SAML or other federation technology?

SG February 12, 2013

Eight months ago, @kjg asked a question about SAML support. The answer, perplexingly, read:

'It is an often requested feature that we are not going to include in our product line. [Here |https://jira.atlassian.com/browse/CWD-1822] is the feature request page where developers have commented on the issue. You can see that it has been resolved as "Won't Fix."'

Puzzled why you would reject an 'often requested feature' I tried the link to find the page has been deleted. Does this mean you've changed your mind and will be supporting SAML in the future?

I work in the team charged with protecting our identity systems. We've had various proposals for linking cloud apps to our AD infrastructure and rejected them all. Federation is our preferred (in fact, our only) mechanism. We currently use ADFS 2.0. We're prepared to look at other federation technology but no cloud app is getting its claws into our AD and we're not setting up and maintaining another directory with 10s of 000s of users because the costs are prohibitive. If you don't do SAML, what other options are there?

9 answers

1 accepted

5 votes
Answer accepted
MartaD October 1, 2013

I'm also with the group on this one. I've just been charged with finding a SAML solution for JIRA, and also don't want to go with a third party. I'm not sure anything third party would even be approved by our security department, because we're a bank and security is everything here. It would be the best solution if Atlassian handled it since JIRA is their application and it's already approved here at our company.

3 votes
SG February 12, 2013

Thanks for sorting out the link. But it doesn't answer my questions.

To repeat:

  • why aren't you supporting SAML? (Maybe there's something I've missed about its use in such situations?)
  • what do you think enterprises with thousands of users should use, (other than getting a third party to do the SAML integration)?

I'm never a fan of 3rd parties because when something doesn't work, they'll blame you and you'll blame them and we'll be stuck with something that doesn't work. And our users will blame us.

Dave
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 12, 2013

To partially address the first question, we are supporting SAML for Google Apps integration. Anything beyond that we are not currently supporting.

In regards to both questions, we provide for this by having the option to download the product and host it locally (or with another vendor); in this situation you have access to the source code and can also implement any authentication you would like; which is generally the way the product would be used by enterprises with thousands of users.

For the OnDemand product, implementing any additional SAML functionality is not a priority at this moment (you can see from the issue link that it only has 7 votes), and more work needs to be done with integrating the authentication before this could be considered.

SG February 12, 2013

Thanks for the reply. It's not my department but I'm under the impression that the Google route is rather expensive.

I guess enterprises did host locally in the past - we certainly did. And before that, we wrote everything ourselves, on the mainframe. But now our business divisions want quick and dirty (at least, that's what they say they want - I suspect the reality will be different but they'll have to face that reality before they know it, I guess). And they've had the world and its dog telling them cloud is the answer. "With cloud there's no maintenance", etc. Four out of the last five projects I've been involved with have started by looking at the cloud.

Actually, I don't see a difference between cloud and local: I'd still want to do AuthN and AuthZ with SAML but I don't expect to have to write my own. My users want single-sign-on. There's no easy way to do that, unless everything is hosted on Windows (and it isn't). And SAML is the best we've got there, too.

Perhaps it only has 7 votes because you can't vote on a resolved issue? If you hadn't pointed it out, I wouldn't have thought to look because I don't use this platform and I'm not familiar with that approach.

SG February 17, 2013

You didn't really even partially address the first question because I asked why. If you've decided not to support a standard protocol, you must have had a reason.

2 votes
Morgan August 19, 2013

I'm with @SSG on his complaints about lack of formal SAML support. I'll likely skip Atlassian products until a realistic federation solution is possible. SSO is more than just sharing users, it's an experience that allows managing of a user's session across multiple applications and thus increases usability.

Maybe sometime this will become a priority? I too do not wish to enjoy the burden of a third party support for this.

0 votes
Nate Bingham December 15, 2015

Another user here needing ADFS integration for a server we will be hosting ourselves.  Security requires we use ADFS so they have final say over authentication.

The issue CWD-1822 is referenced several times in this thread but none of the links work nor can I find it via searching.  Did the issue get removed because Atlassian is considering adding this feature?  Any comments from Atlassian?

0 votes
Ron Chan
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 15, 2015

We're also in need of cloud integration with ADFS...any updates Atlassian?

0 votes
Ben de Laat March 23, 2015

Also looking for a way to connect through ADFS. Has anybody had any luck?

0 votes
Andrew Braae October 16, 2014

Annoying there is no SAML support. We can plug most of our platforms (even Google apps) onto our SAML identity provider and it's frustrating that one vendor stops us from really making strides with our security.

It feels like old fashioned lock-in thinking by Atlassian, but in the modern world, identity is really the property of the enterprise, which is what SAML is all about, not any one vendor. I imagine as the years roll by that Atlassian will eventually be forced to wake up, and will then look around and see that they have lost market share to vendors who do allow enterprises to manage their own identities.

0 votes
Evan Hoffman July 15, 2014

+1 for SAML support for Atlassian OnDemand. Are you not doing it because you sell a competing product (Crowd)?

Nic Brough -Adaptavist-
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
July 15, 2014

See https://jira.atlassian.com/browse/CWD-1822 for Atlassian's stance.

You'll note that that is a Crowd issue - the point here is that there's never going to be any direct SAML (or in fact any other) support for direct logins, it will all go via Crowd. So you wouldn't make bits of OnDemand SAML enabled, you'd keep it simple and just enable it for Crowd.

I don't believe Atlassian are going to enable the SAML plugin for Crowd in OnDemand for the foreseeable future.

Evan Hoffman July 15, 2014

Thanks Nic. Personally I don't care how it's achieved, or at what layer, but I've been looking into enterprise SSO solutions recently and they all rely on SAML. If they had OAuth with Google Apps, that would even be preferable to our current scenario where users have different credentials for everything.

0 votes
Dave
Atlassian Team
February 12, 2013

Hello,

The issue with that URL seems to be the brackets; the ticket still exists at -

https://jira.atlassian.com/browse/CWD-1822

You can see there the comment that explains our usage and provides info on plugins for SAML if you use the download version of the products:

SAML support in Crowd is limited to the use case of connecting to Google Apps and we will continue to support this feature.

We do not plan on implementing full SAML support in Crowd or JIRA in the foreseeable future.

If SAML support is critical to your deployment, you could consider engaging one of our partners to build upon the existing SAML functionality. The SAML support in Crowd has been implemented as a plugin and it's possible for you to download the source code if you have a license.

Thanks,

-dave

Sergey Svishchev
Rising Star
April 15, 2014

Could you, or someone else from Atlassian, answer *why* full SAML support is not a priority?

A May 7, 2014

Adding another voice to the "why?" group.
