You're on your way to the next level! Join the Kudos program to earn points and save your progress.
Level 1: Seed
25 / 150 points
1 badge earned
Challenges come and go, but your rewards stay with you. Do more to earn more!
What goes around comes around! Share the love by gifting kudos to your peers.
Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!
Join now to unlock these features and more
I have a JIRA CROWD installation with CROWD: JIRA, confluence, bitbucket, bamboo, fisheye, crucible, on Server 2008 R2. Users log onto ActiveDirectory then web interface to JIRA and use another name and password to authenticate to confluence, bitbucket, bamboo, fisheye, crucible.
How do I setup Crowd with ActiveDirectory to have the ActiveDirectory user name and password use the CROWD applications?
Is there a way that this will log , confluence, bitbucket, bamboo, fisheye, crucible in the Server 2008 R2 Event Logs?
I don't need SSL
Hello, I am headed into work to try this,
Re-reading your responses, I am looking for staff to login into ActiveDirectory (obviously authenticating with a user name and password), then accessing Confluence, Bitbucket, Bamboo, JIRA with their Windows Authentication, and not having to renter a second JIRA / Atlassian user name and password.
Adding any type of Active Directory LDAP connection will not so this alone, I need to:
1. Create the groups in AD and Add Users
Enabling SSO at the Atlassian JIRA Server
2. And get the IWAAC Kerberos SSO add-on
3. Then Crowd -> Active Directory and IWAAC -> Active Directory
Thank you sir
More precisely I would say
For steps 1 to 3, I suggest that you follow Atlassian's instructions for Crowd integration.
For step 4, please follow the instructions at https://www.cleito.com/products/iwaac/documentation/
We (at Cleito) will also be happy to assist you if you need help. Please contact us at firstname.lastname@example.org
Thank you Bruno. Just checking has anything changed with above steps with recent versions of crowd?
My understanding is that you only want to see the "bitbucket-users" and "bibucket-administrators" groups in the Groups tab of your Active Directory connector in Crowd.
You just need to set the following filter in the Group object filter field of the Configuration tab:
Excellent! That worked. I've to click on synchronise on Crowd and Bitbucket directories to take immediate effect.
I guess creating such filters with only the required groups is a good practice. Please let me know your thoughts on this.
One last question, if I may.
Can you assign rights with this? I you wanted some user to have Read only with bamboo, and one user to have Write with Bitbucket can you do that?
I guess what I am asking is how do you setup SSO rights in AD (I assume with GPO) and have those rights in Atlassian?
Yes, you can assign rights but it does not work the way you think.
Let's suppose you have Active Directory groups such as "bamboo-users", "bamboo-administrators", "bitbucket-users" and "bitbucket-administrators". You can configure Crowd so that only users who belong to the "bamboo-users" group will be able to log onto Bamboo, even if they previously got a Crowd SSO cookie when authenticating on Bitbucket.
You set up fine-grained rights such as the ones you mentioned in the applications themselves (e.g: read rights for "bamboo-users", read/write rights for "bamboo-administrators").
If you want Web SSO between your Atlassian applications (which means users log onto the Web interface of - let's say - JIRA and then are not asked to authenticate again on Confluence, Bitbucket etc.), you will need these applications to connect to a standalone Crowd server for user management (when reading your question, I thought you might be talking about Crowd embedded in Jira, which does not provide Web SSO).
Once done, if you still don't get Web SSO, that's probably because you forgot to enable SSO in the corresponding configuration file (seraph-config.xml for most applications). Please take a look at the following pages:
In addition, if you want "full" Windows desktop SSO (which means that your users log onto Windows and then can use Atlassian applications without being asked any username and password), you will need to get the following add-on: IWAAC Kerberos SSO
(Disclaimer: I work for the plugin's vendor)
You can see IWAAC in action in the following video:
Finally, to answer your last question, you can obviously follow LDAP (Crowd -> Active Directory) and Kerberos (IWAAC -> Active Directory) events in the Event Logs of your AD domain controller.