How do you auto-provision users to applications with Crowd?

In the past, I've tied the various Atlassian apps directly to AD/LDAP, using the "add to group on first login" feature. This worked well for our needs, as it allowed the apps to "see" all users in the corp directory, for mentions and such, yet only consume licenses when the user actually logged in, thus becoming a member of the "can use" group for that app.

I'm trying to re-create this behavior in Crowd, and so far, have been unsuccessful.

I see that there's an option to auto-add users to groups upon authentication at the directory level. It seems that if I were to use that though, I would be provisioning a user for multiple apps when they first log in to any of the apps. That's not what I want.

Searching on answers, I found a few responses around using a directory-per-application approach, with each directory pointing to the same backend (AD in our case) source. It's my impression that in doing so though, you break SSO. It also seems horribly inefficient and confusing.

I certainly don't want to be a gatekeeper to users gaining access to the tools and information they need by manually provisioning and adding users to groups all the time. We want everyone to automatically have access to the various "general use only" content across the tools without tickets and requests for access.

It's also very important that Confluence and others support the notion of mentioning users regardless of their "can use" status in the apps. We're trying to foster collaboration, and expect mentions to draw people in.

I feel like I'm missing something, because Crowd seems to be making this harder than going direct to AD, and I was under the impression I'd have more control, not less.

1 answer

0 votes

Hi Mark,

Unfortunately, the default group memberships upon successful authentication actually work at the directory level in Crowd. If not already done, you might want to vote for this improvement request: https://jira.atlassian.com/browse/CWD-3726

I've seen a few pointers that suggest that, and I was hoping it was either stale data, or I was just misunderstanding things.

As far as I can tell, if you use Crowd, you lose:

  • the ability to mention users who've never logged in
  • the ability to auto-provision users per application

but gain:

  • centralized (albeit manual/scripted) user management
  • SSO

The centralized user management can be mitigated if the various apps are all tied into AD/LDAP.

I'm not sure I'm seeing SSO as enough of a benefit to negate auto provisioning and mentions.

This is really disappointing, as Crowd was to be a key component in our new deployment. We may have to re-think this.

 

 

 
