I just took over administration for several Atlassian applications at my new job and one I am not familiar with is Crowd. I'm not sure why it was installed but all I can tell is it is not currently configured correctly. All our applications are on very old versions so I am currently upgrading them all.
Anyway, our requirement is to connect applications to AD, have groups in AD like "jira-users", "confluence-users", etc., and in AD add users to those groups and then have them be given access to those respective applications automatically without any intervention in the applications themselves.
Is this possible? What would be the best setup? Should we keep Crowd? I do understand that SSO will be possible with Crowd and we would like to have SSO. There are also many users who are currently in Jira's internal directory and in Crowd. Is there a way to migrate/merge these users (some may be the same user)?
That's a very interesting question, which would need a very long debate!
SSO from desktop might be handled with plugins linked to Crowd, as you already own it. I would definitely recommend getting a single source of users (Crowd obviously) which can be connected to Active Directory easily. Groups can be imported as well and reused to give application access or permissions (like replacing the default jira-users or so).
As for the user directory migration, starting from Jira 7 there have been a lot of improvements. There's a well-documented KB available here: https://confluence.atlassian.com/crowd/importing-users-from-atlassian-jira-30736459.html
You might want to go step by step. The first, in my opinion, would be to bring back all your directories into Crowd after upgrade. Once done you might want to sync AD and finally bring SSO in.
That's just a quick and incomplete reply but I hope it will help you through the way!
Thanks for the response! :)
I don't mean SSO from the desktop; I just mean SSO between applications, i.e. if I sign into Jira I am also signed into Confluence, etc.
Also do you know if either directly from Jira to AD or via Crowd I have the ability to not need to intervene through Jira/Crowd to add a user? E.g. I just add the user in the jira-users group in AD and they then have access to Jira automatically without needing to create/activate them by an admin in Jira/Crowd?
Understood, SSO between applications is pretty easy whenever you use a shared directory (e.g. Jira's directory in Confluence) :)
If you connect to your AD or use Crowd (or even use Crowd to connect to your AD!), users are automatically in sync (based on a query to filter a subset of users if needed). It means that your newly added or disabled users will automatically be synced in your applications. If you share groups, you can even inherit permissions (give permissions to an AD group in a Jira project and then adding users in AD will trigger those users to be created in Jira and granted access).
It's definitely a must about identity management! If you want to take it a step further you can even use plugins to bring some AD properties in Jira (e.g. a manager name added automatically to a request made by a user etc...).
Good luck with your integration! There is plenty of documentation about this and community + internet offer a large variety of examples on many systems!