This documentation relates to Crowd 2.4.
If you are using an earlier version, please view the previous versions of the Crowd documentation and select the relevant version.
Skip to end of metadata
Comment: Corrected links that should have been relative instead of absolute.
Go to start of metadata

Atlassian's popular Confluence wiki can quickly be configured to use Crowd for user and group management.

On this page:

If you are using NTLM for Windows authentication, you may want to read about configuring Crowd's Confluence NTLM plugin for single sign-on.

Compatibility of Confluence and Crowd Versions

Please ensure that your Crowd and Confluence versions are compatible:

  • Crowd versions 1.2 and later support Confluence 2.6.2 and later.
  • This version of Crowd does not support Confluence 2.6.1 or earlier.
  • If you are using Confluence 2.8 or later, please upgrade to Crowd 1.3.2 or later.
    Explanation: With Confluence 2.8 the atlassian-user interface has changed, and Crowd 1.3.2 provides the required update to Crowd's atlassian-user integration module.
  • If you are using Confluence 3.5 or later, please upgrade to Crowd 2.1 or later.
    Explanation: With Confluence 3.5 and higher, the communication between Confluence and Crowd has been changed from SOAP to REST.

Prerequisites

Do not deploy multiple Atlassian applications in a single Tomcat container.

Deploying multiple Atlassian applications in a single Tomcat container is not supported. We do not test this configuration and upgrading any of the applications (even for point releases) is likely to break it. There are also a number of known issues with this configuration. See this FAQ for more information.

There are also a number of practical reasons why we do not support deploying multiple Atlassian applications in a single Tomcat container. Firstly, you must shut down Tomcat to upgrade any application and secondly, if one application crashes, the other applications running in that Tomcat container will be inaccessible.

Finally, we recommend not deploying any other applications to the same Tomcat container that runs Crowd, especially if these other applications have large memory requirements or require additional libraries in Tomcat's lib subdirectory.

  1. Download and install Crowd. Refer to the Crowd installation guide for instructions. We will refer to the Crowd root folder as CROWD.
  2. Download and install Confluence (version 2.6.2 or later). Refer to the Confluence installation guide for instructions. We will refer to the Confluence root folder as CONFLUENCE. For the purposes of this document, we will assume that you have used the Crowd distribution (not EAR-WAR) (i.e. the easier) installation method of Confluence. If you need to install Confluence as an EAR/WAR, simply explode the EAR/WAR and make the necessary changes as described below, then repackage the EAR/WAR.
  3. Run the Confluence Setup Wizard, as described in the Confluence documentation. During this setup process, you will define the Confluence administrator's username and password. It is easier to do this before you integrate Confluence with Crowd.
  4. After setting up Confluence, shut down Confluence before you begin the integration process described below.

Step 1. Configuring Crowd to Talk to Confluence

1.1 Prepare Crowd's Directories/Groups/Users for Confluence

The Confluence application will need to authenticate users against a directory configured in Crowd. You will need to set up a directory in Crowd for Confluence. For more information on how to do this, see Adding a Directory. We will assume that the directory is called Confluence Directory for the rest of this document. It is possible to assign more than one directory for an application, but for the purposes of this example, we will use Confluence Directory to house Confluence users.

Confluence also requires particular groups to exist in the directory in order to authenticate users. You will need to create two groups in the Confluence Directory:

  1. confluence-users
  2. confluence-administrators

See the documentation on Creating Groups for more information on how to define these groups.

You also need to ensure that the Confluence Directory contains at least one user who is a member of both groups. Choose one of the two options below:

  • If you have an existing Confluence deployment and would like to import existing users and groups into Crowd, use the Confluence Importer tool by navigating to Users > Import Users > Atlassian Importer. Select 'Confluence' as the Atlassian product, and the Confluence Directory as the directory into which Confluence users will be imported. For details please see Importing Users from Atlassian Confluence.

    If you are going to import users into Crowd, you need to do this now before you proceed any further


    OR:

  • If you don't wish to import your Confluence users, make sure you use Crowd to create at least one user in the Confluence Directory and assign them to both the confluence-users and the confluence-administrators group. The Crowd documentation has more information on creating groups, creating users and assigning users to groups.

1.2 Define the Confluence Application in Crowd

Crowd needs to be aware that the Confluence application will be making authentication requests to Crowd. We need to add the Confluence application to Crowd and map it to the Confluence Directory:

  1. Log in to the Crowd Administration Console and navigate to Applications > Add Application.

  2. Complete the 'Add Application' wizard for the Confluence application. See the instructions.

    The Name and Password values you specify in the 'Add Application' wizard must match the application.name and application.password that you will set in the CONFLUENCE/confluence/WEB-INF/classes/crowd.properties file. (See Step 2 below.)

1.3 Specify which Users can Log In to Confluence

Once Crowd is aware of the Confluence application, Crowd needs to know which users can authenticate (log in) to Confluence via Crowd. As part of the 'Add Application' wizard, you will set up your directories and group authorisations for the application. If necessary, you can adjust these settings after completing the wizard. Below are some examples.

You can either allow entire directories to authenticate, or just particular groups within the directories. In our example, we will allow the confluence-users and confluence-administrators groups within the Confluence Directory to authenticate:

For details please see Specifying which Groups can access an Application.

1.4 Specify the Address from which Confluence can Log In to Crowd

As part of the 'Add Application' wizard, you will set up Confluence's IP address. This is the address which Confluence will use to authenticate to Crowd. If necessary you can add a hostname, in addition to the IP address, after completing the wizard. See Specifying an Application's Address or Hostname.

Step 2. Configuring Confluence to talk to Crowd

The instructions for step 2 below apply to Confluence 3.5 or newer. If you use Confluence 3.4 or older, please follow "Step 2" on Integrating Crowd with Atlassian Confluence 3.4 or earlier instead.

2.1 Add a Crowd Directory in Confluence

Confluence can use Crowd for user authentication simply by adding the 'Atlassian Crowd' user directory.

  1. Log in to Confluence Admin as 'confluence-administrator'.
  2. Click on the 'User Directories' label of the left bar under the 'Security' tab.
  3. Click 'Add Directory'. Then select 'Atlassian Crowd' from the dropdown list. Click 'Next'.
  4. Enter connection parameters and save. Now a new Crowd directory should appear on the user directory list.

For more information on configuring a Crowd remote directory in Confluence, check out the Confluence documentation on Connecting to Crowd or JIRA for User Management.

2.2 Enable SSO integration with Crowd (Optional)

  1. If Confluence is running, shut it down first.

  2. Now, edit the file CONFLUENCE/confluence/WEB-INF/classes/seraph-config.xml
    Comment out the line:-

    Uncomment the line:-

  3. Copy the crowd.properties file from CROWD/client/conf/ to CONFLUENCE/confluence/WEB-INF/classes.

  4. Edit CONFLUENCE/confluence/WEB-INF/classes/crowd.properties. Change the following properties:

    Key

    Value

    application.name

    confluence
    The application.name and application.password must match the Name and Password that you specified when defining the application in Crowd (see Step 1 above).

    application.password

    The application.name and application.password must match the Name and Password that you specified when defining the application in Crowd (see Step 1 above).

    crowd.base.url

    http://localhost:8095/crowd/
    If your Crowd server's port is configured differently from the default (i.e. 8095), set it accordingly.

    session.validationinterval

    This is the number of minutes between validation requests, when Crowd validates whether the user is logged in to or out of the Crowd SSO server. Set to the required number of minutes between validation requests. The recommended default is 2 minutes. Setting this value to 1 or higher will increase the performance of Crowd's integration.

    Setting this value to 0 will cause the application to perform authentication checks on each request but can cause poor performance, especially with Crowd 2.1 - Crowd 2.3.2 using REST due to CWD-2646.

It is possible to define multiple user directories in Confluence. However, if you enable SSO integration, you will only be able to authenticate as users from the Crowd server defined in the crowd.properties file.

You can read more about optional settings in the crowd.properties file.

See Crowd in Action

  • Users belonging to the confluence-users group should now be able to log in to Confluence.
  • Try adding a user to the confluence-users group using Crowd — you should be able to log in to Confluence using this newly created user. That's centralised authentication in action!
  • If you have enabled SSO, you can try adding the Confluence Directory and confluence-administrators group to the crowd application (see Mapping a Directory to an Application and Specifying which Groups can access an Application). This will allow Confluence administrators to log in to the Crowd Administration Console. Try logging in to Crowd as a Confluence administrator, and then point your browser at Confluence. You should be logged in as the same user in Confluence. That's single sign-on in action!
RELATED TOPICS

Crowd Documentation

11 Comments

Hide/Show Comments

  1. Oct 26, 2010

    Dave Thomas

    Confluence 3.3 and above apparently do not bundle [xfire-all-1.2.6|http://repository.codehaus.org/org/codehaus/xfire/xfire-all/1.2.6/xfire-all-1.2.6.jar] any more.   As a result, Confluence will not talk to Crowd properly if you're running behind a firewall and you're also trying to use Confluence to access the internet (using the UPM, for example).    In this scenario, you'll typically have a couple of settings in the environment:

    -Dhttp.proxyHost=myproxy.mydomain.com
-Dhttp.proxyPort=8080
-Dhttp.nonProxyHosts=*.mydomain.com\|localhost

    Without all the xfire components, Confluence will ignore the nonProxyHosts setting and as a result will be unable to talk to Crowd.  In order to fix this, you can either replace the existing xfire components with xfire-all or you can add xfire-java5-1.2.6.

    See http://jira.atlassian.com/browse/CONF-20877

  2. Apr 12, 2011

    gumshoes

    In older versions of Confluence (3.3 for sure) the Crowd integration had to be configured via the files:

    /confluence/WEB-INF/classes/seraph-config.xml
/confluence/WEB-INF/classes/crowd.properties

    Is it still possible to configure Crowd integration using exclusively config files in 3.5?
    I used to be able to download a new version of Confluence standalone, edit some config files, start it it up and it would be using my Crowd instance. Is this still possible with 3.5?

    Thanks

    1. Apr 12, 2011

      Sarah Maddox [Atlassian Technical Writer]

      Hallo gumshoes
      No, it's not possible to configure Crowd integration with Confluence using the XML files. Apart from the SSO integration described in step 2.2, all the configuration is done via the UI. (smile)
      Cheers
      Sarah

      1. Apr 12, 2011

        gumshoes

        Good to know. So how would you recommend users upgrade confluence then? At present I:

        1. copy prod DB to dev DB
        2. download newest Confluence (standalone)
          1. extract
          2. edit config files so that it uses dev DB and Crowd
        3. start up
        4. Confluence upgrades the DB in place
        5. I log in

        Is it possible to do something akin to the above now?
        My attempt to do it this way with 3.5 left me unable to log in at all.

        1. Apr 12, 2011

          Sarah Maddox [Atlassian Technical Writer]

          Hallo again gumshoes (smile)

          There are some instructions in the Confluence 3.5 upgrade notes. Let me know if they help, or not.

          Cheers, Sarah

          1. Apr 13, 2011

            gumshoes

            Thanks, those docs got me closer to a solution.
            I had to do one additional thing in order to upgrade and that was to update the following file:

            /confluence/WEB-INF/classes/crowd.properties

            Without this change Confluence could not find Crowd.

  3. May 24, 2011

    Anonymous

    Guys we are having Crowd 2.0.2 with Confluence 3.0.1. We plan to Upgrade Confluence. First we decided to upgrade to the latest confluence 3.5.4, saw a bug in the release version (https://jira.atlassian.com/browse/CONF-22528.) applied patch and understood later that the it needs Crowd 2.1 or above.

    Then we decided to upgrade confluence to version 3.4.9 only to avoid Crowd Upgrade and found that Confluence 3.4.9 need Crowd 2.0.7!!! http://forums.atlassian.com/thread.jspa?threadID=49848&tstart=2&messageID=257361666

    Why is that you are not providing a single compatibility table in which you clearly document which version of your product are compatible to which other version of your own products. This will enable customers like us to have less surprises! Today I have lost my time and most of off all started losing trust on your release primarily because :

    • Your QA is sounding not so fair!
    • Your documentation on Compatibility with your own other suite of product is really poor!!

    Architect,
    Banca Sella

  4. Sep 28, 2011

    Kimberly McKinnis

    Do you need a Confluence directory in Crowd if you're going to authenticate against an LDAP directory? I didn't have to create an application directory when I integrated Jira with Crowd.

  5. Oct 13, 2011

    Marco

    Are these instructions still valid for Confluence 4.0?

    1. Oct 17, 2011

      Niraj Bhawnani [Atlassian]

      Hi Marco, yes these instructions are still valid for Confluence 4.0. Are you experiencing any trouble with them?

      1. Oct 17, 2011

        Marco

        @Niraj,

        Thanks for responding.

        No we have not run into any issues but we stopped with the implementation shortly before starting on the integration with CROWD. We will resume once we received our JIRA Studio backup data as other projects had currently more priority.