AD Integration with Jira, Stash and Bamboo

I wanna use Microsoft AD for my users to authenticate in the Atlassian products.

What is the best way?

Option 1:
Jira -> AD
Stash -> AD
Bamboo -> AD

Can I centralize the access to AD?

Something like this, is it possible?

Option 2:
Jira -> AD
Stash -> Jira
Bamboo -> Jira

3 answers

1 accepted

You should either let each system authenticate against AD directly or alternatively use Crowd in front of AD. JIRA should only be used for delegated user-management if you don't have an external directory server.

I would second Jens recommendation to use Crowd. This will provide a 1-to-1 hit against your AD infrastructure (Crowd-to-AD). I'm assuming your AD is used for numerous things besides authenticating Stash, Jira, and Bamboo so you want to minimize the performance hit against it. The only thing I can think of that may hinder you is Stash-to-Crowd. I believe it is supported, but there has been a lot of discussion about Stash not supporting single sign on with Crowd. Not sure it has been resolved completely.

We went with your option 2, and it's been very successful for us.

Jira is our central access point for all of our Atlassian products; we setup a series of AD groups for user membership for each product (Jira, Fisheye, Stash, & Bamboo) and placed them all in the same OU/dn filter. Jira only picks up those groups; it uses the Jira groups for itself and the other Atlassian products use their groups for their user rights. Jira is set to syncronize with AD every 10 minutes, and each other product synchronizes with Jira every 10 minutes. It takes anywhere from 5-30 minutes for an AD change to filter down to a product beneath Jira, mainly due to domain controller replication. We only have one place (Jira) to maintain our AD settings, and we dramatically cut down on AD syncronization requests. We also have a single failure point (if Jira goes down for an extended period of time, for instance) but since Jira is so important to the organization, it is kept up to date and running 24/7. I realize Jira isn't a proper substitute for Crowd, but it has been handling authentication for ~500 users very nicely.

Old post, but in the same situation. Confluence and JIRA now have a pretty good integration with AD but the rest of the Atlassian products not so much. After more than a year since your post, how has it been working for you authenticating the other products through Jira?

It's funny you say that ;) in the last year we added Confluence to the mix, and Confluence also goes directly against AD. Everything else goes against Jira (which goes againt AD). The apps that use Jira (Bamboo/Stash/Fishible) have been rock solid with user authentication & management. There's a slight delay - Jira syncs with AD every 10 minutes and Bamboo/Stash/Fishible syncs with Jira every 10 minutes - so I tell users to wait "up to 30 minutes for changes to take effect" and that works OK. They would like faster results, but I just say replication isn't instant.

That said, in AD, only one person can be the manager of a group and if you're not a domain admin, you're the only one who can add/remove people. So the onus of user management falls on me, and with the plethora of applications & security groups we use to manage access (we're about a ~600 person organization), I would really like to delegate/simplify the user/access management. I would like to look into using Crowd, and see what benefits we get from that. I don't have time at the moment, but in 3-4 months I think I will be tackling a Crowd trial.

This is why you often have to turn to per user access grants in for example Jira. Let the project admins handle it.

Our Kerberos AD SSO Authenticator allows your users to log into the AD domain and be automagically logged into the Atlassian app.

If you have our Crowd AD authenticator (before Crowd - 1st leg), you can have SSO with all the other apps integrated with Crowd (2nd leg), courtesy of Crowd.

Alternatively, we do pt to pt AD SSO with JIRA and Confluence, mostly.

But if you have 2 or more apps, the Crowd path more than pays for itself.

If you want customer references, no problem - have many on this solution.


As Adam has said, Stash is not yet in the mix - but we'd love to add it in. We have not yet gotten this request though, since Stash is so new (and also tech limitations - but Jens will help with that... ;)

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Jan 08, 2019 in Jira

How to Jira for designers

I’m a designer on the Jira team. For a long time, I’ve fielded questions from other designers about how they should be using Jira Software with their design team. I’ve also heard feedback from other ...

1,096 views 4 9
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you