Stash Single Sign-on Plugin

At my company we have a custom Jira plugin based on Seraph. I'd like to use the same plugin or a variation of it, with Stash. Is that possible or can Seraph only be used with Jira or Confluence?

If the Seraph approach can't work with Stash, are there any other options for a custom SSO plugin?

4 answers

0 vote

Hi Dan,

Stash does not use Seraph (it uses Spring Security instead), so you can't use the same plugin for Stash. I am currently working on a new plugin point for Stash to allow you to hook into Stash's authentication without having to modify any of core Stash. This will allow you to implement your SSO integration as a plugin.

I'd be interested in your requirements to ensure that the plugin point provides all the necessary hooks. Feel free to email me directly at mheemskerk [at] atlassian.com.

Cheers,

Michael

Thanks Michael, I'm planning to contact you to discuss the details of the plugin approach but wanted to talk to the person in my company that wrote our Jira plugin first and I haven't had a chance to do that yet.

In the meantime, I've been assuming I could use an SSO approach via Apache. For our internal Fisheye instance we use an Apache web-agent (OpenSSO) via the ajp13 bind setting. For Stash I don't see any reference to ajp13 in the admin interface. Does that mean the Apache web-agent OpenSSO approach won't work either?

In our case we implemented a Stash authentication plugin that takes the REMOTE_USER (set by our SSO system) variable via AJP (JkEnv) and a request property. It is such a common scenario that I am a bit surprised that it is not provided out of the box by Stash.

We had to do the same for JIRA, Confluence and Bamboo with Seraph, but in this case it is less convenient, because you cannot do it as a plugin AFAIK and have to change the Seraph config file.

Daniel,

We are in the process of setting up Stash in our SSO environment as well. I've written an SSO plugin for Jira as well and it integrated nicely with Jira and the Seraph configs. Were you able to do something similar with Stash? It sounds like you were able to send an authenticated user value of some sort to Stash to effect a login. Is this the case?

Thanks!

Thanks for that Daniel,

I'll look into adding builtin support for container-provided authentication, which is what your SSO integration is doing.

@Evan, https://bitbucket.org/mheemskerk/stash-auth-plugin-example could be a starting point for your plugin, all you'd need to do is get the username from request.getRemoteUser() and use that to pre-authenticate.

Michael

On the topic of container-provided authentication: I am in an Active Directory environment. I developed a JSR-196 compliant module that runs in our GlassFish container to do Kerberos SSO (with an LDAP fallback and pre-emptive BASIC support) for our internally developed Java apps. I currently use LDAP in our Atlassian products. If Stash (or other Atlassian apps) could support container-managed authentication, we could use our module to authenticate. I just thought I'd throw this use case out there in case you are considering something similar to this.

I've created https://jira.atlassian.com/browse/STASH-3239 to track adding support for container-managed authentication to Stash.

Thanks Michael, that would be a very welcome feature. Could you please post here the relevant JIRA issue when/if it gets created? Any chance of convincing the JIRA/Confluence guys to do the same ;-) ?

Evan, yes we managed to do it for Stash alright. Our code is very similar to the example linked by Michael but with the addition of:

- Automatic logout if the current cached user was authenticated from SSO and the SSO credential disappears.

- Skipping any further processing if the current user and the one in SSO are already the same

Daniel
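The two additions Daniel lists, written out as a per-request decision function. This is an added example, not Daniel's plugin or Atlassian code: the class, enum and parameter names are hypothetical, `remoteUser` stands for the value of `request.getRemoteUser()` mentioned above, and exact-match username comparison and switching to the SSO user when the names differ are assumptions.

```java
/** Hypothetical helper: what a pre-authentication hook should do for one request. */
public final class SsoSessionDecision {

    public enum Action { KEEP_SESSION, LOGIN_AS_REMOTE_USER, LOGOUT }

    /**
     * @param sessionUser    user cached in the application session, or null if anonymous
     * @param sessionFromSso true if that session was created from the container-provided user
     * @param remoteUser     value of request.getRemoteUser() for this request (may be null or blank)
     */
    public static Action decide(String sessionUser, boolean sessionFromSso, String remoteUser) {
        // Treat a blank value the same as a missing one.
        String sso = (remoteUser == null || remoteUser.trim().isEmpty()) ? null : remoteUser.trim();

        if (sso == null) {
            // SSO credential disappeared: end sessions that were created from it,
            // but leave anonymous sessions and ordinary form logins untouched.
            return (sessionUser != null && sessionFromSso) ? Action.LOGOUT : Action.KEEP_SESSION;
        }
        if (sso.equals(sessionUser)) {
            // Cached user and SSO user are already the same: skip further processing.
            // Assumption: usernames are compared exactly (case-sensitive).
            return Action.KEEP_SESSION;
        }
        // Anonymous session, or a different cached user: pre-authenticate as the SSO user.
        // Assumption: the container-provided identity wins over a stale session.
        return Action.LOGIN_AS_REMOTE_USER;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: {sessionUser, sessionFromSso, remoteUser}
        Object[][] cases = {
            {null,    false, "alice"},  // first request behind SSO
            {"alice", true,  "alice"},  // same user on a later request
            {"alice", true,  null},     // SSO credential gone
            {"bob",   false, null},     // form login, no SSO header
            {"alice", true,  "carol"},  // SSO user changed
        };
        for (Object[] c : cases) {
            Action a = decide((String) c[0], (Boolean) c[1], (String) c[2]);
            System.out.printf("session=%s fromSso=%s remoteUser=%s -> %s%n", c[0], c[1], c[2], a);
        }
    }
}
```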

Hi Daniel Varela Santoalla & Michael Heemskerk [Atlassian]

How to implement SSO with Apache and how to configure Apache request.
