Crowd SSO doesn't work across different directories

I have JIRA and Confluence. I want SSO among both, so I configured Crowd. I created 2 directories in Crowd:

1. JIRA directory -- getting some users and groups from AD

2. Confluence directory -- getting some users and groups from AD

I configured 2 applications inside Crowd:

1. JIRA App -- uses the JIRA directory

2. Confluence App -- uses the Confluence directory

 

I configured the Crowd directory in both applications to fetch users and groups.

Authentication works fine for both.

The problem is SSO doesn't work even if the usernames are the same.

 

So I tried configuring only a single directory for both applications in Crowd.

This time SSO worked.

 

The only problem is that if I'm using the same directory for both applications in Crowd, both applications will fetch all groups and users.

I mean, inside the JIRA application, Confluence groups will also be visible and vice versa.

 

1 answer

1 accepted

Ann Worley Atlassian Team Nov 29, 2017

Thank you for the clear and detailed description.

For the users needing to be in the same Directory in Crowd to work with SSO, this is expected behavior: Troubleshooting SSO with Crowd 

Inside of Crowd, ensure that each application is configured to use the same user directory. SSO will not work if you log in to Confluence through one user directory, but JIRA through a different user directory, even if the usernames are identical.

When configuring the applications in Crowd you can limit the logon to members of certain groups: Specifying which Groups can access an Application. This does not prevent usernames and groups from appearing in the client application. However, for the most part only administrators will see the groups from the other applications so it doesn't impact most users.

 

Thanks Ann

Yes, I can limit the logons to specific users by specifying which group can access the application.

So does that mean the Application Access permission configured at the application level will not have an effect?

Another thing: can we not restrict to only JIRA-specific groups in JIRA and Confluence-specific groups in Confluence by any other means?

 

Thanks again

Ann Worley Atlassian Team Nov 30, 2017

A user needs the permission in Crowd to log into a particular application but they also need permissions in the application itself. For example, if you had a user in a group in Crowd that was designated for logging into Confluence they could get past the login screen in Confluence, but without the Can Use global permission in Confluence they would see a "not permitted" page instead of the dashboard.

When you synchronize a Crowd directory with an application, it picks up all the groups. We suggested a change to this behavior but it was closed as "won't fix": jira fetches ALL groups from Crowd instead of just those in the crowd group definition for the application
