Best configuration for using Crowd for internal and external applications

Does anybody have any advice on what is the best way to configure Crowd so that it can be used by internal applications as well as custom external applications?

Here is our current configuration

  • Confluence and JIRA are currently installed on the same (Windows) server and running behind an Apache HTTP Server using mod_proxy and SSL. i.e.
  • Crowd is installed on a second server, and configured to work with an SSL certificate using a custom port. However, Crowd is not currently running behind an Apache HTTP Server. i.e.
  • The user directories in Confluence and JIRA are configured to use Crowd via the external URL
  • The external firewall currently only allow traffic to access the Crowd server/url from the server running Confluence and JIRA.

Firstly, is this configuration correct or are there any recommendations to improve it.

Secondly, we would now like to use Crowd as a centralised user management server for externally hosted applications and potentially Google Apps.

Aside from the custom development required to allow the externally hosted applications to "talk" to Crowd via the Crowd REST API, what is the best approach to exposing Crowd externally?

It seems that it simply a case of creating additional applications in Crowd for each externally host application and permitting access to the Crowd server/url from those locations.

Should I also consider removing the 'crowd' Context from the Application URL?

Are there any other configurations that should be considered to improve security or apply best practise?

Sorry for all the questions, and thanks in advance for all help and comments

Ian

1 answer

Firstly, is this configuration correct or are there any recommendations to improve it.

That sounds fine to me.

Secondly, we would now like to use Crowd as a centralised user management server for externally hosted applications and potentially Google Apps.

Aside from the custom development required to allow the externally hosted applications to "talk" to Crowd via the Crowd REST API, what is the best approach to exposing Crowd externally?

It seems that it simply a case of creating additional applications in Crowd for each externally host application and permitting access to the Crowd server/url from those locations.

We do our best to make Crowd safe to be exposed to the greater internet, but yes, since you already have a firewall set up to restrict access to it, you might as well continue to use to open up exceptions on a case by case basis.

As you mentioned, you will want to set up individual applications in Crowd for each externally hosted application so that applications don't have to their login credentials. It's probably also worth pointing out that Crowd's security model is "applications with valid credentials are trusted to not be malicious".

In other words, Crowd enforces the configured separation between applications (e.g. an application mapped to use one directory won't be able to use another directory mapped to a different application if that second directory isn't also mapped to the first application, as you'd expect), but poorly written or malicious applications can have a performance impact on each other. E.g. an application mapped to an LDAP directory can have a performance impact on another application mapped to a different LDAP directory by making excessive "authenticate this user" requests to Crowd (or a reasonable amount of requests when the LDAP directory is taking a long time to respond) because applications share a limited pool of LDAP connection threads and each user authentication requires an LDAP connection (the LDAP connections pool size is configurable in the Crowd admin settings, but hopefully this example serves to illustrate how an application could interfere with another).

Should I also consider removing the 'crowd' Context from the Application URL?

That's up to you. Since your users may interact with Crowd, it might make things easier for them if you can tell them "go to crowd.example.com" (if you were to also modify the port to 80) rather than "go to crowd.example.com:8443/crowd", but it shouldn't affect the functionality. (If you do change this, remember to also change the config in each app using Crowd!).

Are there any other configurations that should be considered to improve security or apply best practise?

Not off the top of my head, but I'm a developer on Crowd, and not a deployment expert :) You might want to engage a Crowd expert to review your particular setup; experts also regularly answer questions here, so you might get some more specific advice from them if you're lucky!

Suggest an answer

Log in or Sign up to answer
How to earn badges on the Atlassian Community

How to earn badges on the Atlassian Community

Badges are a great way to show off community activity, whether you’re a newbie or a Champion.

Learn more
Community showcase
Published Sunday in Agility

You asked for it, so we delivered: images on issues have arrived

A picture tells a thousand words. And agility boards have just released their latest feature: cover images on issues – so now your board can tell a story at first glance. Upload attachmen...

794 views 3 11
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you