Connect Bitbucket to Crowd
You can configure Bitbucket Data Center and Server to use Atlassian Crowd for user and group management, and for authentication and authorization.
Atlassian Crowd is an application security framework that handles authentication and authorization for your web-based applications. With Crowd you can integrate multiple web applications and user directories, with support for single sign-on (SSO) and centralized identity management. See the Crowd Administration Guide.
Connect to Crowd if you want to use Crowd to manage existing users and groups in multiple directory types, or if you have users of other web-based applications.
See also this information about deleting users and groups in Bitbucket.
Connecting Atlassian Bitbucket to your external directory is not sufficient to allow your users to log in to Bitbucket. You must explicitly grant them access to Bitbucket in the global permission screen.
We recommend that you use groups instead of individual accounts when granting permissions. However, be careful not to add more users to those groups that your Bitbucket license allows. If the license limit is exceeded, your developers will not be able to push commits to repositories, and Bitbucket will display a warning banner. See this FAQ.
On this page:
Find out how easy, scalable and effective it can be with Crowd Data Center!
See centralized user management.
To connect Bitbucket to Crowd:
- Log in as a user with 'Admin' permission.
- In the Bitbucket administration area, click User Directories (under 'Accounts').
- Click Add Directory and select Atlassian Crowd.
- Enter settings, as described below.
- Test and save the directory settings.
- Define the directory order, on the Directories tab, by clicking the blue up- and down-arrows next to each directory. The directory order has the following effects:
- The order of the directories is the order in which they will be searched for users and groups.
- Changes to users and groups will be made only in the first directory where the application has permission to make changes.
- (Optional) To allow Crowd users to login via SSO:
- Navigate to Applications and select the Bitbucket application that was added.
- In the Options tab, select Allow to generate user tokens.
Server settings
Setting | Description |
---|---|
Name | A meaningful name that will help you to identify this Crowd server amongst your list of directory servers. Examples:
|
Server URL | The web address of your Crowd console server. Examples:
|
Application Name | The name of your application, as recognized by your Crowd server. Note that you will need to define the application in Crowd too, using the Crowd administration Console. See the Crowd documentation on adding an application. |
Application Password | The password which the application will use when it authenticates against the Crowd framework as a client. This must be the same as the password you have registered in Crowd for this application. See the Crowd documentation on adding an application. |
Crowd permissions
Bitbucket offers Read Only permissions for Crowd directories. The users, groups and memberships in Crowd directories are retrieved from Crowd and can only be modified from Crowd. You cannot modify Crowd users, groups or memberships using the Bitbucket administration screens.
For local Bitbucket directories, Read Only and Read/Write permissions are available.
Advanced settings
Setting | Description |
---|---|
Enable Nested Groups | Enable or disable support for nested groups. Before enabling nested groups, please check to see if the user directory or directories in Crowd support nested groups. When nested groups are enabled, you can define a group as a member of another group. If you are using groups to manage permissions, you can create nested groups to allow inheritance of permissions from one group to its sub-groups. |
Enable Incremental Synchronization | Enable or disable incremental synchronization. Only changes since the last synchronization will be retrieved when synchronizing a directory. Note that full synchronization is always executed when restarting the application. |
Synchronization Interval (minutes) | Synchronization is the process by which the application updates its internal store of user data to agree with the data on the directory server. The application will send a request to your directory server every x minutes, where 'x' is the number specified here. The default value is 60 minutes. |
Single sign-on (SSO) with Crowd
Once the Crowd directory has been set up, you can enable Crowd SSO integration by adding the following setting to shared/bitbucket.properties
in the home directory (create this file if it doesn't exist yet):
# Whether SSO support should be enabled or not. Regardless of this setting SSO authentication
# will only be activated when a Crowd directory is configured in Bitbucket that is configured
# for SSO.
plugin.auth-crowd.sso.enabled=true
You'll also need to configure the Bitbucket application in Crowd to allow authentication with user tokens. In Crowd, navigate to Applications and select the linked Bitbucket application. From the Options tab, select the Allow to generate user tokens checkbox.
Please note that you will need to correctly set up the domains of the applications involved in SSO. See Crowd SSO Domain examples.
In addition to this property, Crowd SSO integration can be tuned using the system properties described on Bitbucket config properties.
Using multiple directories
When Bitbucket is connected to Crowd you can map Bitbucket to multiple user directories in Crowd.
For Crowd 2.8, and later versions, there are two different membership schemes that Crowd can use when multiple directories are mapped to an integrated application, and duplicate user names and group names are used across those directories. The schemes are called 'aggregating membership' and 'non-aggregating membership' and are used to determine the effective group memberships that Bitbucket uses for authorization. See Effective memberships with multiple directories for more information about these two schemes in Crowd.
Note that:
- Authentication, for when Bitbucket is mapped to multiple directories in Crowd, only depends on the mapped groups in those directories – the aggregation scheme is not involved at all.
- For inactive users, Bitbucket only checks if the user is active in the first (highest priority) directory in which they are found to determine authentication. The membership schemes described above are not used when Crowd determines if a user should have access to Bitbucket.
- When a user is added to a group, they are only added to the first writeable directory available, in priority order.
- When a user is removed from a group, they are only removed from the group in the first directory the user appears in, when non-aggregating membership is used. With aggregating membership, they are removed from the group in all directories the user exists in.
An administrator can set the aggregation scheme that Bitbucket uses when integrated with Crowd. Go to the Directories tab for the Bitbucket instance in Crowd, and check Aggregate group memberships across directories to use the 'aggregating membership' scheme. When the checkbox is clear 'non-aggregating membership' is used.
Note that changing the aggregation scheme can affect the authorization permissions for your users, and how directory update operations are performed.