Summary

This Knowledge Base Article provides you with a quick tutorial on what is necessary to set up Single Sign-On (SSO) authentication between Bamboo and Crowd.

Notes

This tutorial will follow Example 1 in Overview of SSO.

Setting up Apache

Please, find below a sample configuration in Apache setting up a VirtualHost for each of the application:

Crowd

<VirtualHost *:80>
    ServerName crowd.mydomain.com
     
    ErrorLog /etc/apache2/logs/crowd-error.log
    CustomLog /etc/apache2/logs/crowd-access.log combined
 
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
       Order deny,allow
       Allow from all
    </Proxy>
 
    ProxyPass / http://localhost:8095/
    ProxyPassReverse / http://localhost:8095/
</VirtualHost>

Bamboo

<VirtualHost *:80>
    ServerName bamboo.mydomain.com
     
    ErrorLog /etc/apache2/logs/bamboo-error.log
    CustomLog /etc/apache2/logs/bamboo-access.log combined
 
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
       Order deny,allow
       Allow from all
    </Proxy>
 
    ProxyPass / http://localhost:8085/
    ProxyPassReverse / http://localhost:8085/
</VirtualHost>

Setting up Crowd

Lets remove context path from Crowd by following Removing the 'crowd' Context from the Application URL - https://confluence.atlassian.com/x/uAVODQ

To remove the /crowd part from the URL:

1. In <crowd-install>/build.properties set the crowd.url variable to the following:

   # Crowd context root
   crowd.url=http://localhost:8095/
   

   Since you already know the DNS Crowd will be using, you can simply replace crowd.url with http://crowd.mydomain.com

2. Run <crowd-install>/build.sh (UNIX) or <crowd-install>\build.bat (Windows).

3. Change your <crowd-install>/apache-tomcat/conf/server.xml file to have the following Host section configuration

   <Engine defaultHost="localhost" name="Catalina">
        <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
              <Context path="" docBase="../../crowd-webapp" debug="0">
                    <Manager pathname="" />
              </Context>
        </Host>
   </Engine>
   

4. Perform a backup of the crowd.xml file in <crowd-install>/apache-tomcat/conf/Catalina/localhost to another directory.

5. From <crowd-install>/apache-tomcat/conf/Catalina/localhost, remove the crowd.xml file to prevent Tomcat from loading the /crowd context.

6. Append proxyName and proxyPort to <crowd-install>/apache-tomcat/conf/server.xml as per following:

   <Connector URIEncoding="UTF-8"
       acceptCount="100"
       compressableMimeType="text/html,text/xml,application/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript"
       compression="on"
       connectionTimeout="20000"
       disableUploadTimeout="true"
       enableLookups="false"
       maxHttpHeaderSize="8192"
       maxThreads="150"
       minSpareThreads="25"
       port="8095"
       redirectPort="8443"
       sendReasonPhrase="true"
       useBodyEncodingForURI="true"
       proxyName="crowd.mydomain.com"
       proxyPort="80"
       />
   

Changes in Crowd's UI

• 
  

  After the restart, in the Server Settings screen, change the base URL to http://crowd.mydomain.com and add .mydomain.com in SSO domain.

  Take note of SSO cookie name as this will be used later in Bamboo's configuration, appending attribute to crowd.properties

• 
  Create a group in Crowd called bamboo-admin
• 
  Create a user in Crowd that will have access to Bamboo
• 
  Grant membership this users by assigning it to bamboo-admin

Creating an Application in Crowd to be consumed by Bamboo

In case the information below does not cover the necessary steps to create an application, please refer to our official documentation on Adding an Application.

• 
  

  For simplicity, create a Bamboo application with:

  • Application name as bamboo
  • Application password as bamboo
• 
  Provide Bamboo's URL (http://bamboo.mydomain.com) and resolve its IP address
  
• 
  Select the the directories you are going to let this application use for authentication and authorisation.
• 
  Allow all user to authenticate and finish up by Add application in following screen.

Setting up Bamboo

Setting up proxy

Append proxyName and proxyPort to <bamboo-install>/conf/server.xml as per following:

<Connector
    protocol="HTTP/1.1"
    port="8085"
 
    maxThreads="150" minSpareThreads="25"
    connectionTimeout="20000"
    disableUploadTimeout="true"
    acceptCount="100"
 
    enableLookups="false"
    maxHttpHeaderSize="8192"
 
    useBodyEncodingForURI="true"
    URIEncoding="UTF-8"
 
    redirectPort="8443"
     
    proxyName="bamboo.mydomain.com"
    proxyPort="80"
    />

Changes in Bamboo's UI

Lets set up Bamboo to authenticate against Crowd

1. go to Bamboo administration >> Overview >> Security >> User repositories

2. select Users and groups from JIRA or Crowd

   Server URL	http://crowd.mydomain.com
   Application name	bamboo
   Application password	bamboo

crowd.properties in Bamboo

application.name                        bamboo
# application.password                    bamboo
application.login.url                   http://localhost:8095/crowd/console/
 
crowd.server.url                        http://localhost:8095/crowd/services/
 
session.isauthenticated                 session.isauthenticated
session.tokenkey                        session.tokenkey
session.validationinterval              2
session.lastvalidation                  session.lastvalidation
 
bamboo.crowd.cache.minutes              60

#Wed Mar 14 14:24:19 BRT 2018
session.lastvalidation=session.lastvalidation
session.tokenkey=session.tokenkey
crowd.server.url=http\://localhost\:8095/crowd/services/
application.name=bamboo
crowd.base.url=http\://crowd.mydomain.com
session.isauthenticated=session.isauthenticated
application.login.url=http\://localhost\:8095/crowd/console/
session.validationinterval=2
bamboo.crowd.cache.minutes=1
application.password=bamboo

Enabling SSO in Bamboo

Lets enable SSO in Bamboo by following Integrating Bamboo with Crowd - https://confluence.atlassian.com/x/IQU_EQ

To enable single sign-on (SSO), you will configure Bamboo's authentication and access request calls to use Seraph. To configure Seraph-based authentication:

1. Shut down Bamboo.
2. Edit the <bamboo-install>/atlassian-bamboo/WEB-INF/classes/seraph-config.xml

3. Comment out the authenticator node

   <!--<authenticator class="com.atlassian.bamboo.user.authentication.BambooAuthenticator"/>-->
   

4. Uncomment the following tag

   <authenticator class="com.atlassian.crowd.integration.seraph.v25.BambooAuthenticator"/>
   

5. Append the following property to  <bamboo-home>/xml-data/configuration/crowd.properties in Bamboo 7 and earlier, or to  <bamboo-shared-home>/shared/configuration/crowd.properties in Bamboo 8 and later. The value should match the SSO cookie name configured in Crowd under Single Sign-On cookie settings → SSO cookie name.

   cookie.tokenkey=crowd.token_key
   

    

   Please, follow the pattern used by the current crowd.properties configuration file. If the same is described by having equals sign as separator, the above mentioned should be appended. Otherwise, replace equals sign with tab instead.

6. Start Bamboo. Bamboo's authentication and access request calls will now be performed using Seraph.

Troubleshooting

While following this Knowledge Base Article you may come across the following known issue(s):

• Logging in to Crowd Keeps Failing and Gets Redirected Back to The Login Page