I am looking for community advice on how best to integrate existing on-prem Confluence and Jira Software with ADFS.
Currently, each application connects directly to an LDAP user directory (Active Directory). The vast majority of our users are AD users (99%), and practically all permissions and access rights are assigned via membership in AD groups. Overall, we have over 1000 users and groups in AD that are used by Confluence and Jira (space/project permissions, 3rd party addon permissions and such).
Both Confluence and Jira have a regular Server license (not DC), so there is no direct way to integrate with a SAML based IdP such as ADFS.
According to a diagram in this document here, using Atlassian Crowd might be a solution to overcome that limitation (scroll down to "using Atlassian Crowd ... with Active Directory Federation Services"); however, the document doesn't give any further details.
I have deployed a new Crowd instance, but it's not yet connected to any external directories (there is only one internal directory created by the setup wizard).
Specific questions that I'm looking for your input on (focusing on Confluence first):
- How do I add (integrate) an existing Confluence application into Crowd, while at the same time ensuring that existing AD users and groups continue to work as they do today (user permissions and access rights don't change)? The available documentation that I found so far covers only adding an application that uses local accounts and groups, whereas my application uses AD users and groups.
- After I have Crowd doing the authentication part for Confluence, how do I switch Crowd from LDAP to ADFS?
- Does this plan make sense (doable)? If I'm missing something and you would do it differently, what way would you do it?
Any advice and suggestions will be greatly appreciated!
Installed Crowd version: 3.7, Confluence: 7.1, Jira: 8.5
I believe there is a misunderstanding. Crowd does not integrate with ADFS via SAML. In the document you referred to, it's the application itself that integrates with ADFS via SAML using a SAML app inside the application, whereas Crowd merely serves as the backend user directory, itself (optionally) integrated with the AD (which also happens to be "behind" ADFS). Crowd Data Center has the ability to be a SAML IdP, but this is again not what you are after.
You don't really need Crowd. Your setup is 100% ready to integrate with ADFS by installing one of SAML SSO apps into your Jira Software and Confluence.
I work for Techtime, an Atlassian Marketplace Top Vendor and vendor of the EasySSO app for Server and Data Center. We target complex environments where there may be a need for additional authenticators – besides SAML, we provide 4 more: NTLM, Kerberos, HTTP Headers and X.509. Because of that we could give you a standards-based SSO even without ADFS, but we work with ADFS too. Do give it a try; it should take you less than 5 minutes, and our 24x7 support is here to help if required.
Thanks Ed. I was hoping I could use Crowd to connect my apps to ADFS without upgrading to Data Center, but if it's the only way, then I am going to take a closer look at available 3rd party add-ons, such as the one you suggested.
I'm looking at this now as well, to get out from under some dated Portal tech. Easy SSO appears to be working. However we have Crowd Server. It appears I would have to move to Crowd Data Center to bring ADFS / SAML into a single point of configuration. Really depends on whether you have Crowd in your environment or not. Easy SSO appears to be the way to go if you are running independent apps with separate directory connections.
Would love to hear what you've found or decided.
Again, there is some major misunderstanding here...
Crowd Data Center will NOT bring ADFS/SAML into "a single point of configuration". Crowd will be talking to AD (not ADFS) via LDAP. Applications in the backend may be connected to Crowd with separate Crowd directory connections. Applications, if you use Atlassian SSO, will be talking to Crowd via SAML (not to ADFS via SAML) using individual apps inside each application.
In general, all 3rd party SAML plugins will happily work with Crowd Server in the background. You may have some issues with auto-provisioning users.
I ended up using the Kantega SSO 3rd party addon to connect both Jira and Confluence to the ADFS IdP. They are on the higher end of the price range, but in return I got a solution that meets my needs like it was specifically designed for it. A couple of things that weren't there at the start of my testing were added into the product within a couple of weeks.
Hope this helps.
@AR,
In case you are still looking for an SSO solution for your Atlassian suite of applications while using Crowd for user and group management, you can take a look into the Crowd SAML SSO Plugin and its connector add-on for Atlassian applications.
It will enable SAML SSO to your Atlassian application from any SAML IDP including ADFS.
You just need to connect Crowd to ADFS for SAML SSO and, using the SSO connector, any user accessing the application gets redirected to ADFS for SSO.
Also, all the SSO requests and responses to and from ADFS will go through the Crowd server. The user authentication will be done by ADFS, and Crowd can still be used to manage user permissions.
Thanks,
Lokesh
Full Disclosure: I work for miniOrange. In case you need assistance with the setup, feel free to raise a support request here