Provide AD Group Users Access to Applications

MangoHabanero January 8, 2018

Hello, 

 

I just took over administration for several Atlassian applications at my new job and one I am not familiar with is Crowd. I'm not sure why it was installed but all I can tell is it is not currently configured correctly. All our applications are on very old versions so I am currently upgrading them all. 

 

Anyway, our requirement is to connect applications to AD, have groups in AD like "jira-users", "confluence-users", etc., and in AD add users to those groups and then have them be given access to those respective applications automatically without any intervention in the applications themselves.

 

Is this possible? What would be the best setup? Should we keep Crowd? I do understand that SSO will be possible with Crowd and we would like to have SSO. There are also many users who are currently in Jira's internal directory and in Crowd. Is there a way to migrate/merge these users (some may be the same user)?

 

Thanks

1 answer

0 votes
miikhy
Rising Star
January 8, 2018

Hi,

That's a very interesting question, which would need a very long debate!

SSO from desktop might be handled with plugins linked to Crowd, as you already own it. I would definitely recommend getting a single source of users (Crowd obviously), which can be connected to Active Directory easily. Groups can be imported as well and reused to give application access or permissions (like replacing the default jira-users or so).

As per the user directory migration, starting from Jira 7 there have been a lot of improvements. There's a well-documented KB available here: https://confluence.atlassian.com/crowd/importing-users-from-atlassian-jira-30736459.html

You might want to go step by step. The first, in my opinion, would be to bring back all your directories into Crowd after upgrade. Once done you might want to sync AD and finally bring SSO in.

That's just a quick and incomplete reply but I hope it will help you through the way!

Cheers

MangoHabanero January 8, 2018

Thanks for the response! :) 

 

I don't mean SSO from the desktop, I just mean SSO between applications, i.e. if I sign into Jira I am also signed into Confluence, etc.

 

Also do you know if either directly from Jira to AD or via Crowd I have the ability to not need to intervene through Jira/Crowd to add a user? E.g. I just add the user in the jira-users group in AD and they then have access to Jira automatically without needing to create/activate them by an admin in Jira/Crowd?

miikhy
January 8, 2018

Understood, SSO between applications is pretty easy whenever you use a shared directory (e.g. Jira's directory in Confluence) :)

If you connect to your AD or use Crowd (or even use Crowd to connect to your AD!), users are automatically in sync (based on a query to filter a subset of users if needed). It means that your newly added or disabled users will automatically be synced in your applications. If you share groups, you can even inherit permissions (give permissions to an AD group in a Jira project and then adding users in AD will trigger those users to be created in Jira and granted access).

It's definitely a must about identity management! If you want to take it a step further you can even use plugins to bring some AD properties in Jira (e.g. a manager name added automatically to a request made by a user etc...).

Good luck with your integration! There is plenty of documentation about this and community + internet offer a large variety of examples on many systems!

Cheers
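
The "query to filter a subset of users" mentioned in the reply above, as an added example that is not part of the original thread: a Python helper that builds an Active Directory LDAP user filter limiting a directory sync to enabled members of named groups, nested groups included. The group DN and the helper names are constructed for illustration; the two matching-rule OIDs are the standard AD ones.

```python
# Added example, not from the thread. DNs and function names are assumptions.

# Active Directory matching-rule OIDs
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (nested groups)
BIT_AND = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 2                     # userAccountControl flag for disabled accounts


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    A group DN containing '(' , ')' , '*' or a backslash would otherwise
    change the meaning of the filter it is pasted into.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def membership_clause(group_dn, nested=True):
    """One memberOf test; with nested=True AD also walks nested groups."""
    attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
    return "(%s=%s)" % (attr, escape_filter_value(group_dn))


def user_filter(group_dns, nested=True, skip_disabled=True):
    """Filter matching person accounts that belong to any of group_dns."""
    if not group_dns:
        # An empty group list would sync every user in the search base.
        raise ValueError("refusing to build a filter with no group restriction")
    members = "".join(membership_clause(dn, nested) for dn in group_dns)
    if len(group_dns) > 1:
        members = "(|%s)" % members
    parts = ["(objectCategory=person)", "(objectClass=user)", members]
    if skip_disabled:
        parts.append("(!(userAccountControl:%s:=%d))" % (BIT_AND, ACCOUNTDISABLE))
    return "(&%s)" % "".join(parts)


if __name__ == "__main__":
    # Constructed sample DN for a "jira-users" group.
    print(user_filter(["CN=jira-users,OU=Groups,DC=example,DC=com"]))
```

The resulting string goes into the user filter setting of the LDAP directory connector, so accounts outside the listed groups are never synced. `memberOf` does not reflect a user's primary group, so use dedicated groups rather than something like Domain Users.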
