Hello,
We're currently using Crowd as SSO between Jira and Confluence connected to Azure Active Directory, which syncs all users, groups, etc., which is working well. However, Crowd doesn't support Azure MFA, so if a user has MFA enabled, this stops them from being able to log in at all to Jira and Confluence.
This is a known limitation (https://jira.atlassian.com/browse/CWD-5322).
Therefore, are there any third-party plugins that support Azure MFA? From what I can see there are none as yet in the Marketplace.
Thanks
Hi @Ariel Perez ,
In Crowd SSO, all the user authentication will be done on the backend; in this case, Azure does not have an optional prompt for the MFA authentication.
There are multiple add-ons in the marketplace which you can use to connect JIRA and Confluence to Azure AD for SSO and on top of that, you can enable Azure AD MFA as well.
I work for miniOrange, one of the top SSO vendors in the Atlassian Marketplace, and we have a plugin that you are looking for.
Here, you will need to install three plugins.
Using the SSO connector, any user accessing that application gets redirected to Azure AD for SSO.
In this case, all the SAML SSO requests and responses to and from Azure AD will go through the Crowd server. The user authentication and MFA will be done by Azure AD, and Crowd can still be used to manage users and their permissions for JIRA and Confluence.
Also, you don't need to change any structure or configuration of your existing Crowd SSO setup. All the additional configuration you can do from the plugin's UI.
You also can reach out from our customer portal for more details.
Thanks,
Lokesh
Hi @Ariel Perez ,
Our plugins fully support authentication via SAML to Azure AD, including the use of MFA. It's actually quite a common use case.
In your scenario you have two ways to configure our plugin:
1. Leave Crowd as the directory for your Atlassian Application.
In this scenario, you leave Crowd in place to synchronize the users with Azure AD into the Atlassian applications. Our plugin then only does the authentication part towards Azure AD. In both your Confluence & Jira, you disable the Crowd authenticator, then install & configure our plugin.
When a user is not logged into the Atlassian application yet, he gets redirected to Azure AD. If he is authenticated there already, then he gets redirected straight back. If not, Azure AD prompts for the password & MFA if configured so.
This is a good solution if you still manage many groups locally in Crowd across all Applications.
Here are some of the documentation links for this kind of setup: https://wiki.resolution.de/doc/saml-sso/latest/all/setup-guides-for-saml-sso/azure-ad/azure-ad-with-manual-provisioning
2. Use our Plugin to Authenticate & Synchronize Users from Azure AD.
Our plugin has the functionality to not just authenticate users but also to synchronize them into the Atlassian application via the Azure AD API, effectively eliminating the need for Crowd in this particular instance.
This is a good solution if your Azure AD is the source of truth for both Users & Groups so that there is no (or very little) local group management that needs to be available in both Confluence & Jira.
Here are some of the documentation links for this kind of setup: https://wiki.resolution.de/doc/saml-sso/latest/all/setup-guides-for-saml-sso/azure-ad/azure-ad-with-user-sync
Cheers,
Chris
P.S. Full disclosure, I work for resolution, a marketplace vendor.