Atlassian's popular Confluence wiki can quickly be configured to use the atlassian-user libraries to link in single or multiple directory servers through Crowd.
Currently Crowd supports centralised authentication and single sign-on for Confluence versions 2.3 and later.
 | If you are running Confluence version 2.4.4 or earlier, you will need to upgrade the confluence/WEB-INF/lib/atlassian-user-XXXX-XX-XX.jar Atlassian User library to version 2007-04-05. The original library file will need to be backed up, removed, and then replaced with the new version. |
Prerequisites
- Download and install Crowd. Refer to the Crowd installation guide for detailed information on how to do this. We will refer to the Crowd root folder as CROWD.
- Download and install Confluence (version 2.3 or later). Refer to the Confluence installation guide for detailed information on how to do this. We will refer to the Confluence root folder as CONFLUENCE. For the purposes of this document, we will assume that the standalone (ie. the easier) installation method of Confluence has been used. If you need to install Confluence as an EAR/WAR, simply explode the EAR/WAR and make the necessary changes as described below, and repackage the EAR/WAR.
- After Confluence is set up, make sure Confluence is not running when you begin the integration process described below.
Step 1. Configuring Crowd to talk to Confluence
1.1 Prepare Crowd's Directories/Groups/Users for Confluence
The Confluence application will need to authenticate users against a directory configured in Crowd. You will need to set up a directory in Crowd for Confluence. For more information on how to do this, see 2.2 Adding a Directory. We will assume that the directory is called Confluence Directory for the rest of this document. It is possible to assign more than one directory for an application, but for the purposes of this example, we will use Confluence Directory to house Confluence users.
Confluence also requires particular groups to exist in the directory in order to authenticate users. You will need to create two groups in the Confluence Directory:
- confluence-users
- confluence-administrators
See the documentation on Creating Groups for more information on how to define these groups.
You also need to ensure that the Confluence Directory contains at least one user who is a member of both groups. You can either:
- If you have an existing Confluence deployment and would like to import existing users (principals) and groups into Crowd, use the Confluence Importer tool by navigating to Principals > Import Users > Confluence. Select the Confluence Directory as the directory into which Confluence users will be imported. For details please see 2.4.1 Importing Users from Atlassian Confluence.
If you are going to import users into Crowd, you need to do this now before you proceed any further.
OR:
- If you don't wish to import your Confluence users, make sure you use Crowd to create at least one principal in the Confluence Directory and assign them to both the confluence-users and confluence-administrators group. If you don't wish to import your JIRA users, use the Crowd Administration Console to create the three groups, then create at least one principal in the JIRA Directory and add them to the three JIRA-specific groups (above). The Crowd documentation has more information on creating groups, creating principals and assigning principals to groups.
1.2 Define the Confluence Application in Crowd
Crowd needs to be aware that the Confluence application will be making authentication requests to Crowd. We need to add the Confluence application to Crowd and map it to the Confluence Directory:
- Log in to the Crowd Administration Console and navigate to Applications > Add Application.
- Fill out the form to add the Confluence application:
| Attribute |
Description |
| Name |
The username which the application will use when it authenticates against the Crowd framework as a client. This value must be unique, i.e. it cannot be used by more than one application client. |
| Description |
A short description of the application. Note: a web URL is often helpful. |
| Active |
Only deselect this if you wish to prevent all users (from all directories) from accessing this application. |
| Password |
The password which the application will use when it authenticates against the Crowd framework as a client. |
| Default Directory |
A directory that contains relevant users. Note: additional directories can be added later. |
The Name and Password values must match the application.name and application.password that you set in the CONFLUENCE/confluence/WEB-INF/classes/crowd.properties (see Step 2 below)
1.3 Specify which users can log in to Confluence
Now that Crowd is aware of the Confluence application, Crowd needs to know which users can authenticate (log in) to Confluence via Crowd. You can either allow entire directories to authenticate, or just particular groups within the directories. In our example, we will allow the confluence-users and confluence-administrators groups within the Confluence Directory to authenticate:
For details please see 3.4 Specifying which Groups can access an Application.
1.4 Specify the address from which Confluence can log in to Crowd
Please see 3.5 Specifying an Application's Address or Hostname. Please note:
- If Confluence is on a different host to Crowd
If you are running the Confluence on a different host to Crowd, you will need to modify the permissible hosts via the Remote Addresses tab. This lists the hosts/IP addresses that are allowed to authenticate to Crowd. If Confluence is remote to Crowd, add the IP address of your Confluence server and ensure the "Status" field is set to "true". Remove the entry for localhost.
- If Confluence is on the same host as Crowd
By default, when you add an application, localhost is a permissible foreign host. However, you will also need to manually add the IP address 127.0.0.1, as incoming requests to Crowd from Confluence (both on the same, local, host) may be from the host 127.0.0.1 and not localhost. Crowd does not do a DNS lookup of the hostname; rather, it compares the values as is. Ensure the "Status" field is set to "true".
Step 2. Configuring Confluence to talk to Crowd
2.1 Install the Crowd Client Libraries into Confluence
Confluence needs Crowd's client libraries in order to be able to delegate user authentication to the Crowd application. As stated earlier, we are going to be modifying the Confluence application by editing the standalone application, which is an exploded WAR stored in CONFLUENCE/confluence.
- Copy the Crowd client libraries and configuration files to Confluence (this is described in the Client Configuration documentation). This is summarised below:
| Copy From |
Copy To |
| CROWD/client/*.jar |
CONFLUENCE/confluence/WEB-INF/lib |
| CROWD/client/conf/crowd.properties |
CONFLUENCE/confluence/WEB-INF/classes |
There is no need to copy across anything from CROWD/client/lib. All the required libraries from there already exist in Confluence versions 2.3 and later.
- This step only applies if you are using Confluence 2.5.6 or later:
Copy the file crowd-integration-bamboo-1.1.1.jar from here:
http://confluence.atlassian.com/download/attachments/198785/crowd-integration-bamboo-1.1.1.jar?version=1
to here:
CONFLUENCE/confluence/WEB-INF/lib
- Edit CONFLUENCE/confluence/WEB-INF/classes/crowd.properties. Change the following properties:
If your Crowd server's port is configured differently from the default (i.e. 8095), set it accordingly. The application.name and application.password must match the Name and Password that you specified when defining the application in Crowd (see Step 1 above).
2.2 Configure Confluence to use Crowd's Authenticator
Now that the Crowd client libraries exist, we need to configure Confluence to use them.
- This sub-step applies to Confluence 2.5.5 and earlier only:
Edit the CONFLUENCE/confluence/WEB-INF/classes/atlassian-user.xml file and uncomment the following:
<repository key="crowd" class="com.atlassian.crowd.integration.atlassianuser.CrowdRepository">
<classes>
<processor>com.atlassian.crowd.integration.atlassianuser.CrowdRepositoryProcessor</processor>
<userManager>com.atlassian.crowd.integration.atlassianuser.CrowdUserManager</userManager>
<groupManager>com.atlassian.crowd.integration.atlassianuser.CrowdGroupManager</groupManager>
<authenticator>com.atlassian.crowd.integration.atlassianuser.CrowdAuthenticator</authenticator>
<propertySetFactory>com.atlassian.crowd.integration.atlassianuser.CrowdPropertySetFactory</propertySetFactory>
<entityQueryParser>com.atlassian.crowd.integration.atlassianuser.CrowdEntityQueryParser</entityQueryParser>
</classes>
</repository>
- This sub-step applies to Confluence 2.5.6 and later only:
Edit the CONFLUENCE/confluence/WEB-INF/classes/atlassian-user.xml file and add the following new entry:
<crowd key="crowd" name="Crowd Repository"/>
- You will need to comment out the other repositories, eg:
This will tell Confluence to use Crowd's user repository for user management.
- At this stage, Confluence is set up for centralised authentication. If you wish to enable single sign-on (SSO) to Confluence, edit CONFLUENCE/confluence/webapp/WEB-INF/classes/seraph-config.xml. Change the authenticator node to read:
<authenticator class="com.atlassian.crowd.integration.seraph.ConfluenceAuthenticator"/>
Confluence's authentication and access request calls will now be performed using Seraph.
2.3 Enable Confluence's 'External User Management'
Once the setup is complete, you may optionally wish to enable a Confluence feature known as 'External User Management', to prevent Confluence administrators from creating/modifying principals. For more information please see the Confluence documentation regarding External User Management.
| If you have imported Confluence users into Crowd, you may want to delay turning on 'External User Management' for a week or two, to give users time to reset their passwords. (Because users' passwords are encrypted in Confluence's database, they will not be copied across to Crowd.) |
See Crowd in Action
- You should now be able to login using principals belonging to the confluence-users group. Try adding a principal to the group using Crowd — you should be able to login to Confluence using this newly created principal. That's centralised authentication in action!
- If you have enabled SSO, you can try adding the Confluence Directory and confluence-administrators group to the crowd application (see 3.3 Mapping a Directory to an Application and 3.4 Specifying which Groups can access an Application). This will allow Confluence administrators to log in to the Crowd Administration Console. Try logging in to Crowd as a Confluence administrator, and then point your browser at Confluence. You should be logged in as the same principal in Confluence. That's single sign-on in action!
Related Topics
Crowd 1.0 Documentation
Comments (14)
Nov 28, 2006
Anonymous says:
It looks like the httpclient library that comes with Confluence (commonshttpclie...It looks like the httpclient library that comes with Confluence (commons-httpclient-2.0.2.jar) doesn't work with the Crowd integration. It works ok if you get rid of that one and add the 3.0 version (commons-httpclient-3.0.jar) from Crowd. I'm using Confluence 2.2.2.
Dec 27, 2006
Justen Stepka says:
It appears there are also conflicts with other libs, where you will want to use ...It appears there are also conflicts with other libs, where you will want to use the following versions of jars:
Make sure there are not two different versions of the same library or Confluence will fail to property load.
Jan 17, 2007
Collin Summers says:
If we are using LDAP today for all of our users what happens if I move to Crowd?...If we are using LDAP today for all of our users what happens if I move to Crowd? How should one go about migrate from direct LDAP to Crowd?
I am worried about losing the links between people and the content they created as well as space permissions.
Jan 23, 2007
Justen Stepka says:
So long as the user names are the same all relationships will remain the same. I...So long as the user names are the same all relationships will remain the same.
If you remove a user in the future confluence will displace the username as 'Anonymous'.
Jan 24, 2007
Bart says:
Is that just the label that will change to 'Anonymous', or is it a irreversible ...Is that just the label that will change to 'Anonymous', or is it a irreversible change of Confluence data? What happens if the username is added again to a directory in a later moment? Will the username be displaced back by the original creator or modifier name? How is Jira handling this? What do you mean in the future? How is it working then today?
Feb 02, 2007
Dan Hardiker says:
I've got Crowd 0.7.2 running fine and I have it integrated with 3 applications: ...I've got Crowd 0.7.2 running fine and I have it integrated with 3 applications:
Crowd, JIRA, and Confluence v2.3.1 are all on the same machine - Confluence v2.2.4 is on the same LAN. Access to crowd is behind Apache 2 with mod_proxy.
I have turned on External User Management in Confluence (although I would like to reverse that as I want to use the normal Confluence user management API so that user/group managing plugins still work) but this has made no effect.
While monitoring the Apache logs around Crowd I notice:
It should be noted that I measured these by clearing the Apache log before the request, making the request and then counting the lines that were in the log file after the page had loaded.
It should also be noted that we are using the Builder theme which does a fair amount of permission checking when building the menus - however this should still be cached effectively to negate the impact.
Am I doing something wrong? I am sure this isn't the performance I can expect!
Feb 02, 2007
Guy Fraser says:
With regards to Builder menus, they do herds of permission checks depending on w...With regards to Builder menus, they do herds of permission checks depending on which menu items are used. However, they cache internally to avoid repeat checks on permissions for the same page view.
Feb 02, 2007
Dan Hardiker says:
Even if they weren't cached by Builder, I would expect the Crowd client to be ca...Even if they weren't cached by Builder, I would expect the Crowd client to be caching them so that they were still only requested inside of the application (removing redundant checks from causing consultation with the Crowd server).
I can clearly see the option in the Crowd configuration site for setting the caching on the server, but are there similar settings for the client?
Feb 02, 2007
Justen Stepka says:
You will want to make sure you have caching enabled in the server or else the cl...You will want to make sure you have caching enabled in the server or else the client will not cache any downloaded data from the Crowd server.
Feb 02, 2007
Dan Hardiker says:
I've found that Confluence can manage Crowd if I don't turn off the External Use...I've found that Confluence can manage Crowd if I don't turn off the External User Management ... are there any unexpected side effects to doing this?
I cant say I've noticed any performance differences regardless of this settings state.
Feb 13, 2007
Juha Sadeharju says:
Using Confluence 2.3.2 and Crowd 0.4.4, I cannot view my own profile or preferen...Using Confluence 2.3.2 and Crowd 0.4.4, I cannot view my own profile or preferences. Says "You are not permitted to perform this operation." Everything else seems to work (surprisingly well).
If this is a configuration issue, does anyone know where and what to look for?
Feb 23, 2007
Anonymous says:
I am having the exact same problem as well using Confluence and Crowd. One other...I am having the exact same problem as well using Confluence and Crowd.
One other issue i noticed (feel free to examine on your machine) is that only creators of spaces are allowed access to the "Space Admin" page. I noticed this when I imported a site that was created from another user (not in the LDAP directory), and now there is no way to delete the site since I cannot administer it.
Anyone else run into this problem as well?
Feb 23, 2007
Juha Sadeharju says:
I got rid of that problem. When I was experiencing that issue I was running a st...I got rid of that problem. When I was experiencing that issue I was running a standalone Confluence with HSQLdb, in Windows.
Did a fresh install to RHEL4 using mysql and the problem disappeared.
I think I did the configs exactly the same, so afaik the only variables that changed were OS and database.
Feb 21, 2007
Anonymous says:
For anyone who is stuck with "Repository key cannot be null", please be aware th...For anyone who is stuck with "Repository key cannot be null", please be aware that the newer builds of Confluence to not include key="crowd" in atlassian-user.xml
I noticed that a lot of newer releases of Confluence and JIRA already have the crowd code included it's just commented out.