Non-Interactive Single Sign On (SSO) Solution - Help Needed!

Eric C November 20, 2014

Products: Crowd 2.6.4, JIRA 6.2.1, Confluence 5.2.5, Stash 2.11.6, Bamboo 5.1.1

 

Hello,

My team is in the process of implementing a custom authentication and authorization solution using PKI for authentication and a custom authorization service for authorization. Currently, we use Crowd as the LDAP for users to log into our other Atlassian applications and determine a user's level of access based on the assigned groups. Here is our entire drafted process:

  1. End user accesses the application
  2. Application determines if user has passed a valid PKI certificate; if so, extract the common name (cn) from the certificate details. From there, confirm if cn matches a user within the user directory of the application
  3. Perform authorization of end user by checking applicable roles and permissions within external custom authorization service
  4. Pass along authentication/authorization info to Crowd using the HttpServletRequest object
  5. Allow end user access to the application based on above authentication and authorization rules

What we would like to do is implement a non-interactive single sign-on system for our product suite where users can access each application without having to enter their login credentials into each application. What we have discovered is that for each application, we would need to create a separate authentication provider, since the way each Atlassian product stores the user principal in the session is different.

Is there any documentation or sample code out there that allows for non-interactive single sign-on? Any input is appreciated.
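Steps 2 and 3 of the drafted process, sketched as an added example that is not part of the original post and is not Atlassian or Crowd code. The class name `CertLogin`, the two lookup predicates and the sample subject DNs are constructed for illustration, and the sketch assumes the servlet container has already validated the client certificate chain during the TLS handshake.

```java
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class CertLogin {
    // Step 2a: read the CN with a real DN parser so escaped commas and attribute
    // order cannot skew the match. In a servlet the subject comes from
    // ((X509Certificate[]) request.getAttribute(
    //     "javax.servlet.request.X509Certificate"))[0].getSubjectX500Principal().
    static Optional<String> commonName(X500Principal subject) {
        try {
            LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
            String cn = null;
            for (Rdn rdn : dn.getRdns()) {
                if (rdn.size() != 1) return Optional.empty();   // refuse multi-valued RDNs
                if (!"CN".equalsIgnoreCase(rdn.getType())) continue;
                if (cn != null || !(rdn.getValue() instanceof String)) {
                    return Optional.empty();                    // duplicate or binary CN
                }
                cn = (String) rdn.getValue();
            }
            return Optional.ofNullable(cn);
        } catch (InvalidNameException e) {
            return Optional.empty();                            // unparseable DN: deny
        }
    }

    // Steps 2b and 3: the CN must name a directory user, then the external
    // authorization service decides. Both predicates are hypothetical stand-ins.
    static boolean allow(X500Principal subject, Predicate<String> userExists,
                         Predicate<String> isAuthorized) {
        return commonName(subject).filter(userExists).filter(isAuthorized).isPresent();
    }

    public static void main(String[] args) {
        Set<String> directory = Set.of("jdoe", "Doe, John");    // constructed sample users
        Set<String> authorized = Set.of("jdoe");                // constructed sample grants
        List<String> subjects = List.of("CN=jdoe,OU=Eng,O=Example",
                "CN=Doe\\, John,OU=Eng,O=Example", "OU=Eng,O=Example");
        for (String s : subjects) {
            X500Principal p = new X500Principal(s);
            System.out.println(s + " -> cn=" + commonName(p).orElse("(none)")
                    + " allow=" + allow(p, directory::contains, authorized::contains));
        }
    }
}
```

Every failure path denies access: a missing, duplicated or unparseable CN never falls through to the directory lookup.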

2 answers


1 vote
Justin Justin November 23, 2014

Eric - you are correct that unique authenticators are needed for each app for those SSO legs. (The Crowd authenticator is not required, except if you want SSO for the Crowd admins.) For the rest, AppFusions' Kerberos SSO Authenticators for LDAP and Atlassian servers are packaged solutions for your need.

http://www.appfusions.com/display/KBRSCJ/Home 

If you have questions, email info@appfusions.com - but at a minimum, here are some questions with regard to your environment:

http://www.appfusions.com/display/KBRSCJ/AD+SSO+to+Atlassian+Products+-+Network+Pre-Qualifier+Questionnaire 

0 votes
Eric C November 24, 2014

Justin,

Thanks for the link. It seems like on the AppFusions site you will need to purchase their solution. If at all possible, we are looking for something that is Open Source. Is there another solution out there by chance?

Justin Justin November 25, 2014

Not that I know of. AppFusions tried to do the open source thing initially, but it was not very successful. They talk about it here - http://www.appfusions.com/display/KBRSCJ/FAQ There are other SSO solutions out there which are very very pricey (you will find in your research). It's a tricky problem. And once done, it's done. Not really a repeatable expertise in most people's jobs.
