managing Confluence and Jira user authentication with active directory groups

Michele January 21, 2014

I have an installation with 100 Jira user licenses and 2000 Confluence user licenses. Right now, we are using the same AD group for authentication for both applications because we have not started widespread use of Confluence yet. (we are currently using 71 of the 100 Jira licenses)

I need to separate these groups out without losing the ability for some users to go back and forth between Jira and Confluence as the same user without re-authenticating. Is it as simple as creating a different AD group for the Confluence users? Will I have any issues with duplicate users if some members belong to both groups?

Thanks,

Michele

3 answers

1 vote
Fringe Technology January 22, 2014

Hi Michele,

I'm sure you will get a few different answers to this one...so here is one option. We had to do this about 2 years ago for the same reason. There were a couple things we did to get it to work with seamless 'back and forth' as you mention. The other reason we did it this way, was because of the requirements of the Security team for that organization - they wanted all permissions to be managed in the AD groups.

Also recommended, is that you spin up test instances and then configure and test whatever method you choose before rolling it out to your production instances. Be sure to test logging in as a member of each of the different groups below, and also as a JIRA 'internal' and Confluence 'internal' user' in your certifcation test.

1) Created the group structure in AD as below, then in the User Directory configuration, we enabled the Nested Groups option.

jira-users (members: sally, joe, tom, john)

jira-admins (members: susan, sam)

jira-sysadmins (michael)

wiki-users (members: sally, joe, tom, john, etc.)

wiki-admins (members: susan, sam)

wiki-sysadmins (michael)

2) map these groups to JIRA and Confluence (in Global Permissions)

3) added the context path of JIRA and WIKI to each instance. After doing this we had no issues going back and forth. For example:

http://yourhostname:8090/wiki/

http://yourhostname:8080/jira/

Here are the links to the context path documents.

https://confluence.atlassian.com/display/JIRAKB/How+to+change+the+JIRA+context+path

Another tip: we named the groups starting with WIKI in AD, becuase in the filter, we were picking up CONFerence rooms that were listed in AD. And the security team didn't want the filter and groups to be that long, so we changed it to something shorter and not starting with CONF.

Hope some of this helps.

0 votes
Michele January 23, 2014

Thanks, Shari! This is a huge help.

-Michele

0 votes
Fringe Technology January 22, 2014

Sorry forgot this other link:

https://confluence.atlassian.com/display/DOC/Configuring+the+Server+Base+URL

and, another step to make sure you update the BASE URL for each instance to include the new context path.

Suggest an answer

Log in or Sign up to answer