I am a bit confused about what Crowd does for me.
Most of my other "locally installed products" support Windows integrated single sign on as part of the product.
Once properly configured, I do not need to sign into my internally hosted sites like Octopus Deploy, Team City etc. I can just click a link on the login page that says something like "Sign in with your Microsoft Windows Domain account". I click that and I am signed in. (I do not have to enter my domain credentials into those sites.)
But JIRA does not seem to have that "in the box", so we got Crowd. But, from what I have read recently, Crowd only provides integration between Atlassian products? (I am confused why the Atlassian products need to sell a separate product just so they can integrate...)
So, is the ability to just sign in to my Windows machine and then use those credentials not part of Jira?
I have read of some plugins that seem to offer this feature for extra money. But, since Windows integration has been a free part of so many other products I have used, and since I had to buy a separate product to get "single sign on"... well I just found it hard enough to believe that this is not part of Crowd already that I thought I would ask before looking into a 3rd party solution.
The pass through authentication can be set up with IIS, but there is nothing in JIRA or Confluence to provide the functionality; the proxy does. Please see: Access Confluence using Integrated Windows Authentication via IIS with SP 2013
The purpose of Crowd is to get all the user management centralized so you can manage users and groups in one console, for all the applications connected to Crowd. Crowd single sign-on is very different from Windows pass through authentication. If you have Active Directory and IIS you may as well use that method. Not every enterprise has those resources; Crowd can provide centralized user management and SSO for Atlassian products without investing in AD.
Crowd is middleware that offers an amalgamated view of many directories and provides a singular platform to connect to other Atlassian Applications. Crowd offers cookie-based SSO: Logging into an Atlassian app stores a cookie that is interpreted as a session by other Atlassian apps. When you run 5+ applications at scale, these features become quite valuable.
I've had customers who found it valuable because they didn't have a proper LDAP either.
The problem here I feel is that you believe that SSO is a "feature" that can simply be enabled/disabled. That is wrong. Properly implementing single-sign on is much more complicated than that, especially among multiple products. And, as you noticed, there's no explicit, built-in support, for other auth methods.
(Disclaimer: I work for the vendor of one of the plugins you mentioned in your post)
As of today Crowd has 3 main features:
Integrated Windows Authentication is an extra layer and you will actually need a third party solution for this (or develop it yourself). In fact this is exactly what our IWAAC plugin does (IWAAC stands for Integrated Windows Authentication for Apps using Crowd). You can see it in action here: https://www.youtube.com/watch?v=MPmx9ATD1wg
(Another disclaimer: I work for Kantega Single Sign-on which delivers Windows Integrated SSO (Kerberos) and SAML SSO to most of the Atlassian products.)
When Atlassian customers are looking for SSO, they sometimes (perhaps like Spephen) are referred to Crowd by the Atlassian documentation.
To get SSO through Crowd this requires you to buy, set up, maintain, understand a new application which will also be a single point of failure. Not only that, with Crowd SSO you are no longer able to log into the applications using local accounts.
There are a few vendors on the Marketplace that provide SSO just by installing an add-on. This way you can have SSO in a matter of minutes. You can keep managing users and groups like you always have.
Now if you are looking for a product that gives you one place to manage all users and permissions, then that would be a reason to consider Crowd.
Why Atlassian doesn't offer SSO out of the box I cannot answer, but I think all enterprise products should offer SSO.
Kantega Single Sign-on
Starting from version 3.0, Crowd is not a single point of failure anymore: https://confluence.atlassian.com/crowd/crowd-3-0-beta-release-notes-907350032.html
"Crowd Data Center brings high availability and fault tolerance to Crowd. By setting up multiple Crowd Data Center nodes, you can ensure uninterrupted availability of your user management and authentication services."
Yes, they do offer SAML SSO for datacenter, but not "Windows Integrated Single Sign On" which was the topic.
Datacenter is not available for all products, also leaving some out in the cold.
I'd say datacenter editions are only interesting for a limited number of organizations.
Kantega Single Sign-on