Windows Integrated Single Sign On Edited

I am a bit confused about what Crowd does for me.

Most of my other "locally installed products" support windows integrated single sign on as part of the product. 

Once properly configured, I do not need to sign into my internally hosted sites like Octopus Deploy, Team City etc.  I can just click a link on the login page that say something like "Sign in with your Microsoft Windows Domain account".  I click that and I am signed in.  (I do not have to enter my domain credentials into those sites.)

But JIRA does not seem to have that 'In the Box" so we got Crowd.  But, from what I have read recently, Crowd only provides integration between Atlassian products?  (I am confused why the Atlassian products need to sell a separate product just so they can integrate...)

So, is the ability to just sign in to my Windows machine and then use those credentials not part of Jira? 

I have read of some plugins that seem to offer this feature for extra money.  But, since windows integration has been a free part of so many other products I have used, and since I had to buy a separate product to get "single sign on"... well I just found it hard enough to believe that this is not part of Crowd already that I thought I would ask before looking into a 3rd party solution.

4 answers

This widget could not be displayed.
Ann Worley Atlassian Team May 31, 2017

The pass through authentication can be set up with IIS, but there is nothing in JIRA or Confluence to provide the functionality, the proxy does. Please see: Access Confluence using Integrated Windows Authentication via IIS with SP 2013

The purpose of Crowd is to get all the user management centralized so you can manage users and groups in one console, for all the applications connected to Crowd. Crowd single sign-on is very different from Windows pass through authentication. If you have Active Directory and IIS you may as well use that method. Not every enterprise has those resources; Crowd can provide centralized user management and SSO for Atlassian products without investing in AD.

Does this work for JSD/JIRA software?

This widget could not be displayed.
Steven Behnke Community Champion May 31, 2017

Crowd is middleware that offers an amalgamated view of many directories and provides a singular platform to connect to other Atlassian Applications. Crowd offers cookie-based SSO: Logging into an Atlassian app stores a cookie that is interpreted as a session by other Atlassian apps. When you run 5+ applications at scale, these features become quite valuable.

I've had customers who found it valuable because they didn't have a proper LDAP either.

The problem here I feel is that you believe that SSO is a "feature" that can simply be enabled/disabled. That is wrong. Properly implementing single-sign on is much more complicated than that, especailly among multiple products. And, as you noticed, there's no explicit, built-in support, for other auth methods.

 

This widget could not be displayed.
Bruno Vincent Community Champion May 31, 2017

(Disclaimer: I work for the vendor of one of the plugins you mentioned in your post)

As of today Crowd has 3 main features:

  1. Centralized user management. As Ann pointed out, Crowd administration console is the unique place where you need to go to create/update/delete users and groups for all the applications connected to Crowd. Speaking of which, Atlassian products are not the only applications that can be integrated with Crowd. Liferay, Jenkins, Jama, JFrog and many other products including custom applications can integrate with Crowd.
  2. Virtual directory. You might have users and groups in many different back-end directories such as Active Directory, LDAP and so on. From an application's perspective, it doesn't matter as the application only sees Crowd as one unique front-end directory that aggregates all the users and groups from your different back-end directories.
  3. Web SSO. Once you have logged onto an application connected to Crowd, you won't have to enter your credentials again when browsing to other applications also connected to Crowd.

Integrated Windows Authentication is an extra layer and you will actually need a third party solution for this (or develop it yourself). In fact this is exactly what our IWAAC plugin does (IWAAC stands for Integrated Windows Authentication for Apps using Crowd). You can see it in action here: https://www.youtube.com/watch?v=MPmx9ATD1wg

This widget could not be displayed.

(Another disclaimer: I work for Kantega Single Sign-on which delivers Windows Integrated SSO (Kerberos) and SAML SSO to most of the Atlassian products.)

When Atlassian customers are looking for SSO, they sometimes (perhaps like Spephen) are referred to Crowd by the Atlassian documentation.

To get SSO through Crowd this requires you to buy, setup, maintain, understand a new application which will also be a sigle point of failure. Not only that, with Crowd SSO you are no longer able to log into the applications using local accounts,

There are a few vendors on the Marketplace that provide SSO just by installing an add-on. This way you can have SSO in a matter of minutes. You can keep managing users and groups like you always have.

Now if you are looking for a product that give you one place to manage all users and permissions, then that would be a reason to concider Crowd.

Why Atlassian doesn`t offer SSO out of the box I cannot answer, but I think all enterprise products should offer SSO.

Lars,

Kantega Single Sign-on

 

Steven Behnke Community Champion Jun 01, 2017

Ahh, but they do bundle it! But only for Cloud and Datacenter offerings, and only for SAML. Normal server packages are left out in the cold. 

Bruno Vincent Community Champion Jun 01, 2017

Starting from version 3.0, Crowd is not a single point of failure anymore: https://confluence.atlassian.com/crowd/crowd-3-0-beta-release-notes-907350032.html

"Crowd Data Center brings high availability and fault tolerance to Crowd. By setting up multiple Crowd Data Center nodes, you can ensure uninterrupted availability of your user management and authentication services."

Yes, they do offer SAML SSO for datacenter , but not "Windows Integrated Single Sign On" which was the topic.

Datacenter is not available for all products, also leaving some out in the cold. 

I`d say datacenter editions is only interesting for a limited number of organizarions.

Lars,

Kantega Single Sign-on

Steven Behnke Community Champion Jun 01, 2017

I have never implemented Data Center for a single enterprise customer. My old consulting company only implemented it for a single customer.

In my opinion, the value added is not worth the cost.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Feb 27, 2018 in Crowd

The Crowd team is looking for feedback on Server & Data Center customers' identity strategies!

Do you own more than one Server or Data Center product? Do you have challenges provisioning users across your Atlassian products? Are you spending a lot of time integrating each Atlassian product wit...

1,462 views 6 14
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you