AD Integration with Jira, Stash and Bamboo

Eizo Nishime February 27, 2013

I wanna use Microsoft AD for my users to authenticate in the Atlassian products.

What is the best way?

Option 1:
Jira -> AD
Stash -> AD
Bamboo -> AD

Can I centralize the access to AD?

Something like this, is it possible?

Option 2:
Jira -> AD
Stash -> Jira
Bamboo -> Jira


3 answers

1 accepted

2 votes
Answer accepted
Jens Schumacher [Atlassian]
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
February 28, 2013

You should either let each system authenticate against AD directly or alternatively use Crowd in front of AD. JIRA should only be used for delegated user-management if you don't have an external directory server.

Adam Myatt
Rising Star
February 28, 2013

I would second Jens's recommendation to use Crowd. This will provide a 1-to-1 hit against your AD infrastructure (Crowd-to-AD). I'm assuming your AD is used for numerous things besides authenticating Stash, Jira, and Bamboo so you want to minimize the performance hit against it. The only thing I can think of that may hinder you is Stash-to-Crowd. I believe it is supported, but there has been a lot of discussion about Stash not supporting single sign on with Crowd. Not sure it has been resolved completely.

1 vote
Kelly Schoenhofen
Rising Star
March 10, 2013

We went with your option 2, and it's been very successful for us.

Jira is our central access point for all of our Atlassian products; we set up a series of AD groups for user membership for each product (Jira, Fisheye, Stash, & Bamboo) and placed them all in the same OU/dn filter. Jira only picks up those groups; it uses the Jira groups for itself and the other Atlassian products use their groups for their user rights. Jira is set to synchronize with AD every 10 minutes, and each other product synchronizes with Jira every 10 minutes. It takes anywhere from 5-30 minutes for an AD change to filter down to a product beneath Jira, mainly due to domain controller replication. We only have one place (Jira) to maintain our AD settings, and we dramatically cut down on AD synchronization requests. We also have a single failure point (if Jira goes down for an extended period of time, for instance) but since Jira is so important to the organization, it is kept up to date and running 24/7. I realize Jira isn't a proper substitute for Crowd, but it has been handling authentication for ~500 users very nicely.

Elvar Bjarki Böðvarsson July 2, 2014

Old post, but in the same situation. Confluence and JIRA now have a pretty good integration with AD but the rest of the Atlassian products not so much. After more than a year since your post, how has it been working for you authenticating the other products through Jira?

Kelly Schoenhofen
Rising Star
July 2, 2014

It's funny you say that ;) in the last year we added Confluence to the mix, and Confluence also goes directly against AD. Everything else goes against Jira (which goes against AD). The apps that use Jira (Bamboo/Stash/Fishible) have been rock solid with user authentication & management. There's a slight delay - Jira syncs with AD every 10 minutes and Bamboo/Stash/Fishible syncs with Jira every 10 minutes - so I tell users to wait "up to 30 minutes for changes to take effect" and that works OK. They would like faster results, but I just say replication isn't instant.

That said, in AD, only one person can be the manager of a group and if you're not a domain admin, you're the only one who can add/remove people. So the onus of user management falls on me, and with the plethora of applications & security groups we use to manage access (we're about a ~600 person organization), I would really like to delegate/simplify the user/access management. I would like to look into using Crowd, and see what benefits we get from that. I don't have time at the moment, but in 3-4 months I think I will be tackling a Crowd trial.

Elvar Bjarki Böðvarsson July 3, 2014

This is why you often have to turn to per-user access grants in, for example, Jira. Let the project admins handle it.
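
The propagation window discussed in the answer above, worked through as an added example (not part of any post in this thread): it computes how long an AD change such as a group removal can take to reach an application that syncs with AD directly (Option 1) versus one that syncs with Jira, which syncs with AD (Option 2). The 10-minute interval is the one quoted in the thread; instantaneous sync runs, whole-minute clocks and the 10-minute replication figure are assumptions made for the illustration.

```python
from itertools import product

SYNC_PERIOD = 10  # minutes, the sync interval quoted in the thread


def next_sync(t, period, phase):
    """First run strictly after minute t of a job that runs at phase, phase+period, ..."""
    if t < phase:
        return phase
    return phase + ((t - phase) // period + 1) * period


def visible_at(change_time, replication, hops):
    """Minute at which an AD change becomes visible at the end of a sync chain.

    hops is a list of (period, phase) pairs, upstream first,
    e.g. [Jira<-AD, Stash<-Jira]. Each sync is assumed to finish instantly.
    """
    t = change_time + replication  # the DC being read must hold the change first
    for period, phase in hops:
        t = next_sync(t, period, phase)
    return t


def delay_range(replication, periods):
    """(best, worst) delay in minutes over every change minute and phase offset."""
    delays = []
    for phases in product(*[range(p) for p in periods]):
        hops = list(zip(periods, phases))
        for change in range(max(periods)):
            delays.append(visible_at(change, replication, hops) - change)
    return min(delays), max(delays)


if __name__ == "__main__":
    replication = 10  # constructed sample value, not a figure from the thread
    topologies = {
        "Option 1 (app -> AD)": [SYNC_PERIOD],
        "Option 2 (app -> Jira -> AD)": [SYNC_PERIOD, SYNC_PERIOD],
    }
    for name, periods in topologies.items():
        best, worst = delay_range(replication, periods)
        print(f"{name}: change visible after {best}-{worst} minutes")
```

The worst case is the replication delay plus one full sync period per hop, so each extra hop in the chain lengthens the time a removed user can keep access in the downstream application.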

0 votes
Ellen Feaheny [AppFusions]
Rising Star
February 28, 2013

Our Kerberos AD SSO Authenticator allows your users to log into the AD domain and be automagically logged into the Atlassian app.

If you have our Crowd AD authenticator (before Crowd - 1st leg), you can have SSO with all the other apps integrated with Crowd (2nd leg), courtesy of Crowd.

Alternatively, we do pt to pt AD SSO with JIRA and Confluence, mostly.

But if you have 2 or more apps, the Crowd path more than pays for itself.

https://www.appfusions.com/display/KBRSCJ/Home

If you want customer references, no problem - have many on this solution.

==

As Adam has said, Stash is not yet in the mix - but we'd love to add it in. We have not yet gotten this request though, since Stash is so new (and also tech limitations - but Jens will help with that... ;)
