Crowd SSO doesn't work across different directories

I have JIRA and Confluence. I want SSO among both. So I configured Crowd. I created 2 directories in Crowd:

1. JIRA directory

-- Getting some users and groups from AD

2. Confluence directory

-- Getting some users and groups from AD

I configured 2 applications inside Crowd:

1. JIRA App -- Uses JIRA directory

2. Confluence App -- Uses Confluence directory

I configured the Crowd directory in both applications to fetch users and groups.

Authentication works fine for both.

The problem is SSO doesn't work even if the user names are the same.

So I tried configuring only a single directory for both applications in Crowd.

This time SSO worked.

The only problem is that if I'm using the same directory for both applications in Crowd, both applications will fetch all groups and users.

I mean inside the JIRA application, Confluence groups will also be visible, and vice versa.

1 answer

1 accepted

0 vote
Ann Worley Atlassian Team Nov 29, 2017

Thank you for the clear and detailed description.

For the users needing to be in the same Directory in Crowd to work with SSO, this is expected behavior: Troubleshooting SSO with Crowd 

Inside of Crowd, ensure that each application is configured to use the same user directory. SSO will not work if you log in to Confluence through one user directory, but JIRA through a different user directory, even if the usernames are identical.

When configuring the applications in Crowd you can limit the logon to members of certain groups: Specifying which Groups can access an Application. This does not prevent usernames and groups from appearing in the client application. However, for the most part only administrators will see the groups from the other applications so it doesn't impact most users.

Thanks Ann

Yes, I can limit the logons to the specific users by specifying which group can access the application.

So does that mean the Application Access permission configured at the application level will not have an effect?

Another thing is, can we not restrict to only JIRA-specific groups in JIRA and Confluence-specific groups in Confluence by any other means?

Thanks again

Ann Worley Atlassian Team Nov 30, 2017

A user needs the permission in Crowd to log into a particular application but they also need permissions in the application itself. For example, if you had a user in a group in Crowd that was designated for logging into Confluence they could get past the login screen in Confluence, but without the Can Use global permission in Confluence they would see a "not permitted" page instead of the dashboard.

When you synchronize a Crowd directory with an application, it picks up all the groups. We suggested a change to this behavior but it was closed as "won't fix": jira fetches ALL groups from Crowd instead of just those in the crowd group definition for the application
