SSO Authenticator for AD/ADFS/LDAP and Atlassian Servers (via Kerberos)
Single sign-on authenticator for Active Directory/Active Directory Federation Service/LDAP, including full support for Confluence, JIRA, Bitbucket Server (formerly Stash), Crowd, Bamboo, FishEye, Crucible, SVN
Atlassian applications (Confluence, JIRA, Crowd, FishEye, etc.) have no out-of-the-box support for single sign-on in an Active Directory environment.
What does it do?
Enables your Active Directory provisioned users to log into their desktops and automatically be authenticated into Atlassian Confluence, JIRA or any other Atlassian product.
How do we do it, generally?
There are three major components in AppFusions' Kerberos SSO Authenticator for Atlassian applications.
- The AD Domain Controller and Key Distribution Center (KDC), which is responsible for distributing Kerberos tickets within the intranet that client workstations and servers are part of.
- The AppFusions Kerberos authentication filter, which processes all incoming requests and handles the Kerberos protocol, including negotiation and validation of the Kerberos ticket. Once the ticket is obtained and verified, the request is passed on to ...
- The AppFusions Seraph authenticator, which will authenticate and log the user into Confluence.
There is a fourth, optional component that ties into the authentication filter to provide pattern-based URL processing, which determines whether any special URL patterns should be excluded from the authentication process.
Which flavor is right?
All Atlassian products: Confluence, JIRA, FishEye, Crucible, Bitbucket (formerly Stash), Bamboo, Crowd, SVN
Windows and Linux-based network
Reverse proxy in network
External users and Linux
What is the process?
Implementing the authenticator in your network is a multi-step process, requiring light consulting via AppFusions. Our engineers have repeated the process over and over in different environments, and we are pleased to say that it is a fairly methodical, streamlined effort, even with unique configurations for all deployments; it just works.
Here are the steps, in general:
- Complete the AppFusions AD SSO Network Pre-Qualifier Questionnaire by copying the questions into email and replying to AppFusions.
- We will reply with any questions and/or a "quote to pay" to kick off the effort.
- Set up a staging environment for initial deployment. Since this is login-affecting, we do not deploy on production systems at first. We deploy on your staging environment with your assistance, and you then deploy to the production system yourself, now that you know how (and have the documentation to do it).
- Kick off. The process is usually about a week of back and forth between our team and your network and AD admins. This is managed through a Confluence space that we allocate to you, so we can also have a running set of notes.
Your AppFusions AD Login Authenticator is licensed and includes maintenance updates for one year.
The steps for deployment are:
- Install the AppFusions AD Login Authenticator (from the Marketplace)
- Install the AppFusions Seraph Security Framework Module provided by AppFusions
- Implement Server Configurations per AppFusions provided guidance (these are specific to your network and environment).
- Implement AD configurations (Kerberos only) per AppFusions provided documentation and guidance.
- If applicable, implement customizations per AppFusions provided documentation and guidance.
FAQ (Frequently Asked Questions)
1) Is it possible to have it function between an externally hosted Confluence site and our own internal domain? If so, what are the requirements?
We have done this working closely with our hosting data center. Requirements are:
- Confluence site must be in DNS as an A record
- Confluence site must be able to connect to Kerberos ports. This is done with a secure tunnel configured back to your home office.
2) Can it support multiple domains? We have a two-way read only trust with another domain, and we need a solution that will support users from the trusted domain as well.
We have done multiple domains from different forests.
The customer needs to make sure that usernames from the two domains do not clash, since Confluence does not track which domain a user comes from.
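A pre-deployment check for the username clash described in FAQ 2, as an added example that is not AppFusions code. It assumes account names can be exported from each domain as `user@REALM` or `DOMAIN\user` strings and that usernames compare case-insensitively; the realm names, the NetBIOS mapping and the sample accounts are all constructed.

```python
from collections import defaultdict

# Assumed mapping of NetBIOS domain names to Kerberos realms (constructed).
NETBIOS_TO_REALM = {
    "CORP": "CORP.EXAMPLE.COM",
    "PARTNER": "PARTNER.EXAMPLE.NET",
}

# Constructed sample export from two trusted domains (not real data).
SAMPLE_ACCOUNTS = [
    "jsmith@CORP.EXAMPLE.COM",
    "mlee@CORP.EXAMPLE.COM",
    "CORP\\mlee",                  # same user as above, down-level form
    "JSmith@PARTNER.EXAMPLE.NET",  # differs from corp jsmith only by case
    "PARTNER\\akhan",
]


def split_account(account):
    """Return (short_name, realm) for 'user@REALM' or 'DOMAIN\\user'."""
    account = account.strip()
    if "\\" in account:
        domain, _, user = account.partition("\\")
    elif "@" in account:
        user, _, domain = account.rpartition("@")
    else:
        raise ValueError(f"no domain part in {account!r}")
    if not user or not domain:
        raise ValueError(f"malformed account {account!r}")
    domain = domain.upper()
    # Fold the NetBIOS form onto its realm so one user is not counted twice.
    return user.lower(), NETBIOS_TO_REALM.get(domain, domain)


def find_clashes(accounts):
    """Map each short name that exists in more than one realm to its realms."""
    realms_by_user = defaultdict(set)
    for account in accounts:
        user, realm = split_account(account)
        realms_by_user[user].add(realm)
    return {u: sorted(r) for u, r in realms_by_user.items() if len(r) > 1}


if __name__ == "__main__":
    for user, realms in sorted(find_clashes(SAMPLE_ACCOUNTS).items()):
        print(f"CLASH: '{user}' exists in {', '.join(realms)}")
```

Any name it reports would map two different people onto one application account once the realm is dropped, so resolve those before enabling SSO for the trusted domain.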