Crowd Network Based SSO

Ernest Kim August 5, 2013

I may be wrong, but the current Crowd based SSO uses replication to move user information around from the Crowd server to the client servers (JIRA, Confluence, Stash, etc.).

What would be ideal is for every authentication check in JIRA, Confluence, Stash, etc., instead of checking the local replicated copy of Crowd, the application makes a network call to the Crowd server to see if the username/password/group is valid. This way the applications don't work with stale data until the next replication update. This would be like how other applications use LDAP/AD/NIS/etc. for authentication.

Do I have my SSO mis-configured? Is this possible? If not, can the powers that be make it so? Thanks.

-Ernie

3 answers

1 accepted

1 vote
Answer accepted
Boris Berenberg
August 5, 2013

Hi Ernie,

You are correct in terms of how Crowd works. While there is no way to do what you are currently asking for, you can adjust the sync interval per:
https://confluence.atlassian.com/display/JIRA/Synchronising+Data+from+External+Directories#SynchronisingDatafromExternalDirectories-ConfiguringtheSynchronisationInterval

You can also disable caching between Crowd and your LDAP server per the instructions at:
https://confluence.atlassian.com/display/CROWD/Configuring+Caching+for+an+LDAP+Directory

Just FYI, if you were to accomplish this, I would guess that our applications would slow to a crawl. They are designed to work with local caches to accelerate lookups, and network lookups are optimized for bulk updates.

You can try filing a feature request for this at: https://jira.atlassian.com/browse/CWD

Cheers,
Boris
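The replication model Boris describes, as a constructed simulation added here (this is illustration code, not Atlassian's): an application authenticates against a local replica that is refreshed from the authoritative directory every `sync_interval` seconds, so an account disabled upstream keeps authenticating until the next sync. The class and function names, the SHA-256 placeholder hash and the sample user are all assumptions of the example.

```python
import hashlib
from dataclasses import dataclass, field


def _pwhash(password: str) -> str:
    # Placeholder hash for the simulation only; not a credential-storage scheme.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class SourceDirectory:
    """Authoritative directory (the Crowd/LDAP side in the thread)."""
    users: dict = field(default_factory=dict)  # name -> (pwhash, active)

    def add_user(self, name: str, password: str) -> None:
        self.users[name] = (_pwhash(password), True)

    def disable_user(self, name: str) -> None:
        pwhash, _ = self.users[name]
        self.users[name] = (pwhash, False)


@dataclass
class ReplicatingClient:
    """Application holding a replica that is pulled every sync_interval seconds."""
    source: SourceDirectory
    sync_interval: float
    replica: dict = field(default_factory=dict)
    last_sync: float = 0.0

    def _maybe_sync(self, now: float) -> None:
        # Refresh only when an interval boundary has passed (or on first use);
        # between syncs every check is served from the possibly stale copy.
        if not self.replica or now - self.last_sync >= self.sync_interval:
            self.replica = dict(self.source.users)
            self.last_sync = now - (now % self.sync_interval)

    def authenticate(self, name: str, password: str, now: float) -> bool:
        self._maybe_sync(now)
        entry = self.replica.get(name)
        return entry is not None and entry[1] and entry[0] == _pwhash(password)


def stale_auth_window(disabled_at: float, sync_interval: float) -> float:
    """Seconds a disabled account still authenticates via the replica."""
    next_sync = -(-disabled_at // sync_interval) * sync_interval  # ceil
    return next_sync - disabled_at
```

Shortening the interval (as suggested above) shrinks `stale_auth_window` but never removes it; only a per-request lookup against the source does.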

0 votes
Ernest Kim August 12, 2013

Thanks. I guess this is a little disappointing. I don't know how often authentication events take place, but I would imagine it's whenever the user has entered a login/password. I wouldn't have thought that this would take up a lot of bandwidth or impact performance greatly. LDAP and other directory systems are all network based.

I knew I could change the sync time down. I'll bring it down to 1 minute, but still having a 1 minute lag seems kind of silly in this day of instant updates.

Thanks.

-Ernie

0 votes
BernardoA
August 5, 2013

According to my understanding your question is not related to SSO, but as Boris pointed out before, what you can try is to set the 'Synchronisation Interval' directly on the directory configuration screen.

You can create a feature request for this, but honestly I'm not sure if it'll be implemented.

Bernardo
