SSO Solution

Thomas August 11, 2020

Hey, community! I require your help.

I need to realize the work of SSO for JSD. I want to make it possible for my users to log in to the portal without entering their username and password. The accounts of the users are stored in AD. As far as I know, SSO for JSD is not supported, only through third-party apps (SSO integration with JIRA Service Desk – JSDSERVER-630).

Can you tell me if there is a solution for this case? But without purchasing a third-party application.

Users must access the JSD portal without entering their username and password, and without purchasing a third-party app.

Maybe there are some free apps that you can suggest to me to solve this case.

2 answers

0 votes
Answer accepted
Trevan Householder_Isos-Tech-Consulting_
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 11, 2020

@Thomas You'll need an app for this.  There is currently no way to do SSO for Jira / JSD Server without an app.

Clients ask that question a lot and I always recommend this app because it just works and it's easy to configure.

Good luck!

Thomas August 11, 2020

@Trevan Householder_Isos-Tech-Consulting_ I didn't learn the topic very well, but what do you say about it:

Writing a custom authenticator

Jira and Confluence integrate with SSO system Seraph, the Atlassian authentication library. Seraph is a very simple, pluggable J2EE web application security framework developed by Atlassian and used in our products.

Seraph allows you to write custom authenticators that will accept the login credentials of your existing single sign-on system.

A few tips for writing your own custom authenticator for Confluence:

  • For Confluence 2.2 and above you must extend com.atlassian.confluence.user.ConfluenceAuthenticator instead of the Seraph DefaultAuthenticator.
  • The authenticator should not be a plugin. It should be placed in the class path by putting it in WEB-INF/classes or as a jar in WEB-INF/lib
  • The authenticator should have a public constructor that takes no arguments.
  • Dependency injection via setters or auto-wiring by name is not available to authenticators. Use ContainerManager.getInstance(...) instead.
  • The authenticators are constructed before beans are available via ContainerManager.getInstance(...), so the getInstance method needs to be called at runtime and not in the constructor.

These same restrictions apply for JIRA as well, except that:

  • The base class to use is com.atlassian.jira.security.login.JiraSeraphAuthenticator
  • Components are obtained with ComponentAccessor.getComponent(...).

Check out these examples:

There has been a discussion of integrating with Siteminder on the mailing list that may be applied to Jira integration. All third-party code must be treated with caution - always back up your Confluence instance before use. If you create a custom SSO plugin and would like to contribute it to the user community, please let us know on a support ticket. You can also browse the Seraph Discussion Forums.

Is it worth digging into this subject or will it be useless?
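
Added example, not part of the thread or of Atlassian's documentation: a minimal sketch of the kind of Jira authenticator the quoted tips describe, assuming the servlet container (or a web server in front of it) has already authenticated the user against AD, for example with Kerberos/SPNEGO, and exposes the result through `getRemoteUser()`. The package and class name are hypothetical, and the class has to be compiled against the Seraph and Jira jars of the target instance.

```java
package com.example.sso; // hypothetical package name

import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.atlassian.jira.security.login.JiraSeraphAuthenticator;

/** Logs in the user the container has already authenticated. */
public class ContainerSsoAuthenticator extends JiraSeraphAuthenticator {

    // Seraph needs a public no-argument constructor. Jira components are
    // not available yet at this point, so nothing is looked up here.
    public ContainerSsoAuthenticator() {
        super();
    }

    @Override
    public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
        // Reuse a user that Seraph has already stored in the session.
        HttpSession session = request.getSession(false);
        if (session != null) {
            Object cached = session.getAttribute(LOGGED_IN_KEY);
            if (cached instanceof Principal) {
                return (Principal) cached;
            }
        }
        // Assumption: this value is set by the container only after it has
        // verified the user. A client-supplied HTTP header must never be
        // trusted in its place.
        String remoteUser = request.getRemoteUser();
        if (remoteUser == null || remoteUser.trim().isEmpty()) {
            return super.getUser(request, response); // normal Jira login
        }
        // Resolve the name against Jira's own user directory.
        Principal user = getUser(remoteUser.trim());
        if (user == null) {
            return super.getUser(request, response); // unknown account: no auto-login
        }
        session = request.getSession(true);
        session.setAttribute(LOGGED_IN_KEY, user);
        session.setAttribute(LOGGED_OUT_KEY, null);
        return user;
    }
}
```

The class goes into WEB-INF/classes or WEB-INF/lib as the tips say, and Seraph loads it from the `authenticator` element of `seraph-config.xml`. If the front end can be bypassed, or passes the identity in a header that clients can set themselves, any visitor can log in as any user, so direct access to the application port must be blocked.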

Nic Brough -Adaptavist-
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
August 11, 2020

That is essentially "how to write your own 3rd party application".  If you're willing to do that just to avoid using someone else's app, then yes, it's a good place to start.

It would be worth weighing up the reasons for not wanting a 3rd party app - if it's purely cost for example, then you are probably going to find it more expensive to employ a team to write and support this than it is to buy a 3rd party app.

Thomas August 12, 2020

Thanks for your clarification. I was hoping that such a solution as SSO will be available to JSD for free or will be integrated into the product.

Nic Brough -Adaptavist-
Community Leader
August 12, 2020

There are too many ways to do SSO at the moment, it's not (economically) possible to code for everything as part of the core product.

Atlassian have done what everyone else has done - built in as much as they can that is standard, and then relied on the vendors of SSO products to do the rest.  (Although, yes, I would totally agree if you were to say that they've done the absolute minimum to enable it)

The machine I use for work currently has almost 30 ways to identify me to various organisations, and most of them provide SSO as an adjunct.

SSO is not a single thing you can just do.  Every way to do it depends on your service providers.

The market is still in a huge state of flux.  Some providers are (or were) emerging as the leaders in the field, but then Google announces that they're killing off most of the methods they use in the world's most popular browser, and so there's more turmoil.

There's no way to "integrate SSO into the product" until the world has settled on a single standard way to do it.  I'm middle-aged, but close to "old".  But I don't expect this to be done in my lifetime unless the AIs take over.

Thomas October 21, 2020

Time will tell.

0 votes
Andrew Laden
Rising Star
August 11, 2020

You may want to look at Atlassian Crowd. It is from Atlassian, so it's not a third-party product. Though it is a separate product and license.

It is their "enterprise" solution for single sign on across multiple Atlassian Applications. It has more integration possibilities. 

Thomas August 12, 2020

Thank you! It's a sad thing that Crowd is chargeable. It looked to me that such a simple solution as SSO will be available for JSD.

Trevan Householder_Isos-Tech-Consulting_
Rising Star
August 12, 2020

Crowd works great, but you'll need to know that JSD customers added to Crowd consume a Crowd license (not a JSD license, but a Crowd license). 

https://community.atlassian.com/t5/Crowd-questions/JSD-customers-are-counted-for-crowd-licensing-during-SSO/qaq-p/805133

https://jira.atlassian.com/browse/CWD-4116?_ga=2.234719194.590685323.1597185092-1551811082.1597088881

For this reason, some companies use Okta so they don't have to pay for Crowd licenses for Customers.

Thomas October 6, 2020

@Trevan Householder_Isos-Tech-Consulting_ could you give me a quick link to Okta? Is it an app or something else?

Trevan Householder_Isos-Tech-Consulting_
Rising Star
October 6, 2020

@Thomas Okta isn't an Atlassian product but it's a popular tool for SSO:

https://www.okta.com/products/single-sign-on/

Even with Okta you will still need a plugin like I mentioned above to connect Okta to Jira (and another plugin to connect Confluence).

Thomas October 21, 2020

@Trevan Householder_Isos-Tech-Consulting_, thank you very much for the consultation.
