
Windows Integrated Single Sign On


I am a bit confused about what Crowd does for me.

Most of my other "locally installed products" support Windows integrated single sign-on as part of the product.

Once properly configured, I do not need to sign into my internally hosted sites like Octopus Deploy, Team City etc. I can just click a link on the login page that says something like "Sign in with your Microsoft Windows Domain account". I click that and I am signed in. (I do not have to enter my domain credentials into those sites.)

But JIRA does not seem to have that "in the box", so we got Crowd. But, from what I have read recently, Crowd only provides integration between Atlassian products? (I am confused why the Atlassian products need to sell a separate product just so they can integrate...)

So, is the ability to just sign in to my Windows machine and then use those credentials not part of Jira? 

I have read of some plugins that seem to offer this feature for extra money. But, since Windows integration has been a free part of so many other products I have used, and since I had to buy a separate product to get "single sign on"... well, I just found it hard enough to believe that this is not part of Crowd already that I thought I would ask before looking into a 3rd party solution.

4 answers

1 accepted

1 vote
Answer accepted
AnnWorley Atlassian Team May 31, 2017

The pass-through authentication can be set up with IIS, but there is nothing in JIRA or Confluence to provide the functionality; the proxy does. Please see: Access Confluence using Integrated Windows Authentication via IIS with SP 2013

The purpose of Crowd is to get all the user management centralized so you can manage users and groups in one console, for all the applications connected to Crowd. Crowd single sign-on is very different from Windows pass through authentication. If you have Active Directory and IIS you may as well use that method. Not every enterprise has those resources; Crowd can provide centralized user management and SSO for Atlassian products without investing in AD.

Does this work for JSD/JIRA software?

0 votes

(Another disclaimer: I work for Kantega Single Sign-on which delivers Windows Integrated SSO (Kerberos) and SAML SSO to most of the Atlassian products.)

When Atlassian customers are looking for SSO, they sometimes (perhaps like Stephen) are referred to Crowd by the Atlassian documentation.

To get SSO through Crowd this requires you to buy, set up, maintain, understand a new application which will also be a single point of failure. Not only that, with Crowd SSO you are no longer able to log into the applications using local accounts.

There are a few vendors on the Marketplace that provide SSO just by installing an add-on. This way you can have SSO in a matter of minutes. You can keep managing users and groups like you always have.

Now if you are looking for a product that gives you one place to manage all users and permissions, then that would be a reason to consider Crowd.

Why Atlassian doesn't offer SSO out of the box I cannot answer, but I think all enterprise products should offer SSO.


Kantega Single Sign-on


Ahh, but they do bundle it! But only for Cloud and Datacenter offerings, and only for SAML. Normal server packages are left out in the cold. 

Starting from version 3.0, Crowd is not a single point of failure anymore:

"Crowd Data Center brings high availability and fault tolerance to Crowd. By setting up multiple Crowd Data Center nodes, you can ensure uninterrupted availability of your user management and authentication services."

Yes, they do offer SAML SSO for datacenter, but not "Windows Integrated Single Sign On" which was the topic.

Datacenter is not available for all products, also leaving some out in the cold. 

I'd say datacenter editions are only interesting for a limited number of organizations.


Kantega Single Sign-on

I have never implemented Data Center for a single enterprise customer. My old consulting company only implemented it for a single customer.

In my opinion, the value added is not worth the cost.

0 votes

(Disclaimer: I work for the vendor of one of the plugins you mentioned in your post)

As of today Crowd has 3 main features:

  1. Centralized user management. As Ann pointed out, Crowd administration console is the unique place where you need to go to create/update/delete users and groups for all the applications connected to Crowd. Speaking of which, Atlassian products are not the only applications that can be integrated with Crowd. Liferay, Jenkins, Jama, JFrog and many other products including custom applications can integrate with Crowd.
  2. Virtual directory. You might have users and groups in many different back-end directories such as Active Directory, LDAP and so on. From an application's perspective, it doesn't matter as the application only sees Crowd as one unique front-end directory that aggregates all the users and groups from your different back-end directories.
  3. Web SSO. Once you have logged onto an application connected to Crowd, you won't have to enter your credentials again when browsing to other applications also connected to Crowd.

Integrated Windows Authentication is an extra layer and you will actually need a third party solution for this (or develop it yourself). In fact this is exactly what our IWAAC plugin does (IWAAC stands for Integrated Windows Authentication for Apps using Crowd). You can see it in action here:

0 votes

Crowd is middleware that offers an amalgamated view of many directories and provides a singular platform to connect to other Atlassian Applications. Crowd offers cookie-based SSO: Logging into an Atlassian app stores a cookie that is interpreted as a session by other Atlassian apps. When you run 5+ applications at scale, these features become quite valuable.

I've had customers who found it valuable because they didn't have a proper LDAP either.

The problem here I feel is that you believe that SSO is a "feature" that can simply be enabled/disabled. That is wrong. Properly implementing single sign-on is much more complicated than that, especially among multiple products. And, as you noticed, there's no explicit, built-in support for other auth methods.

