Hello
I have a JIRA CROWD installation with CROWD: JIRA, confluence, bitbucket, bamboo, fisheye, crucible, on Server 2008 R2. Users log onto ActiveDirectory then web interface to JIRA and use another name and password to authenticate to confluence, bitbucket, bamboo, fisheye, crucible.
How do I setup Crowd with ActiveDirectory to have the ActiveDirectory user name and password use the CROWD applications?
Is there a way that this will log , confluence, bitbucket, bamboo, fisheye, crucible in the Server 2008 R2 Event Logs?
I don't need SSL
Thanks
T
Hello, I am headed into work to try this,
Re-reading your responses, I am looking for staff to login into ActiveDirectory (obviously authenticating with a user name and password), then accessing Confluence, Bitbucket, Bamboo, JIRA with their Windows Authentication, and not having to renter a second JIRA / Atlassian user name and password.
Adding any type of Active Directory LDAP connection will not so this alone, I need to:
1. Create the groups in AD and Add Users
"bitbucket-users"
"bitbucket-administrators"
“bamboo-users”
“bamboo-administrators”
“confluence-users”
“confluence-administrators”
Enabling SSO at the Atlassian JIRA Server
2. And get the IWAAC Kerberos SSO add-on
3. Then Crowd -> Active Directory and IWAAC -> Active Directory
Thank you sir
T
You're welcome!
More precisely I would say
For steps 1 to 3, I suggest that you follow Atlassian's instructions for Crowd integration.
For step 4, please follow the instructions at https://www.cleito.com/products/iwaac/documentation/
We (at Cleito) will also be happy to assist you if you need help. Please contact us at support@cleito.com
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thank you Bruno. Just checking has anything changed with above steps with recent versions of crowd?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
No, as of today nothing has changed 😊
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
How can we create a filter so we don't sync all active directory into crowd and just sync the groups for example "bitbucket-users" and "bitbucket-administrators"?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
My understanding is that you only want to see the "bitbucket-users" and "bibucket-administrators" groups in the Groups tab of your Active Directory connector in Crowd.
You just need to set the following filter in the Group object filter field of the Configuration tab:
(&(objectCategory=Group)(|(cn=bitbucket-users)(cn=bitbucket-administrators)))
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Excellent! That worked. I've to click on synchronise on Crowd and Bitbucket directories to take immediate effect.
I guess creating such filters with only the required groups is a good practice. Please let me know your thoughts on this.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
One last question, if I may.
Can you assign rights with this? I you wanted some user to have Read only with bamboo, and one user to have Write with Bitbucket can you do that?
I guess what I am asking is how do you setup SSO rights in AD (I assume with GPO) and have those rights in Atlassian?
Thanks
T,
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Yes, you can assign rights but it does not work the way you think.
Let's suppose you have Active Directory groups such as "bamboo-users", "bamboo-administrators", "bitbucket-users" and "bitbucket-administrators". You can configure Crowd so that only users who belong to the "bamboo-users" group will be able to log onto Bamboo, even if they previously got a Crowd SSO cookie when authenticating on Bitbucket.
You set up fine-grained rights such as the ones you mentioned in the applications themselves (e.g: read rights for "bamboo-users", read/write rights for "bamboo-administrators").
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thank you very much, the team was looking to have SSO and this looks like it is it,
Thank you again,
Sincerely,
T
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
If you want Web SSO between your Atlassian applications (which means users log onto the Web interface of - let's say - JIRA and then are not asked to authenticate again on Confluence, Bitbucket etc.), you will need these applications to connect to a standalone Crowd server for user management (when reading your question, I thought you might be talking about Crowd embedded in Jira, which does not provide Web SSO).
Once done, if you still don't get Web SSO, that's probably because you forgot to enable SSO in the corresponding configuration file (seraph-config.xml for most applications). Please take a look at the following pages:
In addition, if you want "full" Windows desktop SSO (which means that your users log onto Windows and then can use Atlassian applications without being asked any username and password), you will need to get the following add-on: IWAAC Kerberos SSO
(Disclaimer: I work for the plugin's vendor)
You can see IWAAC in action in the following video:
https://youtube.com/watch?v=MPmx9ATD1wg
Finally, to answer your last question, you can obviously follow LDAP (Crowd -> Active Directory) and Kerberos (IWAAC -> Active Directory) events in the Event Logs of your AD domain controller.
Bruno
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.