At my company we have a custom Jira plugin based on Seraph. I'd like to use the same plugin or a variation of it, with Stash. Is that possible or can Seraph only be used with Jira or Confluence?
If the Seraph approach can't work with Stash is there any other options for a custom SSO plugin?
Stash does not use Seraph (it uses Spring Security instead), so you can't use the same plugin for Stash. I am currently working on a new plugin point for Stash to allow you to hook into Stash's authentication without having to modify any of core Stash. This will allow you to implement your SSO integration as a plugin.
I'd be interested in your requirements to ensure that the plugin point provides all the necessary hooks. Feel free to email me directly at mheemskerk [at] atlassian.com.
Thanks Michael, I'm planning to contact you to discuss the details of the plugin approach but wanted to talk to the person in my company that wrote our Jira plugin first and I haven't had a chance to do that yet.
In the mean time, I've been assuming I could use an SSO approach via Apache. For our internal Fisheye instance we use an Apache web-agent (OpenSSO) via the ajp13 bind setting. For Stash I don't see any reference to ajp13 in the admin interface. Does that mean the Apache web-agent opensso approach won't work either?
In our case we implemented a Stash authentication plugin that takes the REMOTE_USER (set by our SSO system) variable via AJP (JkEnv) and a request property. Is such a common scenario that I am a bit surprised that it is not provided out of the box by Stash.
We had to do the same for JIRA, Confluence and Bamboo with Seraph, but in this case is less convenient, because you can not do it as a plugin AFAIK and have to change the seraph config file.
We are in the process of setting up Stash in our SSO environment as well. I've written a SSO plugin for Jira as well and it integrated nicely with Jira and the Seraph configs. Were you able to do something similar with Stash? It sounds like you were able to send an authenticated user value of some sort to Stash to effect a login. It this the case?
Thanks for that Daniel,
I'll look into adding builtin support for container-provided authentication, which is what your SSO integration is doing.
@Evan, https://bitbucket.org/mheemskerk/stash-auth-plugin-example could be a starting point for your plugin, all you'd need to do is get the username from request.getRemoteUser() and use that to pre-authenticate.
On the topic of container-provided authentication: I am in an Active Directory environment. I developed a JSR-196 compliant module that runs in our glassfish container to do Kerberos SSO (with an ldap fallback and pre-emptive BASIC support) for our internally developed java apps. I currently use LDAP in our atlassian products. If Stash (or other atlassian apps) could support container-managed authentication, we could use our module to authenticate. I just thought I'd throw this use case out there in case you are considering something similar to this.
Thanks Michael, that would be a very welcome feature. Could you please post here the relevant JIRA issue when/if it gets created? Any chance of convincing the JIRA/Confluence guys to do the same ;-) ?
Evan, yes we managed to do it for Stash alright. Our code is very similar to the example linked by Michael but with the addition of:
- Automatic logout if the current cached user was authenticated from SSO and the SSO credential disappears.
- Skipping any further processing if the current user and the one in SSO are already the same
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
We're bringing product updates and pro tips on teamwork to ten cities around the world.Save your spot