Single Sign-on Integration with JIRA and Confluence

A Single Sign On system allows users to use a single login for multiple applications. You can integrate JIRA and Confluence with the following SSO systems:

  • Crowd (Recommended) - Atlassian's single sign-on, authentication, authorisation, application provisioning and identity management framework

Additionally, people have reported some degree of success integrating the following SSO systems with JIRA and/or Confluence:

JIRA and Confluence integrate with SSO system Seraph, the Atlassian authentication library. Seraph is a very simple, pluggable J2EE web application security framework developed by Atlassian and used in our products.

Seraph allows you to write custom authenticators which will accept the login creditentials of your existing single sign-on system.

For Confluence 2.2 and above you must extend com.atlassian.confluence.user.ConfluenceAuthenticator instead of the Seraph DefaultAuthenticator.


You can browse user-contributed SSO plugins or check out these examples:

There has been discussion of intergrating with Siteminder on the mailing list that may be applied to JIRA integration. All third-party code must be treated with caution - always backup your Confluence instance before use. If you create a custom SSO plugin and would like to contribute it to the user community, please let us know on a support ticket.

Discussion Forums

Seraph Discussion Forums

Using Confluence and JIRA without SSO

Confluence can also delegate user management to use JIRA logins , but this will not provide you with SSO.

Labels

authentication authentication Delete
seraph seraph Delete
sso sso Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.

Comments (10)

 

  1. May 25, 2007

    Gary S. Weaver says:

    I confirmed Shibboleth (Internet2 SSO) works: https://spaces.internet2.edu/displ...

    I confirmed Shibboleth (Internet2 SSO) works: https://spaces.internet2.edu/display/SHIB/ShibbolizedConfluence

  2. Aug 07, 2007

    Gary S. Weaver says:

    Have some questions about custom authenticators written for use with an SSO: A...

    Have some questions about custom authenticators written for use with an SSO:

    • As a best practice, what password should be populated in the user's password field if you are autoprovisioning (automatically creating) users as part of the authenticator that is using an SSO for authentication?
      • It seems that it could be a possible security risk to leave password null or even to assign any arbitrary value to it (unless it was very unique).
      • Leaving password null appears to be a problem (issue CONF-9117) with migration of os_user to atlassian-user.
    • What is the best practice to avoid the issue of two different nodes in a cluster both checking at the same time whether a user exists and automatically provisioning the user at the same time (which would cause a unique constraint exception to be thrown from the DB driver)?
    • Should there be any preference given to overriding/implementing login() vs. getUser() in the custom authenticator for this purpose? (getUser() gets called an awful lot, so for sure if you use that, you'll want to attempt to just get and return the user from session first.)
    • Are there any suggestions as whether UserManager or UserAccessor should be used for autoprovisioning users (or creating them in general) for each of the different versions of confluence (both version#, whether using massive, and whether using os_user vs. user-atlassian schema)?

  3. May 02, 2008

    Stefan Kunz says:

    Is there a possibility to use SSO from a Microsoft ISA server for Jira and ...

    Is there a possibility to use SSO from a Microsoft ISA server for Jira and Confluence?

  4. Jun 30, 2008

    Brian Bukowski says:

    We are using Confluence 2.7 with Siteminder for SSO.  How can I remove the ...

    We are using Confluence 2.7 with Siteminder for SSO.  How can I remove the "password" link in Preferences > Edit Profile so that users don't have the ability to change their password?

    1. Jun 30, 2008

      Roberto Dominguez says:

      Administration -> General Configuration -> Security and Privacy -> Exte...

      Administration -> General Configuration -> Security and Privacy -> External User Management set to On

      1. Jul 01, 2008

        Brian Bukowski says:

        Thanks for the response Roberto.  I don't want to turn External User Manage...

        Thanks for the response Roberto.  I don't want to turn External User Management on because I'd still like to manage my groups from within Confluence.  I was wondering how to remove the actual "password" link from the edit profile page.  I managed to find confluence-2.7.war/users/changemypassword.vm, but I'm not sure how to remove the link from the left-hand nav bar. 

        1. Oct 28, 2008

          Jason Koziara says:

          In that same vein - how can I remove the 'Forgot Password?' Link from the login ...

          In that same vein - how can I remove the 'Forgot Password?' Link from the login page?

  5. Dec 17, 2008

    Scott Battaglia says:

    CAS integration with the JASIG CAS Client for Java 3.1 (Confluence) http://www....

    CAS integration with the JASIG CAS Client for Java 3.1 (Confluence)

    http://www.ja-sig.org/wiki/display/CASC/Configuring+Confluence+with+JASIG+CAS+Client+for+Java+3.1

    I'm working on the JIRA integration guide.

  6. May 05, 2009

    Mike Culbertson says:

    I can also confirm a successful test setup using the Confluence 2.10.3  + s...

    I can also confirm a successful test setup using the Confluence 2.10.3  + soulwing CAS client http://www.soulwing.org/confluence-cas.jsp +  rubycas-server http://code.google.com/p/rubycas-server

    rubycas-server took some massaging to get running, but has been working fine since then.  The soulwing CAS client is also working like a champ so far.

  7. Oct 02

    Robert Dale says:

    OpenSSO also works using the Atlassian Seraph authentication provider

    OpenSSO also works using the Atlassian Seraph authentication provider