Troubleshooting SSO with Crowd

Please follow the steps below to troubleshoot problems with SSO (single sign-on) in Crowd:

  1. Confirm that you can log in to each application with the same username and password.
    • In Crowd, click 'Applications' to view the Application Browser.
    • Click 'View' next to the application.
    • Click the 'Authentication Test' tab and follow these instructions.
  2. Set each application to use centralized SSO authentication, as follows. Ensure that each Atlassian application's WEB-INF/classes/seraph-config.xml file is using the Crowd's com.atlassian.crowd authenticator class. For example in Jira, instead of this:

    <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/>
    


    you should have this:

    <authenticator class="com.atlassian.jira.security.login.SSOSeraphAuthenticator"/>
    

    Please, see our Adding an Application Tutorial page to check the SSO authenticator classes for other applications. 


  3. If you are using a reverse proxy in front of any of the applications, you'll need to make sure that the host header is preserved in the forward. For example, in an Apache reverse proxy, you need to enable the "ProxyPreserveHost" option, and in IIS you need to use "Application Request Routing" to achieve the same.
  4. Once each application is using centralized authentication, confirm you can log in to each application with the same username and password.
  5. Inside of Crowd, ensure that each application is configured to use the same user directory. SSO will not work if you log in to Confluence through one user directory, but Jira through a different user directory, even if the usernames are identical.
  6. Ensure that each application is using the same sub-domain. For example:
    • Jira -> jira.example.com
    • Confluence -> confluence.example.com
    • Crowd -> crowd.example.com

    (info) SSO will only work with applications on the same sub-domain. Why? Crowd uses a cookie to manage SSO and your browser only has access to cookies in the same sub domain, e.g. *.example.com.

    This is the value that you set in the Domain property (e.g. .example.com) for Crowd to enable SSO. This is covered in the documentation on configuring the domain.

  7. Check if the "Require Consistent Client IP Address" is enabled in the Session configuration. If it is, try disabling it and test SSO.

Still having trouble?

If the above steps have not solved your problem, please gather some debugging information as described below before contacting Atlassian support:

  1. In Crowd, go to 'Administration' -> 'Logging & Profiling'. Change the com.atlassian.crowd package to DEBUG.
  2. Replicate the SSO problem you are having.
  3. Please raise a support issue on our Support System, attaching your {CROWD HOME}/logs/atlassian-crowd.log file with the debug information gathered.
RELATED TOPICS

Overview of SSO

Last modified on Oct 15, 2020

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.