Integrating Crowd with Atlassian Bamboo

This page tells you how to connect Atlassian's Bamboo integration server to one or more directory servers through Crowd.

Currently Crowd supports centralized authentication and single sign-on for Bamboo versions 1.2.2 and later.

Please check that this documentation applies to your version of Crowd

Please check the Crowd release number in this documentation against your version of Crowd. If you are using a different version of Crowd, you can find the appropriate documentation under 'Previous Versions' on the Crowd documentation homepage.

Prerequisites

Due to incompatible atlassian-user libraries, Bamboo releases prior to 1.2.2 are not compatible with latest version of Crowd. Please upgrade to the latest version of Bamboo before attempting to integrate Crowd.

Do not deploy multiple Atlassian applications in a single Tomcat container.

Deploying multiple Atlassian applications in a single Tomcat container is not supported. We do not test this configuration and upgrading any of the applications (even for point releases) is likely to break it. There are also a number of known issues with this configuration. See this FAQ for more information.

There are also a number of practical reasons why we do not support deploying multiple Atlassian applications in a single Tomcat container. Firstly, you must shut down Tomcat to upgrade any application and secondly, if one application crashes, the other applications running in that Tomcat container will be inaccessible.

Finally, we recommend not deploying any other applications to the same Tomcat container that runs Crowd, especially if these other applications have large memory requirements or require additional libraries in Tomcat's lib subdirectory.

  1. Download and install Crowd. Refer to the Crowd installation guide for instructions. We will refer to the Crowd root folder as CROWD.
  2. Download and install Bamboo (version 1.2.2 or later). Refer to the Bamboo installation guide for instructions. We will refer to the Bamboo root folder as BAMBOO. For the purposes of this document, we will assume that you have used the Bamboo distribution (not EAR-WAR) (ie. the easier) installation method of Bamboo. If you need to install Bamboo as an EAR/WAR, simply explode the EAR/WAR and make the necessary changes as described below, then repackage the EAR/WAR.
  3. Run the Bamboo Setup Wizard, as described in the Bamboo documentation. During this setup process, you will define the Bamboo administrator's username and password. It is easier to do this before you integrate Bamboo with Crowd.
  4. After you have installed and set up Bamboo, shut Bamboo down before you begin the integration process described below.

Step 1. Configuring Crowd to Talk to Bamboo

1.1 Prepare Crowd's Directories/Groups/Users for Bamboo

  1. Create a Crowd directory: The Bamboo application will need to authenticate users against a directory configured in Crowd. You will need to set up a directory in Crowd for Bamboo. For more information on how to do this, see Adding a Directory. We will assume that the directory is called Crowd Bamboo Directory for the rest of this document. It is possible to assign more than one directory for an application, but for the purposes of this example, we will use Crowd Bamboo Directory to house Bamboo users.
  2. Add users and groups: You can either import them from your Bamboo deployment or add them manually.
    • Importing users and groups from Bamboo: If you have an existing Bamboo deployment and would like to import existing users and groups into Crowd, use the Bamboo Importer tool by navigating to Users > Import Users > Atlassian Importer. Select 'Bamboo' as the Atlassian Product and the Crowd Bamboo Directory as the directory into which Bamboo users will be imported. For details please see Importing Users from Atlassian Bamboo. (info) If you are going to import users into Crowd, you need to do this now, before you proceed any further.
    • Adding users and groups manually: Bamboo needs an administrative group to exist in the directory in order to access the administration features. You can also create an optional additional group for other users. Create the groups in the Crowd Bamboo Directory:
      • bamboo-admin
      • bamboo-user (optional)
        See the documentation on Creating Groups for more information on how to define these groups.
      • Create at least one user in the Crowd Bamboo Directory and assign the user(s) to both the bamboo-user and the bamboo-admin groups. The Crowd documentation has more information on creating groups, creating users and assigning users to groups.

1.2 Define the Bamboo Application in Crowd

Crowd needs to be aware that the Bamboo application will be making authentication requests to Crowd. We need to add the Bamboo application to Crowd and map it to the Crowd Bamboo Directory:

  1. Log in to the Crowd Administration Console and navigate to Applications > Add Application.
  2. Complete the 'Add Application' wizard for the Bamboo application. See the instructions. (info) The Name and Password values you specify in the 'Add Application' wizard must match the application.name and application.password that you will set in the crowd.properties file. You can find the crowd.properties file in either Bamboo/webapp/WEB-INF/classes/ (Bamboo 3.1 and earlier) or $BAMBOO_HOME/xml-data/configuration (Bamboo 3.2 or later). See Step 2 below.

1.3 Specify which Users can Log In to Bamboo

Once Crowd is aware of the Bamboo application, Crowd needs to know which users can authenticate (log in) to Bamboo via Crowd. As part of the 'Add Application' wizard, you will set up your directories and group authorizations for the application. If necessary, you can adjust these settings after completing the wizard. Below are some examples.

You can either allow entire directories to authenticate, or just particular groups within the directories. In our example, we will allow the bamboo-user and bamboo-admin groups within the Crowd Bamboo Directory to authenticate.

If you are not using a bamboo-user group as a security restriction, you will need to set 'Allow all to authenticate' to 'true' when mapping the directory, otherwise only bamboo-admin group members will be able to log in to Bamboo.

1.4 Specify the Address from which Bamboo can Log In to Crowd

As part of the 'Add Application' wizard, you will set up Bamboo's IP address. This is the address which Bamboo will use to authenticate to Crowd. If necessary you can add a hostname, in addition to the IP address, after completing the wizard. See Specifying an Application's Address or Hostname.

Step 2. Configuring Bamboo to Talk to Crowd

Before you begin Step 2

  • If you are using Bamboo 3.2 or later, please refer to the Bamboo instructions on Integrating Bamboo with Crowd and skip Step 2 (and all sub-steps) on this page.
  • If your Bamboo version is earlier than 1.2.2, please upgrade to the latest stable version of Bamboo.

2.1 Install the Crowd Client Libraries into Bamboo

Bamboo needs Crowd's client libraries in order to be able to delegate user authentication to the Crowd application. In some cases, you will need to modify the Bamboo application, which is stored in BAMBOO/webapp.

  1. Please check your versions of Crowd and Bamboo:
    • If you are using Bamboo 1.2.2 to 1.2.4, you will need to update the Bamboo libraries as described in this step below.
    • If you are using Bamboo 2.0 or later, the Crowd client libraries and crowd.propertiesfile are included in the Bamboo 2.0 installation download. Please check if your version of Crowd is the same version as the Crowd client library included in the Bamboo 2.x.x installation download (e.g. Bamboo 2.0 currently includes the client library for Crowd 1.3).
      • If the Crowd library versions are different, you will need to update the Bamboo libraries as described in this step below.
      • If the Crowd library versions are the same, you can skip this step.
    • Please, copy CROWD/client/crowd-integration-client-X.X.X.jar into BAMBOO/atlassian-bamboo/WEB-INF/lib directory.
    • If you are using the Crowd WAR distribution, then you will need to get the CROWD client libraries from the Crowd distribution, available on our download site.
    • Copy the Crowd client libraries and configuration files to Bamboo:

      Copy From

      Copy To

      CROWD/client/crowd-integration-client-X.X.X.jar

      BAMBOO/webapp/WEB-INF/lib   (No need to copy any crowd .jar files over for the latest Bamboo versions (after 4.0) as they already contain the needed jar files to work with Crowd)

      CROWD/client/conf/crowd.properties

      BAMBOO/webapp/WEB-INF/classes (Bamboo 3.1 and earlier) or $BAMBOO_HOME/xml-data/configuration (Bamboo 3.2 or later)

      CROWD/client/conf/crowd-ehcache.xml

      BAMBOO/webapp/WEB-INF/classes (Bamboo 3.1 and earlier) or $BAMBOO_HOME/xml-data/configuration (Bamboo 3.2 or later)

  2. For Bamboo 1.2.4 only: You will need to remove the seraph-0.7.23.jar file from Bamboo's WEB-INF/lib/ directory and replace it with the following file:
    http://repository.atlassian.com/maven2/com/atlassian/seraph/atlassian-seraph/0.10/atlassian-seraph-0.10.jar
    (Note: the 0.10 version of the Seraph JAR is newer than 0.7.23.)

2.2 Edit Bamboo's crowd.properties file

Configure the Bamboo application's properties to determine how Crowd will interact with Bamboo.

  1. Edit crowd.properties found in BAMBOO/webapp/WEB-INF/classes (Bamboo 3.1 and earlier) or $BAMBOO_HOME/xml-data/configuration(Bamboo 3.2 or later). Change the following properties:

    Key

    Value

    application.name

    bamboo
    The application.name and application.password must match the Name and Password that you specified when defining the application in Crowd (see Step 1 above).

    application.password

    The application.name and application.password must match the Name and Password that you specified when defining the application in Crowd (see Step 1 above).

    crowd.server.url

    http://localhost:8095/crowd/services/
    If your Crowd server's port is configured differently from the default (8095), set it accordingly.

    session.validationinterval

    Set to 0, if you want authentication checks to occur on each request. Otherwise set to the number of minutes between requests to validate if the user is logged in or out of the Crowd SSO server. Setting this value to 1 or higher will increase the performance of Crowd's integration.

You can read more about optional settings in the crowd.properties file.

2.3 Configure Bamboo to use Crowd's Authenticator

Now that the Crowd client libraries exist, we need to configure Bamboo to use them.

  1. Edit the atlassian-user.xml file (found in BAMBOO/webapp/WEB-INF/classes (Bamboo 3.1 and earlier) or $BAMBOO_HOME/xml-data/configuration(Bamboo 3.2 or later)) so that the contents of the file is:

    <atlassian-user>
        <repositories>
    
            <crowd key="crowd" name="Crowd Repository"/>
    
        </repositories>
    </atlassian-user>
    
  2. At this stage, Bamboo is set up for centralized authentication. If you wish to enable single sign-on (SSO) to Bamboo, refer to section 2.5 of this document.

2.4 Configure External User Management in Bamboo

For Bamboo to integrate successfully with Crowd, Bamboo's 'External User Management' option needs to be:

  • Checked if you are using an LDAP directory with Crowd and you don't have write-access in LDAP.
  • Unchecked if you are using internal Crowd directories, or Crowd with LDAP where you do have write-access.
  • Unchecked if you are using a Delegated Authentication directory.

More information:

  • Please ignore the wording on some versions of the Bamboo screens, which may imply that you should check this option.
  • In later versions of Bamboo, the option will be called 'Read-Only External User Management'.
  • Refer to the Bamboo documentation for full details of Bamboo's external management configuration.


2.5 (Optional) Enable Single Sign-On

SSO is optional

Single sign-on (SSO) is optional when integrating Bamboo and other Atlassian products with Crowd. To use centralized authentication without SSO, skip the steps below.

To enable single sign-on (SSO), you will configure Bamboo's authentication and access request calls to use Seraph. To configure Seraph-based authentication:

  1. Edit the \BAMBOO\webapp\WEB-INF\classes\seraph-config.xml
  2. Comment out the authenticator node :

    <!--<authenticator class="com.atlassian.bamboo.user.authentication.BambooAuthenticator"/>-->
    

    Please, uncomment the authenticator "com.atlassian.crowd.integration.seraph.v25.BambooAuthenticator":

    <!-- 
    If you're authenticating against a Crowd server you can use this authenticator for single sign-on.
    Enable it after configuring your Crowd properties through user management and restart Bamboo. 
    It does not support Crowd property changes at runtime. If you need to switch back to local users,
    revert the change and restart Bamboo again.
     -->
    <authenticator class="com.atlassian.crowd.integration.seraph.v25.BambooAuthenticator"/>
    

    Bamboo's authentication and access request calls will now be performed using Seraph.


2.6 (Optional) Tune the Cache

When using the atlassian-user and Crowd framework together with Bamboo, it is highly recommended that caching be enabled. Multiple redundant calls to the atlassian-user framework are made on any given request. These results can be stored locally between calls by enabling caching via the Crowd Options menu. (Note that this caching in the Crowd application is enabled by default.)

Bamboo will obtain all necessary information for the period specified by the cache configuration. If a change or addition occurs in Crowd to users, groups and roles, these changes will not be visible in Bamboo until the cache expires for that specific item (i.e. for the particular user, group or role).

(info) The default value for the application cache is 5 minutes (300 seconds). To increase the performance of your application, consider changing the cache value to one or two hours (3600 or 7200 seconds).

See Crowd in Action

Welcome to Bamboo with Crowd!

  • Users belonging to the bamboo-user group should now be able to log in to Bamboo. Try adding a user to the group using Crowd — you should be able to log in to Bamboo using this newly created user. That's centralized authentication in action!
  • If you have enabled SSO, you can try adding the Crowd Bamboo Directory and bamboo-admin group to the crowd application (see Mapping a Directory to an Application and Specifying which Groups can access an Application). This will allow Bamboo administrators to log in to the Crowd Administration Console. Try logging in to Crowd as a Bamboo administrator, and then point your browser at Bamboo. You should be logged in as the same user in Bamboo. That's single sign-on in action!
Last modified on Jul 22, 2022

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.