication is done at the IdP, the user will be redirected to Confluence and can only see the public pages (anonymously accessible), but the user will not be logged in to Confluence.
Please reach out to miniOrange support and I will arrange a demo for you.
PS - I work for miniOrange, one of the top SSO vendors.
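As an added illustration (not miniOrange's code or the plugin's API), here is a small Python model of the gateway policy described in this answer and the earlier one: every request must first be authenticated at the IdP with 2FA, users with a Confluence account get a normal Confluence session, and everyone else gets a time-limited guest session that can only read public pages. The user names, page names and the 30-minute guest window are constructed/assumed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Guest session lifetime quoted in the thread (30 minutes, configurable).
GUEST_TTL = timedelta(minutes=30)


@dataclass
class IdpAssertion:      # minimal stand-in for a SAML/OIDC assertion from the corporate IdP
    subject: str
    mfa_satisfied: bool  # the 2FA requirement from the original question


@dataclass
class PreAuthGateway:
    licensed_users: set  # constructed: subjects that have a Confluence account
    public_pages: set    # constructed: pages that are anonymously readable in Confluence
    guest_sessions: dict = field(default_factory=dict)  # subject -> guest session expiry

    def login(self, assertion: IdpAssertion, now: datetime) -> str:
        """Called when the IdP redirects back; decides which kind of session to start."""
        if not assertion.mfa_satisfied:
            return "denied"
        if assertion.subject in self.licensed_users:
            return "confluence_session"  # normal Confluence login, consumes a licence
        self.guest_sessions[assertion.subject] = now + GUEST_TTL
        return "guest_session"           # no Confluence account or session is created

    def authorize(self, subject, page: str, now: datetime) -> str:
        """Per-request check: who may read which page."""
        if subject is None:
            return "redirect_to_idp"     # no IdP auth at all: nothing, not even public pages
        if subject in self.licensed_users:
            return "allow"               # Confluence's own permissions apply from here on
        expiry = self.guest_sessions.get(subject)
        if expiry is None or now >= expiry:
            self.guest_sessions.pop(subject, None)
            return "redirect_to_idp"     # guest window expired: authenticate again
        return "allow" if page in self.public_pages else "deny"


def run_scenario() -> dict:
    """Walks the two cases from the thread plus the guest-expiry edge case (constructed data)."""
    gw = PreAuthGateway(licensed_users={"alice"}, public_pages={"faq"})
    t0 = datetime(2024, 1, 1, 9, 0)
    results = {"anon_public": gw.authorize(None, "faq", t0)}
    results["alice_login"] = gw.login(IdpAssertion("alice", True), t0)
    results["alice_private"] = gw.authorize("alice", "roadmap", t0)
    results["bob_login"] = gw.login(IdpAssertion("bob", True), t0)
    results["bob_public"] = gw.authorize("bob", "faq", t0 + timedelta(minutes=10))
    results["bob_private"] = gw.authorize("bob", "roadmap", t0)
    results["bob_expired"] = gw.authorize("bob", "faq", t0 + timedelta(minutes=31))
    results["no_mfa"] = gw.login(IdpAssertion("carol", False), t0)
    return results
```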
The SSO plugin sounds interesting. Currently we have some Confluence spaces that are anonymously accessible so that we don't need to give Confluence user licenses to those who only read.
But with the SSO add-on, when they log in with their corporate account, won't they use a Confluence license? We do want them to log in to view the content, but without actually having them log in to Confluence, as that would require a valid user license.
How would that work with the plugin? And is the same possible for Jira?
Thanks in advance!