Skip to end of metadata
Comment: Replaced NTLM with Kerberos and added Crucible to the AppFusions list
Go to start of metadata

The content on this page relates to platforms which are not supported for Confluence and JIRA. Consequently, Atlassian can not guarantee providing any support for these solutions. Please be aware that this material is provided for your information only and using it is done so at your own risk. Note that Crowd, as an Atlassian product, is supported.

A Single Sign On system allows users to use a single login for multiple applications. You can integrate JIRA and Confluence with the following SSO systems:

  • Crowd (Recommended) - Atlassian's single sign-on, authentication, authorisation, application provisioning and identity management framework

Additionally, people have reported some degree of success integrating the following SSO systems with JIRA and/or Confluence:

Writing a custom authenticator

JIRA and Confluence integrate with SSO system Seraph, the Atlassian authentication library. Seraph is a very simple, pluggable J2EE web application security framework developed by Atlassian and used in our products.

Seraph allows you to write custom authenticators which will accept the login creditentials of your existing single sign-on system.

A few tips for writing your own custom authenticator for Confluence:

  • For Confluence 2.2 and above you must extend com.atlassian.confluence.user.ConfluenceAuthenticator instead of the Seraph DefaultAuthenticator.
  • The authenticator should not be a plugin. It should be placed in the class path by putting it in WEB-INF/classes or as a jar in WEB-INF/lib
  • The authenticator should have a public constructor that takes no arguments.
  • Dependency injection via setters or auto-wiring by name is not available to authenticators. Use ContainerManager.getInstance(...) instead.
  • The authenticators are constructed before beans are available via ContainerManager.getInstance(...), so the getInstance method needs to be called at runtime and not in the constructor.

Existing custom authenticators

Check out these examples:

There has been discussion of integrating with Siteminder on the mailing list that may be applied to JIRA integration. All third-party code must be treated with caution - always backup your Confluence instance before use. If you create a custom SSO plugin and would like to contribute it to the user community, please let us know on a support ticket.

Discussion Forums

Seraph Discussion Forums

Using Confluence and JIRA without SSO

Confluence can also delegate user management to use JIRA logins , but this will not provide you with SSO.

11 Comments

Hide/Show Comments

  1. May 25, 2007

    Gary S. Weaver

    I confirmed Shibboleth (Internet2 SSO) works: https://spaces.internet2.edu/display/SHIB/ShibbolizedConfluence

  2. Aug 07, 2007

    Gary S. Weaver

    Have some questions about custom authenticators written for use with an SSO:

    • As a best practice, what password should be populated in the user's password field if you are autoprovisioning (automatically creating) users as part of the authenticator that is using an SSO for authentication?
      • It seems that it could be a possible security risk to leave password null or even to assign any arbitrary value to it (unless it was very unique).
      • Leaving password null appears to be a problem (issue CONF-9117) with migration of os_user to atlassian-user.
    • What is the best practice to avoid the issue of two different nodes in a cluster both checking at the same time whether a user exists and automatically provisioning the user at the same time (which would cause a unique constraint exception to be thrown from the DB driver)?
    • Should there be any preference given to overriding/implementing login() vs. getUser() in the custom authenticator for this purpose? (getUser() gets called an awful lot, so for sure if you use that, you'll want to attempt to just get and return the user from session first.)
    • Are there any suggestions as whether UserManager or UserAccessor should be used for autoprovisioning users (or creating them in general) for each of the different versions of confluence (both version#, whether using massive, and whether using os_user vs. user-atlassian schema)?

  3. May 02, 2008

    Stefan Kunz

    Is there a possibility to use SSO from a Microsoft ISA server for Jira and Confluence?

  4. Jun 30, 2008

    Brian Bukowski

    We are using Confluence 2.7 with Siteminder for SSO.  How can I remove the "password" link in Preferences > Edit Profile so that users don't have the ability to change their password?

    1. Jun 30, 2008

      Roberto Dominguez

      Administration -> General Configuration -> Security and Privacy -> External User Management set to On

      1. Jul 01, 2008

        Brian Bukowski

        Thanks for the response Roberto.  I don't want to turn External User Management on because I'd still like to manage my groups from within Confluence.  I was wondering how to remove the actual "password" link from the edit profile page.  I managed to find confluence-2.7.war/users/changemypassword.vm, but I'm not sure how to remove the link from the left-hand nav bar. 

        1. Oct 28, 2008

          Jason Koziara

          In that same vein - how can I remove the 'Forgot Password?' Link from the login page?

  5. Dec 17, 2008

    Scott Battaglia

    CAS integration with the JASIG CAS Client for Java 3.1 (Confluence)

    http://www.ja-sig.org/wiki/display/CASC/Configuring+Confluence+with+JASIG+CAS+Client+for+Java+3.1

    I'm working on the JIRA integration guide.

  6. May 05, 2009

    Mike Culbertson

    I can also confirm a successful test setup using the Confluence 2.10.3  + soulwing CAS client http://www.soulwing.org/confluence-cas.jsp +  rubycas-server http://code.google.com/p/rubycas-server

    rubycas-server took some massaging to get running, but has been working fine since then.  The soulwing CAS client is also working like a champ so far.

  7. Oct 02, 2009

    Robert Dale

    OpenSSO also works using the Atlassian Seraph authentication provider

  8. Jan 28, 2011

    Igor Dobrovolskyi

    How to configure Jira to work with Josso

    How to configure Confluence to work with Josso