SSO Authenticator for AD/ADFS/LDAP and Atlassian Servers (via Kerberos)
Single sign-on authenticator for Active Directory/Active Directory Federation Service/LDAP, including full support for Confluence, JIRA, Bitbucket Server (formerly Stash), Crowd, Bamboo, FishEye, Crucible, SVN
AppFusions has been deploying and supporting this Kerberos integration since October 2011. Simplified, guided, supported deployments specific to your network, all inclusive.
Also, ask us also about SAML2 SSO deployments. Fortune 500 references from 2014 deployments.
The AppFusions' Kerberos SSO Authenticators are Java-based authentication solutions that enables Windows SSO authentication for the Atlassian products in your enterprise.
- Bitbucket Server(formerly Stash)
- FishEye (per repository permissions not supported)
- Crowd (optional; you still also need authenticators also for the independent applications)
- SVN (not an Atlassian product, but still)
We've deployed SSO for Atlassian products over 200+ times and counting!
This is an inclusive service/licensed package encompassing our field experience with many different networks, environments, browsers, operating systems and customer requirements See testimonials of this popular service - we can provide more upon request!
Kerberos Authenticator Features
- Provides Windows authentication using SPNEGO (Kerberos over HTTP)
- More secure than NTLM (see our comparison here)
- Fallback to basic authentication for clients not joined to your domain
- Allows custom applications and plugins to bypass Kerberos to access remote APIs (REST and SOAP)
- Option to fallback to default form logon for non-Windows clients (iOS, Android, Linux, Macs, etc.)
- Option to fallback to default form logon for internet clients (requires defining intranet subnets)
Microsoft no longer recommends NTLM!Icon
According to this Wikipedia article on NTLM, "Microsoft no longer recommends NTLM in applications". This message is further permeated in their official NT LAN Manager (NTLM) Authentication Protocol Specification (Microsoft; 2010-08-16) documentation: "Security Considerations with NTLM".
Consequently, AppFusions also does not recommend NTLM (even though we can and have deployed NTLM solutions on rare occasions for customers, upon request).
AppFusions has prepared our short comparison tables of the different approaches here and here. FYI only.
Architecture Flow Diagram
The Kerberos SSO over HTTP authentication flow is as follows:
- User gets a Kerberos ticket from Active Directory during Windows login to a domain joined PC.
- With a Kerberos-enabled browser (MSIE, Chrome, and Firefox), the user accesses an Atlassian web application protected by the AppFusions Kerberos SSO Authenticator.
- The AppFusions Kerberos SSO Authenticator denies access to the browser with a 401 response and negotiates with the browser to use Kerberos for authentication or fall back to basic authentication if Kerberos is not possible.
- If Kerberos is negotiated, the web browser gets a service ticket from a domain controller for authentication.
- The web browser sends the service ticket to the AppFusions Kerberos SSO Authenticator for validation with a domain controller.
- Upon service ticket validation, the AppFusions Kerberos SSO Authenticator uses Atlassian Seraph to log the user into the Atlassian web application.
Our engineer will work with you to set this up - we do not expect you to do it on your own.
- Our process is methodical and optimized to get it done quickly, so we need to control the approach for most-efficient troubleshooting. Networks are complicated, and SSO is complicated, and we cannot have random settings conflicting.
- Upon purchase, you will be delegated an acct to our client wiki, where we will collaborate about your environment and guide you through the configuration for your deployment on your staging environment.
- There will be a little back and forth on this, but typically this is completed within a couple days to a week, most.
- Once deployed to your staging, you can replicate the process on your production system with the artifacts we have provided you.
We insist on hearing back about your success. Why do it, if not successful, we figure.
"AppFusions have a simple yet elegant solution to getting SSO up and running for Confluence. Switching it on and off for debugging and maintenance is easy to do by simply substituting files. AppFusions also provided constant support while we tested and set up SSO in our system. They have a solid method of troubleshooting errors and working systematically towards the solution. For the price they make this available, this plugin is a steal!"
– Jonas Lindstrom, Appelsiini
“I engaged with AppFusions to help us integrate Kerberos / Active Directory for user accounts on a Confluence project we were working on. Zero complaints - they were great from start to finish, moved quickly and got the job done. We worked together about 12 months ago and have had 0 issues or support requests since.”
– Alex Blom Helix Commerce
If you would like to evaluate the AppFusions' SSO Authenticator for AD and Atlassian (Kerberos SSO integrated with Confluence, JIRA, or other products), you must purchase the plugin + service first since it is not a plug and play solution, given numerous environment considerations that we must evaluate with you before and during deployment.
We will then deploy it to your staging. To request more info, send email to firstname.lastname@example.org.