SOLVED: Crowd/Jira/Confluence integration with Azure AD for SSO (design & fail)

Peter Meuser February 19, 2019

I am exploring ways to integrate Jira, Confluence etc. with SSO to AzureAD. My idea so far is to use the direct directory integration of Crowd with Azure AD to provision users and groups. SSO auth with Atlassian tools should happen with snap-ins like "Microsoft Azure Active Directory single sign-on for JIRA".

This article seems to point in the same direction: 

https://community.atlassian.com/t5/Crowd-questions/Authenticate-Azure-AD-users-against-Crowd-and-Atlassian-products/qaq-p/849794

Has anybody got such a setup up and running already?

So far I already fail in my test setup, with the following error message when trying to sync Crowd with AAD:

2019-02-19 09:31:45,005 Caesium-2-4 INFO [microsoft.aad.adal4j.AuthenticationAuthority] [Correlation ID: b28eb4bb-e5f4-4433-bb59-c4881b655d50] Instance discovery was successful
2019-02-19 09:31:46,520 Caesium-2-4 ERROR [atlassian.crowd.directory.DbCachingDirectoryPoller] Error occurred while refreshing the cache for directory [ 1277954 ].

Thanks a lot for your input!

Peter

7 answers

2 accepted

1 vote
Answer accepted
Peter Meuser February 19, 2019

If anybody is interested: Works as expected! You can use all "bells and whistles" of Azure AD authentication, such as:

  1. Azure MFA (and other conditional access related protection)
  2. Password-free authentication with Authenticator app
  3. (USB) Token key MFA with third-party products like Duo security
  4. Support for external IDs (B2B guests)

Very cool stuff.

It would be nice to see Atlassian have official documentation on that.

Joost van Orsouw April 5, 2019

Hi Peter,

Maybe you can help us out;

  • We had an internal Atlassian environment for which we used a SAML SSO plugin to authenticate against Azure, which is working fine
  • The user directory was directly retrieved from our internal AD
  • We are now migrating to a hosted environment which will not have access to our internal AD
  • By installing Crowd, we managed to set up the user directory against Azure AD, and we can now see the users in our tooling (tested with Jira & Confluence)
  • We would like to replace the SAML SSO plugins with the Crowd SSO plugin, in which Crowd would authenticate against Azure, just like in your setup.
  • Now we are however totally stuck within the documentation on how to move on from here.

Can you give us some pointers and/or share details of your setup? It would be much appreciated!


Kind regards,

Joost

Peter Meuser April 5, 2019

Joost, I am using on-prem Crowd to sync accounts from Azure AD to Jira/Confluence. For Jira/Confluence, auth happens with Microsoft's SSO plug-ins for AAD. I know that the cloud version of Crowd supports SAML, but I have never tried to use this for SSO.

Peter

Joost van Orsouw April 8, 2019

Ok, thanks for your reply. We were hoping that Crowd would be able to replace any additional SSO plugins, but it seems to be only in addition then. The MS plugins are not available for Bitbucket & Bamboo as far as I know. That would then mean that users need to use Jira or Confluence before going to Bitbucket or Bamboo to have a full SSO experience. We will do some testing with this setup, and I'll let you know how it went.


kind regards,

Joost

Peter Meuser April 17, 2019

I bumped into Crowd Data Center 3.4 with SSO 2.0. This might also be an SSO option with Azure AD completely built on Atlassian modules. Besides Jira and Confluence, it also supports Bitbucket. Any experiences so far?

Joost van Orsouw April 17, 2019

We did shortly look into that, and loaded a Data Center license. However, the system add-on in Jira and Confluence was reporting to be an incompatible version (which should not have been the case), and could not be set up.

We did install the MS add-on, and though it works, it is not the most beautiful solution out there. What we would like is to have any user be redirected to the SSO when accessing the Jira/Confluence pages. With the MS add-on, users still need to click the logon button, or use the direct SSO link. Compared to that, the configurability of our current plugin is much nicer, so we will keep using that. With the combination of Crowd and the SAML SSO plugin, we have everything working, but we are still looking at another route that would not require Crowd.

So what we are now trying to do is set up an SLDAP server within Azure, and connect that as a user directory. This way we avoid the need for Crowd simply for connecting to Azure. We will post an update when we have tried that.

kind regards

Peter Meuser April 17, 2019

Joost, SLDAP within Azure means Azure AD Domain Services (AAD-DS), right? This approach would allow you neither SSO with AAD nor the AAD Conditional Access / MFA / password-free sign-in options. Is this what you are looking for?

Christian Reichert (resolution)
April 17, 2019

Hi Joost,

thanks for speaking highly of our SAML Single Sign On plugin.

I am not sure if you have seen this, but in the newer versions our plugin supports direct user synchronisation with Azure AD (and Okta, G Suite).

There may be no need for SLDAP. If you share your exact use case/requirements, I may be able to give you a bit more advice.

If you don't want to share your topology in a public forum, you can also do this in a support case: https://resolution.de/go/support

Cheers,
Christian

Full disclosure: I work for resolution GmbH, a marketplace vendor.

bromoserwfm August 1, 2019

@Peter Meuser, I'm unclear on what you're saying - how specifically did you manage to get Crowd to handle MFA-enabled Azure AD users? You seem to be suggesting that you are using the native Crowd Azure AD connector, but I've confirmed only non-MFA users are currently able to log in using the connector in Crowd 3.5.

Edit: I see that you used the (never updated nor supported) Microsoft plugin to provide SSO for Jira/Confluence. That explains how you got this working - sorry for missing your post.

Warwick Bambrook August 24, 2020

Hi,

Can anyone tell me if this solution is available without Crowd? We are looking to connect Jira and Confluence to AzureAD and would like to use AD groups for authorization and SSO for authentication.

I did some trials of the SSO, but couldn't get the LDAP to sync for the groups/roles access.

regards

Warwick

0 votes
Peter Meuser November 21, 2019

Please have a look at the recently introduced value "user.localuserprincipalname" for an additional claim in SSO section of your AAD enterprise app setting.

0 votes
KO89 September 27, 2019

@Peter Meuser 

Hello, I was able to set up SSO using the free plugins as well. However, you made a point that the plugins have "Support for external IDs (B2B guests)". Can you verify this to be true? Currently, my internal users work fine, but my B2B users sync to Crowd with a #EXT#dosinvest.onmicrosoft.com added to the end of the userprincipalname. This makes it impossible to use the plugin. Do you have any experience with this?

Thank you

Stephen Neil November 21, 2019

Hi Peter, did you manage to address this? We may be observing a similar issue with external users and the plugin

(It is working for external Gmail users with a MS live account, but failing for other users with their own external AzureAD accounts - those accounts can successfully access other resources on our Office365 area, e.g. SharePoint, so we know their external SSO accounts are working...just not through JIRA)

Peter Meuser November 21, 2019

Please have a look at the recently introduced value "user.localuserprincipalname" for an additional claim in SSO section of your AAD enterprise app setting.

Stephen Neil November 21, 2019

Much appreciated for the pointer there @Peter Meuser - claim added and awaiting feedback

Owens K November 21, 2019

Thanks for the update, going to test and hope for the best.

Stephen Neil November 22, 2019

@Peter Meuser , thanks for your help here - updating the SSO claim value has worked and our external users now have access! Much appreciated.

Owens K November 22, 2019

@Stephen Neil Can you confirm the new claim value truncates the #ext#xxx.onmicrosoft.com from the principal name?

Stephen Neil November 23, 2019

Hi @Owens K we use Crowd to sync our AD users with JIRA. 

In AD the external guest account username is username@externaldomain.com

The synced username in JIRA is username_externaldomain#EXT#@mydomain.onmicrosoft.com (their email address on the JIRA user record is username@externaldomain.com)

After updating the Unique User Identifier claim value in the JIRA SSO app to "user.localuserprincipalname" I can confirm that our external users have been able to sign in at the SSO screen using username@externaldomain.com

Owens K November 26, 2019

Awesome, thanks @Stephen Neil . I'll give it a go in my environment as well.

Owens K November 26, 2019

For anyone who may need this, I can confirm as well that the claim "user.localuserprincipalname" works for the Atlassian application if using external guest accounts.
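The claim change this thread converges on, as an added example that is not part of any post here: it derives a guest's home identity from the "#EXT#" UPN form Stephen describes (written with the external domain in full) and reports which Crowd-synced accounts would receive a NameID that differs from the address they type at the Azure AD sign-in screen, for each Unique User Identifier source. The decoding rule and the assumption that "user.localuserprincipalname" emits exactly this value are taken from the thread's observations, not from Microsoft documentation; all sample accounts are constructed.

```python
from dataclasses import dataclass

EXT_MARK = "#EXT#"

@dataclass(frozen=True)
class DirectoryUser:
    """One Azure AD account as Crowd syncs it. Constructed sample data, not a real tenant."""
    upn: str         # userPrincipalName in the inviting tenant; becomes the Crowd/Jira username
    home_login: str  # address the person actually types at the Azure AD sign-in screen

def local_upn(upn: str) -> str:
    """Derive a guest's home identity from the '#EXT#' form of its UPN.

    A guest invited as bob@externaldomain.com is stored as
    'bob_externaldomain.com#EXT#@tenant.onmicrosoft.com': the '@' of the home
    identity becomes '_'. Local parts may contain '_' themselves, so the last
    '_' before '#EXT#' is the separator. Assumption: this is what the
    'user.localuserprincipalname' claim emits; member UPNs come back unchanged.
    """
    left, mark, rest = upn.partition(EXT_MARK)
    if not mark or not rest.startswith("@"):
        return upn  # a member account, or not the guest encoding at all
    local, sep, domain = left.rpartition("_")
    if not sep or not local or "." not in domain:
        return upn  # malformed; leave untouched rather than guess
    return f"{local}@{domain}"

def claim_value(user: DirectoryUser, claim: str) -> str:
    """NameID the SAML assertion carries for a given Unique User Identifier source."""
    if claim == "user.userprincipalname":
        return user.upn
    if claim == "user.localuserprincipalname":
        return local_upn(user.upn)
    raise ValueError(f"unsupported claim source: {claim}")

def nameid_mismatches(users, claim: str) -> list:
    """UPNs whose NameID under `claim` differs from the identity the user signs in with.

    Run over a Crowd sync export before changing the claim: every account listed
    here is the kind of guest the thread reports as failing at the SSO step.
    """
    return [u.upn for u in users
            if claim_value(u, claim).lower() != u.home_login.lower()]

SAMPLE_USERS = [  # constructed: a member, a guest, and a guest with '_' in the local part
    DirectoryUser("alice@mydomain.com", "alice@mydomain.com"),
    DirectoryUser("bob_externaldomain.com#EXT#@mydomain.onmicrosoft.com", "bob@externaldomain.com"),
    DirectoryUser("c_d_partner.example#EXT#@mydomain.onmicrosoft.com", "c_d@partner.example"),
]
```

With the default "user.userprincipalname" source both guests are reported; with "user.localuserprincipalname" the list is empty, which is the outcome Stephen and Owens confirmed.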

0 votes
Oleksandr Zharnovskyi June 26, 2019

@Joost van Orsouw could you please share a brief setup doc?
thank you!

0 votes
Joost van Orsouw May 22, 2019

Regarding our final setup;

  • We completed the setup by using SLDAP in Azure
  • Using SLDAP takes away the need for Crowd
  • After the user directory for SLDAP was created, we did a sync, which worked fine
  • When setting up the directory we also set a default group (e.g. Jira-Users) for users that have successfully authenticated
  • SLDAP was beneficial to us, since we could set up the user directory exactly the same as we did when the environment was still internally hosted and connected to AD
  • @Christian Reichert (resolution); we tried the Azure sync of your plugin together with your support team, but the sync was very slow and we had issues with the username (we use firstname.lastname instead of e-mail). Because of the different format, user search produced duplicate results, and tickets were not connected to the new user format. Since it was a new feature, we decided to wait until it has developed further
  • After the user directory is in place, you can use a paid plugin, or the free one from MS, to set up a SAML connection with Azure
  • We have set up conditional access with MFA and everything
  • @Tony Liu; the above setup works perfectly for us. If needed I think I can share the setup documentation after anonymizing it

Kind regards,

Joost

Peter Meuser May 22, 2019

Joost, if you do not rely on Crowd on-prem, this is a valid approach, too.

"SLDAP for Azure" means you have enabled the additional product "Azure AD Domain Services", right?

It would be nice to see Atlassian support Azure AD besides AD in all their products, so that Crowd, AAD-DS and third-party tools, which all add complexity, are not required anymore.

Tony Liu May 22, 2019

@Joost van Orsouw, thank you so much for sharing your experience. Yes, it'd be greatly appreciated and helpful if you could send your setup doc. What's the best way to send my email address to you?

Joost van Orsouw May 22, 2019

Give me some time tomorrow, and I'll create a short setup guide for it. Maybe we can post it here, otherwise I will share a link.

kind regards

Joost

Alex G June 26, 2019

@Joost van Orsouw could you please share a brief setup doc?
thank you!

James Tam July 12, 2019

@Joost van Orsouw

Are you using on-prem Atlassian products or Cloud? If on Cloud, is this setup for AzureAD SSO with Atlassian possible without subbing to Atlassian Access?

Thanks!

0 votes
Tony Liu May 21, 2019

Hi Peter,

On your Feb 19 post, you said:

>>>If anybody is interested: Works as expected! You can use all "bells and whistles" of Azure AD authentication as:

  1. Azure MFA (and other conditional access related protection)
  2. Password-free authentication with Authenticator app
  3. (USB) Token key MFA with third-party products like Duo security
  4. Support for external IDs (B2B guests)

Very cool stuff.

Would be nice to see Atlassian having an official documentation on that.

>>>

Are you integrating Crowd with Azure AD? We are about to integrate Atlassian with AAD, but if following the instructions on this doc: https://confluence.atlassian.com/crowd/configuring-azure-active-directory-935372375.html

It says "Crowd doesn't support multi-factor authentication. You'll need to disable it for your users in Azure AD, or they will not be able to log in to Crowd or any integrated applications."

Would you care to share more details what you did?

Thanks

Tony Liu

Peter Meuser May 21, 2019

Tony, the trick is that you don't use Crowd for SSO. The approach that I have followed is to install the SSO plug-ins for AAD from Microsoft on Jira and Confluence. These of course support all AAD sign-in methods, incl. conditional access and MFA. Crowd is just used as the central user directory for Jira and Confluence. You can sync users between Crowd and AAD and then from Crowd to Jira/Confluence. This is how it works for me in a PoC for a larger environment.

Tony Liu May 21, 2019

Peter, Thank you and thank you for the quick response.

Regards,

Tony

Christian Reichert (resolution)
May 21, 2019

Hi Peter,

the alternative to this can be one of the commercial plugins like ours. For example, with our plugin you can synchronise users straight into Confluence / Jira and also do all the authentication via SAML.

So depending on your exact setup you could get some of these benefits:

  • No need for Crowd (licensing + server + operational costs)
  • As SSO is the only way for users to log in, most of our customers see this as business critical and hence want a solution that has official & commercial support.
  • As a Top Vendor we have to deliver compatible versions for the newest Atlassian products within 14 days of release (usually it's within hours, as we get access to beta releases).
  • Our plugin supports a variety of additional features that are very often required in enterprise deployments (multiple IdPs, single logout, encryption, group/user filtering & transformations, just to name a few).
  • Our plugins are available for all Atlassian products, not just Jira/Confluence.

In short, there are multiple ways to get to a working solution - you need to judge, depending on your use case, which one suits you better.

Here are our plugins on the marketplace: https://marketplace.atlassian.com/vendors/1210947/resolution-reichert-network-solutions-gmbh

We are not the only choice, there are more: https://marketplace.atlassian.com/search?query=saml

Here is the Setup for Azure AD described: https://wiki.resolution.de/doc/saml-sso/latest/all/setup-guides-for-saml-sso/azure-ad/azure-ad-with-user-sync

Cheers,
   Chris
