SOLVED: Crowd/Jira/Confluence integration with Azure AD for SSO (design & fail)

I am exploring ways to integrate Jira, Confluence etc. with SSO to AzureAD. My idea so far is to use the direct directory integration of Crowd with Azure AD to provision users and groups. SSO auth with Atlassian tools should happen with snap-ins like "Microsoft Azure Active Directory single sign-on for JIRA".

This article seems to point in the same direction: 

https://community.atlassian.com/t5/Crowd-questions/Authenticate-Azure-AD-users-against-Crowd-and-Atlassian-products/qaq-p/849794

Has anybody got such a setup already up and running?

So far I fail already in my test setup with the following error message when trying to sync Crowd with AAD:

2019-02-19 09:31:45,005 Caesium-2-4 INFO [microsoft.aad.adal4j.AuthenticationAuthority] [Correlation ID: b28eb4bb-e5f4-4433-bb59-c4881b655d50] Instance discovery was successful
2019-02-19 09:31:46,520 Caesium-2-4 ERROR [atlassian.crowd.directory.DbCachingDirectoryPoller] Error occurred while refreshing the cache for directory [ 1277954 ].

Thanks a lot for your input!

Peter

2 answers

2 accepted

0 votes
Answer accepted

If anybody is interested: Works as expected! You can use all "bells and whistles" of Azure AD authentication such as:

  1. Azure MFA (and other conditional access related protection)
  2. Password-free authentication with Authenticator app
  3. (USB) Token key MFA with third-party products like Duo security
  4. Support for external IDs (B2B guests)

Very cool stuff.

Would be nice to see Atlassian having an official documentation on that.

Hi Peter,

Maybe you can help us out;

  • We had an internal Atlassian environment for which we used a SAML SSO plugin to authenticate against Azure, which is working fine
  • The user directory was directly retrieved from our internal AD
  • We are now migrating to a hosted environment which will not have access to our internal AD
  • By installing Crowd, we managed to set up the User directory against Azure AD, and we can now see the users in our tooling (tested with Jira & Confluence)
  • We would like to replace the SAML SSO plugins by the Crowd SSO plugin, in which Crowd would authenticate against Azure, just like in your setup.
  • Now we are however totally stuck within the documentation on how to move on from here.

Can you give us some pointers and/or share details of your setup? It would be much appreciated!

 

Kind regards,

Joost

Joost, I am using on-prem Crowd to sync accounts from Azure AD to Jira/Confluence. For Jira/Confluence, auth happens with Microsoft's SSO plug-ins for AAD. I know that the cloud version of Crowd supports SAML, but have never tried to use this for SSO.

Peter

Ok, thanks for your reply. We were hoping that Crowd would be able to replace any additional SSO plugins, but it seems to be only in addition then. The MS plugins are not available for Bitbucket & Bamboo as far as I know. That would then mean that users need to use Jira or Confluence before going to Bitbucket or Bamboo to have a full SSO experience. We will do some testing with this setup, and I'll let you know how it went.

 

kind regards,

Joost

I bumped into Crowd Data Server 3.4 with SSO 2.0. This might also be an SSO option with Azure AD completely built on Atlassian modules. Besides Jira and Confluence, it also supports Bitbucket. Any experiences so far?

We did shortly look into that, and loaded a datacenter license. However, the system add-on in Jira and Confluence was reporting to be an incompatible version (which should not have been the case), and could not be set up.

 

We did install the MS add-on, and though it works, it is not the most beautiful solution out there. What we would like, is to have any user being redirected to the SSO when accessing the Jira/Confluence pages. With the MS Add-on, users still need to click the logon button, or use the direct SSO link. Compared to that the configurability of our current plugin is much nicer, so we will keep using that. With the combination of Crowd and the SAML SSO plugin, we have everything working, but we are still looking at another route, that would not require Crowd.

So what we are now trying to do is set up an SLDAP server within Azure, and connect that as a user directory. This way we avoid the need for Crowd, simply for connecting to Azure. We will post an update when we have tried that.

kind regards

Joost, SLDAP within Azure means Azure AD Domain Services (AAD-DS), right? This approach would not allow you to have SSO with AAD nor AAD Conditional Access / MFA / password-free sign-in options. Is this what you are looking for?

Hi Joost,

thanks for speaking highly about our SAML Single Sign On Plugin.

I am not sure if you have seen this, but in the newer versions our plugin supports direct user synchronisation with Azure AD (and Okta, GSuite).

There may be no need for SLDAP. If you share your exact use case/requirements, I may be able to give you a bit more advice.

If you don't want to share your topology in a public Forum, you can also do this in a support case: https://resolution.de/go/support

Cheers,
    Christian

Full disclosure: I work for resolution GmbH, a marketplace vendor.
