Stash Single Sign-on Plugin

Dan Peterson March 6, 2013

At my company we have a custom Jira plugin based on Seraph. I'd like to use the same plugin or a variation of it, with Stash. Is that possible or can Seraph only be used with Jira or Confluence?

If the Seraph approach can't work with Stash, are there any other options for a custom SSO plugin?

4 answers

0 votes
Daniel R
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 18, 2013
Dharmendra Shelare February 16, 2014

Hi Daniel Varela Santoalla & Michael Heemskerk [Atlassian]

How to implement SSO with Apache and how to configure Apache request?

0 votes
Daniel Varela Santoalla March 13, 2013

Thanks Michael, that would be a very welcome feature. Could you please post here the relevant JIRA issue when/if it gets created? Any chance of convincing the JIRA/Confluence guys to do the same ;-) ?

Evan, yes we managed to do it for Stash alright. Our code is very similar to the example linked by Michael but with the addition of:

- Automatic logout if the current cached user was authenticated from SSO and the SSO credential disappears.

- Skipping any further processing if the current user and the one in SSO are already the same

Daniel
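The session handling described in this answer (pre-authenticate from the container-provided user, log out when an SSO-created session loses its SSO credential, skip when nothing changed), as an added example that is not part of the thread and not code from either plugin. `SsoReconcile`, `Session`, `Action` and `decide` are hypothetical names, and the sample cases are constructed; a real plugin would feed `decide` the value of `request.getRemoteUser()` and act on the result through Stash's authentication plugin point.

```java
import java.util.Objects;

public class SsoReconcile {
    enum Action { SKIP, LOGIN, LOGOUT, LEAVE_ALONE }

    // Hypothetical model of the cached session: who is logged in and whether
    // that login came from the SSO layer or from the application's own form.
    record Session(String user, boolean fromSso) {}

    // remoteUser is what request.getRemoteUser() returned for this request.
    static Action decide(String remoteUser, Session current) {
        String sso = (remoteUser == null || remoteUser.isBlank()) ? null : remoteUser.trim();
        if (sso == null) {
            // SSO credential is gone: tear down only sessions that SSO created,
            // so local (non-SSO) logins keep working.
            return (current != null && current.fromSso()) ? Action.LOGOUT : Action.LEAVE_ALONE;
        }
        if (current != null && Objects.equals(current.user(), sso)) {
            return Action.SKIP; // same user already cached, no further processing
        }
        // No session yet, or the container now reports a different user:
        // authenticate as the SSO user on a fresh session, never by reusing
        // the previous user's session.
        return Action.LOGIN;
    }

    public static void main(String[] args) {
        // Constructed cases: {remoteUser, cached user, cached session came from SSO}
        Object[][] cases = {
            {"alice", null, false},    // first request behind SSO
            {"alice", "alice", true},  // steady state
            {null, "alice", true},     // SSO credential disappeared
            {null, "bob", false},      // local login, no SSO involved
            {"carol", "alice", true},  // SSO user changed under a live session
            {"  ", "alice", true},     // blank value treated as absent
        };
        for (Object[] c : cases) {
            Session s = c[1] == null ? null : new Session((String) c[1], (Boolean) c[2]);
            System.out.printf("remoteUser=%-6s cached=%-35s -> %s%n",
                    c[0], s, decide((String) c[0], s));
        }
    }
}
```

The container-provided user name is only as trustworthy as the path it arrives on, so the AJP connector should accept connections solely from the SSO front end.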

0 votes
Daniel Varela Santoalla March 12, 2013

In our case we implemented a Stash authentication plugin that takes the REMOTE_USER (set by our SSO system) variable via AJP (JkEnv) and a request property. It is such a common scenario that I am a bit surprised that it is not provided out of the box by Stash.

We had to do the same for JIRA, Confluence and Bamboo with Seraph, but in this case it is less convenient, because you cannot do it as a plugin AFAIK and have to change the Seraph config file.

Evan Moseman March 13, 2013

Daniel,

We are in the process of setting up Stash in our SSO environment as well. I've written an SSO plugin for Jira as well and it integrated nicely with Jira and the Seraph configs. Were you able to do something similar with Stash? It sounds like you were able to send an authenticated user value of some sort to Stash to effect a login. Is this the case?

Thanks!

Michael Heemskerk
Atlassian Team
March 13, 2013

Thanks for that Daniel,

I'll look into adding built-in support for container-provided authentication, which is what your SSO integration is doing.

@Evan, https://bitbucket.org/mheemskerk/stash-auth-plugin-example could be a starting point for your plugin, all you'd need to do is get the username from request.getRemoteUser() and use that to pre-authenticate.

Michael

John Burns
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
March 18, 2013

On the topic of container-provided authentication: I am in an Active Directory environment. I developed a JSR-196 compliant module that runs in our GlassFish container to do Kerberos SSO (with an LDAP fallback and pre-emptive BASIC support) for our internally developed Java apps. I currently use LDAP in our Atlassian products. If Stash (or other Atlassian apps) could support container-managed authentication, we could use our module to authenticate. I just thought I'd throw this use case out there in case you are considering something similar to this.

Michael Heemskerk
Atlassian Team
March 19, 2013

I've created https://jira.atlassian.com/browse/STASH-3239 to track adding support for container-managed authentication to Stash.

0 votes
Michael Heemskerk
Atlassian Team
March 6, 2013

Hi Dan,

Stash does not use Seraph (it uses Spring Security instead), so you can't use the same plugin for Stash. I am currently working on a new plugin point for Stash to allow you to hook into Stash's authentication without having to modify any of core Stash. This will allow you to implement your SSO integration as a plugin.

I'd be interested in your requirements to ensure that the plugin point provides all the necessary hooks. Feel free to email me directly at mheemskerk [at] atlassian.com.

Cheers,

Michael

Dan Peterson March 11, 2013

Thanks Michael, I'm planning to contact you to discuss the details of the plugin approach but wanted to talk to the person in my company that wrote our Jira plugin first and I haven't had a chance to do that yet.

In the meantime, I've been assuming I could use an SSO approach via Apache. For our internal Fisheye instance we use an Apache web-agent (OpenSSO) via the ajp13 bind setting. For Stash I don't see any reference to ajp13 in the admin interface. Does that mean the Apache web-agent OpenSSO approach won't work either?
