SSO Authenticator for AD/ADFS/LDAP and Atlassian Servers (via Kerberos)
Single sign-on authenticator for Active Directory/Active Directory Federation Service/LDAP, including full support for Confluence, JIRA, Bitbucket Server (formerly Stash), Crowd, Bamboo, FishEye, Crucible, SVN
Atlassian SSO Technical Deployment Details
The AppFusions Kerberos SSO Authenticator is a Java-based Keberos authentication solution that enables Windows authentication for the Atlassian products in your enterprise.
- Provides Windows authentication using SPNEGO (Kerberos over HTTP)
- More secure than NTLM (see our comparison here)
- Fallback to basic authentication for clients not joined to your domain
- Allows custom applications and plugins to bypass Kerberos to access remote APIs (REST and SOAP)
- Option to fallback to default form logon for non-Windows clients (iOS, Android, Linux, Macs, etc.)
- Option to fallback to default form logon for internet clients (requires defining intranet subnets)
Atlassian Products supported
- FishEye (per repository permissions not supported)
- Crowd (optional; you still also need authenticators also for the independent applications)
- SVN (not Atlassian's but still)
Base URL of web application must be in DNS as an A record.
Web application can access a domain controller's Kerberos port 88 (tcp and udp).
System clock of domain controller, application server, and user computer must be in sync.
How does SPNEGO (Kerberos over HTTP) works?
The Kerberos SSO over HTTP authentication flow is as follows:
- User gets a Kerberos ticket from Active Directory during Windows login to a domain joined PC.
- With a Kerberos-enabled browser (MSIE, Chrome, and Firefox), the user accesses an Atlassian web application protected by the AppFusions Kerberos SSO Authenticator.
- The AppFusions Kerberos SSO Authenticator denies access to the browser with a 401 response and negotiates with the browser to use Kerberos for authentication or fall back to basic authentication if Kerberos is not possible.
- If Kerberos is negotiated, the web browser gets a service ticket from a domain controller for authentication.
- The web browser sends the service ticket to the AppFusions Kerberos SSO Authenticator for validation with a domain controller.
- Upon service ticket validation, the AppFusions Kerberos SSO Authenticator uses Atlassian Seraph to log the user into the Atlassian web application.