Currently, we have a Stash application configured with LDAP authentication. We wanted to integrate our Stash application with inter SSO service. Please advise.
Hi Kashif,
Stash has plugin points that allow you to provide a custom plugin that participates in the authentication process. We bundle an SSO plugin for Crowd SSO that you can use if you're using Crowd for your SSO. It sounds like you're using a different SSO system, in which case you'll have to provide a custom plugin.
You can find documentation here: https://developer.atlassian.com/stash/docs/latest/reference/plugin-module-types/http-authentication-handler.html
Or have a look at an example implementation: https://bitbucket.org/mheemskerk/stash-auth-plugin-example/src. This example provides an authentication handler for container based authentication. If your SSO system provides integration for Tomcat, you could set that up and use the example plugin to have Stash accept the authenticated user provided by Tomcat.
Cheers,
Michael
Thanks Michael, I have seen the code, and it makes sense to me. One thing is not clear about calling this handler. For example, a user hits my Stash application, SSO will intercept (if there is no session), and after successful user authentication, it will redirect to my custom page, which will store the user into the container. So how do I invoke this handler? Please correct me if my understanding is wrong. Thanks
It all depends on how your SSO solution works. If your SSO solution provides integration with Tomcat, you'll have to follow its installation instructions, which will most likely involve adding a <Valve ..> element to your server.xml. The valve then performs authentication when required and sets the remoteUser on the HttpServletRequest, which the example plugin then uses to authenticate the user in Stash.
If your SSO solution does not provide Tomcat integration, you'll have to write your own solution and you can use the example plugin as a starting point. However, instead of looking at the remoteUser on the request, you'd probably:
* check the request for a token that has been set by your SSO server (typically a request header or a cookie)
* send a request to the SSO server to validate the token and retrieve the username
* look up the user in Stash by username and return that as the authenticated user.
To redirect the user to your SSO's login screen, you should also provide a HttpAuthenticationFailureHandler and redirect in the onAuthenticationFailure method. Jozef has kindly provided a link below to his Jasig CAS SSO plugin that does exactly that.
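The three steps listed in the comment above, as an added example that is not part of the original post or of either plugin linked in this thread. It uses only the JDK: the cookie name `SSO_TOKEN`, the `ssoValidate` function (standing in for the call to the SSO server) and the `knownUsers` set (standing in for the Stash user lookup) are hypothetical, and the sample tokens and usernames are constructed.

```java
import java.util.*;
import java.util.function.Function;

public class SsoTokenAuthSketch {
    // Hypothetical cookie name; use whatever your SSO server actually sets.
    static final String TOKEN_COOKIE = "SSO_TOKEN";

    // Step 1: take the token from the Cookie header only. A username sent by
    // the client (e.g. an X-Remote-User header) is never read or trusted.
    static Optional<String> extractToken(Map<String, String> headers) {
        String cookies = headers.getOrDefault("Cookie", "");
        for (String part : cookies.split(";")) {
            String[] kv = part.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equals(TOKEN_COOKIE) && !kv[1].isEmpty()) {
                return Optional.of(kv[1]);
            }
        }
        return Optional.empty();
    }

    // Steps 2 and 3: the SSO server maps a token to a username (empty if the
    // token is invalid or expired), then the username must exist locally.
    // Any failure yields empty, so the request stays unauthenticated.
    static Optional<String> authenticate(Map<String, String> headers,
            Function<String, Optional<String>> ssoValidate,
            Set<String> knownUsers) {
        return extractToken(headers)
                .flatMap(ssoValidate)
                .map(String::trim)
                .filter(knownUsers::contains);
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for the SSO server and Stash users.
        Map<String, String> sessions = new HashMap<>();
        sessions.put("tok-abc", "alice");
        sessions.put("tok-xyz", "ghost"); // valid token, no matching local user
        Function<String, Optional<String>> sso = t -> Optional.ofNullable(sessions.get(t));
        Set<String> users = new HashSet<>(Arrays.asList("alice", "bob"));

        String[] cookieHeaders = { "SSO_TOKEN=tok-abc", "other=1; SSO_TOKEN=tok-xyz",
                                   "SSO_TOKEN=forged", "" };
        for (String c : cookieHeaders) {
            Map<String, String> h = new HashMap<>();
            h.put("Cookie", c);
            h.put("X-Remote-User", "admin"); // client-supplied, ignored
            System.out.println("[" + c + "] -> " + authenticate(h, sso, users));
        }
    }
}
```

Only the first constructed request resolves to a user; the unknown-user, forged-token and missing-token cases all come back empty, which is the point at which a failure handler would redirect to the SSO login screen.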
Hi Michael, I am redirecting to the SSO login page on failure, but when I hit my app URL it shows the Stash default login page. If I enter a wrong password then it takes me to the SSO login page, but it does not show the first time. Please advise, thanks
Hi Kashif,
Take a look at the Umbrella SSO by Adaptavist, which provides Single Sign-On for all Atlassian server applications, including Stash, and integrates with your existing infrastructure, i.e. covers Kerberos, SAML and more. Get in touch with our team for more details via the contact form or contact me directly.
Thanks,
Monika
Product Manager at Adaptavist
Hi Kashif:
AppFusion's SSO Authenticator for AD/LDAP and Atlassian Servers (via Kerberos) solution now supports Stash too. info@appfusions.com if interested.
As Michael wrote, Stash is extensible for custom authentication - I have implemented integration with Jasig CAS SSO. Sources are available at BitBucket.
I would recommend leaving the decision (whether to authenticate) to Stash and redirecting to SSO only if needed.
Hi, I have been trying your plugin with Stash 3.5.0, and I am not able to locate stash-config.properties. Is it available in 3.5.0? Please advise, thanks
It should be in STASH_HOME/shared/stash-config.properties. However, if you're using the in-memory database, that file may not exist and you can create it.