Crowd SSO 2.0

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

Single sign-on (SSO) authentication allows you to use a single set of credentials to access multiple applications. The SSO service authenticates you for all the application you’ve been given rights to and eliminates any further prompts for authentication during the same session. Crowd’s SSO 2.0 allows you to access Jira, Jira Service Desk, Bitbucket, and Confluence across different domains both Server and Data Center with one common login page.



The SSO 2.0 functionality is available with Crowd Data Center

Once you configure SSO 2.0 in Crowd Data Center, you can use it to access Server and Data Center applications. If you are not a Crowd Data Center license holder, you can create your evaluation license for Crowd Data Center and take Crowd for a spin. You can get your free Crowd Data Center evaluation license from Atlassian license evaluation page.

Before you begin

  • To enable SSO 2.0 for your application, you must perform configuration on the Crowd side and on the application side.
  • Make sure you're using Crowd version 3.4 or later. You can download the latest version of Crowd here.
  • You must upgrade the Crowd and SAML Single Sign-On 2.0 plugin for every application for which you want to use SSO 2.0. Go to Atlassian Marketplace.
  • Only users existing in Crowd user directory can use SSO 2.0. Make sure that users from your application's individual user directories also exist in Crowd user directory. To avoid any potential conflicts, mapping of user directories on the application side and Crowd must be identical.
  • To access their applications using SSO 2.0 users must have permission to access Crowd as well. It’s enough to give your users basic Crowd log in rights. For security reasons, we advise to check if your users don’t fall into the Crowd admin group.
  • From the Crowd and SAML Single Sign-On 2.0 plugin configuration section in your application, copy the application details.

    Learn how to do this...

    1. In your application, go to Configuration > System > SSO 2.0.

    2. Copy the following data to clipboard. You will need to copy this in Crowd SSO 2.0 configuration later.

    • Assertion Consumer Service URL


To enable SSO 2.0 in Crowd:

  1. In Crowd top navigation, click Applications.
  2. Select the application you want to perform the SSO configuration for.

  3. In the application settings, click the SSO tab.

  4. Select the SSO Enabled checkbox.

  5. Copy the Application Details from your Crowd and SAML Single Sign-On 2.0 configuration section in your application.

    Show me how to do this...

    1. In your application, go to Configuration > System > SSO 2.0.

    2. Copy the following data to clipboard.

    • Assertion Consumer Service URL
    3.Paste copied data to the Application details section in Crowd SSO tab for your application.
  6. From the Crowd SSO tab, copy the following SSO information:
    • SSO issuer
    • IdP SSO URL
    • Certificate



  7. Paste the copied SSO information to your SSO 2.0 plugin for your application.

    See an example...

    In Jira:

    1. Go to > System SSO 2.0.

    2. Paste the copied SSO information to the relevant fields:

    Crowd's certificate is by default valid for 5 years. After that time, you'll have to regenerate the certificate and manually copy it over to individual applications for which you want to use SSO 2.0. In case of a security breach, for safety reasons we suggest that you regenerate the certificate and copy it to your applications immediately. For information on how to reset the certificate, see Crowd REST API Reference.

    Remember that a regenerated certificate needs to be again provided in all application you want to use SSO with.

  8. Click Save


Next steps

  • To access their applications using SSO 2.0 users must also have the permission to access Crowd. It’s enough to give your users basic Crowd login rights. We advice taking extra care when copying permissions from your application to Crowd so that the group does unauthorized users don't get admin permissions.
  • You can test SSO 2.0 before enabling it for all users.

    How to do it...

    1. In you application configuration, go to the SSO 2.0 plugin settings.

    2. For Crowd SSO 2.0 behaviour logging in mode, select Use Crowd SSO 2.0 as secondary authentication.

    This will allow you to test if the configuration works properly before redirecting all your users to the new flow.

    3. Save configuration.

    Once the settings are saved, you can try to log in as one of the users using the link provided in the Crowd SSO 2.0 behavior configuration under the secondary authentication option. See the screenshot.


    The link redirects you through https://jira.yourdomain.com/plugins/servlet/external-login to the common login page provided by Crowd SSO 2.0 that will be used for every user to access Jira, Confluence, Bitbucket or any other application connected and configured in Crowd SSO 2.0 once Crowd SSO 2.0 is selected as primary authentication.

    Once you can log in successful through that new common login page from Crowd, you can go back to your application configuration in section SSO 2.0 and change the settings for Crowd SSO 2.0 behavior to: Use Crowd SSO 2.0 as primary authentication and save your configuration.
    From now on everyone using this application will log in through Crowd SSO 2.0 common login screen.



Last modified on Dec 11, 2019

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.