Confluence Shibboleth Authenticator

Timo Dreier December 14, 2011

Dear experts,

We will implement an SSO between Active Directory and Confluence.

I found a set of plugins and tools:
- SSO Authenticators AppFusions (via kerberos)
- Waffle NTLM Filter
- Shibboleth

First I tried the Waffle NTLM filter, which only runs in a Windows environment.
The filter sets the remote_user in the HTTP header, and I wrote my own authenticator. The authenticator is running and I can now log in via SSO. But I found a set of problems, e.g. pressing the Logout link always does a login again ... etc.

Therefore I tried Shibboleth. I did all the steps which are described here: https://studio.plugins.atlassian.com/wiki/display/SHBL/How+to+Shibbolize+Confluence

But whenever I log in, I get a Page Not Found message!

My first question is:

In seraph-config.xml I defined the following parameters:
<init-param>
<param-name>login.url</param-name>
<param-value>http://wikiq.endress.com/Shibboleth.sso/Login?target=${originalurl}</param-value>
</init-param>

But I don't know how Confluence can handle Shibboleth.sso; from my point of view I have to define this URL somewhere!

Is it like a servlet?

Can anybody tell me how I can define a wiki.bla.bla/XYZ placeholder? For my Waffle implementation scenario it would be useful too, so that I can implement different rules!

Best regards,

Timo

5 answers

1 vote
Ed Letifov _TechTime - New Zealand_
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
December 15, 2011

If you need to integrate Confluence with Active Directory so it does SSO on any platform - we have it.

http://techtime.co.nz/x/AwCxAg

The NTLM Authenticator is delivered as a jar file with instructions on how to deploy it to Atlassian Jira and/or Confluence to work in conjunction with the IOPlex Jespa library to perform NTLM authentication in a Windows environment.

The cost is one-off NZ$150 (plus fees for Jespa license payable to IOPlex).

TechTime NTLMv2/NTLMv1 authenticator supports Confluence 4.x as well as Jira 4.x. The authenticator works in Crowd environment as well as without Crowd.

We are always open to requests if some killer feature is missing.

0 votes
Gary Weaver
Rising Star
February 14, 2013
0 votes
Ellen Feaheny [AppFusions]
Rising Star
December 16, 2011

Well, a few comments - and lots of opinions.

One more for the pot!

If you believe Wikipedia (http://en.wikipedia.org/wiki/NTLM) that Microsoft doesn't even recommend NTLM anymore, and a lot of cries from the field on NTLM pains.

... well that's all. It's your call.

This doc sorts out the different options at a more literal level, and it is OUR opinion that Kerberos is the right choice:

https://www.appfusions.com/display/KBRSCJ/NTLM+v1+or+v2+or+Kerberos

AppFusions has been deploying Kerberos authenticators with Confluence, JIRA, Crowd, and Fisheye with much success for a few months now. And happy to provide you with referrals to our customers.

We tried giving our Authenticator away in the beginning (and just provide support), but NO ONE could figure out the configs by themselves without endless free-only support questions to us, which was worse. We have a day job that pays us, and honestly this should too if we get you on your way happily, swiftly.

The questions were not b/c it was bad or didn't work; it was b/c a) it's complicated, and b) there are many variables in the network with IIS, browser and OS deltas, forms, multiple AD directories, mobile users, etc...

So, now we offer a very reasonable "authenticator + service included deployment" and have had 100% success since.

Happy to help you - info@appfusions.com

Best,

Ellen

p.s.

imho: This is not an advertisement per se -

This area is just a serious pain pt, and customers can kill weeks trying to figure it out, or learn alongside us doing it for you; we share our knowledge with all customers in all our services, just as our team does on Answers.atlassian.com.

0 votes
Gary Weaver
Rising Star
December 14, 2011

Timo,

In response to your "Press on Logout link always do a login again ... etc." issue, you can modify Confluence to use a different URL to logout that is not "guarded" by the authenticator. Ask that question separately as "how do I modify the logout URL in Confluence?" and search for related documentation. That has nothing to do with the Confluence Shibboleth Authenticator.

Shibboleth is an SSO solution that involves centralized IdP server(s) on different server(s) and a SP that runs on the server that is hosting the service to guard. If you aren't using Shibboleth for SSO, then all of the documentation in the Confluence Shibboleth Authenticator wiki will not make sense, and won't apply to you. If you were using Shibboleth, then you need to ask questions about its setup on the Shibboleth mailing list and look at its wiki, but it sounds like that wouldn't help.

To answer your last question, even though this won't help in getting you where you want to go, Shibboleth SP handles incoming requests first and assuming you authenticate via the Shibboleth IdP can pass off to Apache or Tomcat or whatever it is guarding. In our scenario, we have Shibboleth, then Apache, then Tomcat serving Confluence. But, Shibboleth could just as easily guard Tomcat directly if configured to do so. Again, if that were the concern, you'd ask on the Shibboleth mailing list and review their documentation.

But, your main question I think is "How do I set up an SSO such that Confluence can use Active Directory for authentication?" You should probably ask that question separately on answers.atlassian.com, but I think the answer would be the Confluence NTLM Authenticator, however you may need to vote here and add a comment to request to use WAFFLE to support NTLMv2/Kerberos (if that feature is not complete yet), or perhaps you could hire an Atlassian Partner or another senior Java developer to assist you in either adding this feature to this plugin, or forking the plugin and adding support for WAFFLE yourselves: https://studio.plugins.atlassian.com/browse/NTLM-48

However, if you were to need an authenticator that authenticates based on HTTP headers that pass in the username, email address, and display name, and that can use regexp matching and substitution on incoming HTTP headers to add users to groups, then the Confluence Shibboleth Authenticator can be used for that. Saying it is only for Shibboleth is actually wrong, at least up to this point in its development. Even Chad LaJoie that wrote the original version called it the remoteUserAuthenticator; Elliot Kendall added support for non-REMOTE_USER header for username, so now it should be called "HTTP Header Authenticator", I guess. :) I'm glad that you considered it in this case, however most of the documentation is related to Shibboleth, and if you frame your questions in the context of "How do I get the Confluence Shibboleth Authenticator to work with Active Directory and not Shibboleth?" then most people will just ignore your question. Hope this helps.

Gary
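
The header-based approach described in the answer above (username, email and display name taken from HTTP headers, groups derived by regexp matching and substitution), as an added Python sketch that is not the Confluence Shibboleth Authenticator's own code. The header names, the trusted front-end address, the `;` separator for multi-valued attributes and the group rules are all assumptions constructed for illustration; the point it adds is that such headers are only an identity assertion when they come from the front end (Shibboleth SP, Apache) and not directly from a client.

```python
import ipaddress
import re

# Assumption: only the front end (Shibboleth SP / Apache) at this address may assert identity.
TRUSTED_FRONT_ENDS = [ipaddress.ip_network("127.0.0.1/32")]
USERNAME_RE = re.compile(r"[a-z0-9._-]{1,64}")

# Constructed rules: (header, pattern, group template); \1 substitutes the captured text.
GROUP_RULES = [
    ("affiliation", re.compile(r"staff@example\.org"), "confluence-users"),
    ("entitlement", re.compile(r"urn:example:wiki:([a-z0-9-]+)"), r"wiki-\1"),
]

def authenticate(peer_ip, headers):
    """Return the asserted identity as a dict, or None if it must not be trusted."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_FRONT_ENDS):
        return None  # identity headers from any other peer are client-controlled
    h = {name.lower(): value for name, value in headers.items()}
    username = h.get("remote_user", "").strip().lower()
    if not USERNAME_RE.fullmatch(username):
        return None  # missing or malformed username: fail closed
    groups = set()
    for header, pattern, template in GROUP_RULES:
        # Assumption: multi-valued attributes arrive joined with ';'
        for value in h.get(header, "").split(";"):
            match = pattern.fullmatch(value.strip())
            if match:
                groups.add(match.expand(template))
    return {"username": username, "email": h.get("mail", ""),
            "display_name": h.get("displayname", ""), "groups": sorted(groups)}

# Constructed request headers, as the front end would forward them.
SAMPLE_HEADERS = {
    "REMOTE_USER": "jdoe",
    "mail": "jdoe@example.org",
    "displayName": "Jane Doe",
    "affiliation": "member@example.org;staff@example.org",
    "entitlement": "urn:example:wiki:editors",
}

if __name__ == "__main__":
    print(authenticate("127.0.0.1", SAMPLE_HEADERS))    # accepted
    print(authenticate("203.0.113.9", SAMPLE_HEADERS))  # rejected: not the front end
```

The same check belongs in front of any header-trusting authenticator: the application port should be reachable only from the front end, and the front end should drop client-supplied copies of the identity headers before setting its own.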

0 votes
Timo Dreier December 14, 2011

Further question:

Is Shibboleth only running with an IIS or Apache in front?
