
The content on this page relates to platforms which are not supported for Confluence and JIRA. Consequently, Atlassian cannot guarantee support for these solutions. This material is provided for your information only, and you use it at your own risk. Note that Crowd, as an Atlassian product, is supported.

A Single Sign On system allows users to use a single login for multiple applications. You can integrate JIRA and Confluence with the following SSO systems:

  • Crowd (Recommended) - Atlassian's single sign-on, authentication, authorisation, application provisioning and identity management framework

Additionally, people have reported some degree of success integrating the following SSO systems with JIRA and/or Confluence:

Writing a custom authenticator

JIRA and Confluence integrate with SSO systems through Seraph, the Atlassian authentication library. Seraph is a very simple, pluggable J2EE web application security framework developed by Atlassian and used in our products.

Seraph allows you to write custom authenticators which will accept the login credentials of your existing single sign-on system.

A few tips for writing your own custom authenticator for Confluence:

  • For Confluence 2.2 and above you must extend com.atlassian.confluence.user.ConfluenceAuthenticator instead of the Seraph DefaultAuthenticator.
  • The authenticator should not be a plugin. It should be placed on the classpath, either as a class in WEB-INF/classes or as a jar in WEB-INF/lib.
  • The authenticator should have a public constructor that takes no arguments.
  • Dependency injection via setters or auto-wiring by name is not available to authenticators. Use ContainerManager.getInstance(...) instead.
  • The authenticators are constructed before beans are available via ContainerManager.getInstance(...), so the getInstance method needs to be called at runtime and not in the constructor.
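
A skeleton that follows the tips above, added here as an illustration and not Atlassian's or any contributor's code. It assumes a fronting SSO layer has already authenticated the request and that the container exposes the name through getRemoteUser(); the package, class name, "userAccessor" bean key and the static ContainerManager.getComponent(...) lookup are assumptions to check against the Confluence version you deploy.

```java
package com.example.sso; // hypothetical package name

import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.atlassian.confluence.user.ConfluenceAuthenticator;
import com.atlassian.confluence.user.UserAccessor;
import com.atlassian.spring.container.ContainerManager;

public class RemoteUserAuthenticator extends ConfluenceAuthenticator {
    // Resolved on first request, never in the constructor: authenticators are
    // constructed before the container can hand out beans.
    private volatile UserAccessor userAccessor;

    public RemoteUserAuthenticator() {
        // Public no-argument constructor; no bean lookups here.
    }

    private UserAccessor userAccessor() {
        if (userAccessor == null) {
            // Assumed bean key; no setter injection or auto-wiring is available.
            userAccessor = (UserAccessor) ContainerManager.getComponent("userAccessor");
        }
        return userAccessor;
    }

    @Override
    public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
        // Return the principal already stored in the session, if any.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(LOGGED_IN_KEY) instanceof Principal) {
            return (Principal) session.getAttribute(LOGGED_IN_KEY);
        }
        // Use only the container-established identity, not a client-supplied
        // header or parameter, and fail closed when it is absent.
        String name = request.getRemoteUser();
        if (name == null || name.trim().isEmpty()) {
            return null;
        }
        Principal user = userAccessor().getUser(name.trim());
        if (user == null) {
            return null; // unknown to Confluence: treat as anonymous
        }
        session = request.getSession(true);
        session.setAttribute(LOGGED_IN_KEY, user);
        session.removeAttribute(LOGGED_OUT_KEY);
        return user;
    }
}
```

Seraph loads the class named in the authenticator element of WEB-INF/classes/seraph-config.xml, so the compiled class or jar has to be in place before the application starts.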

Existing custom authenticators

Check out these examples:

There has been discussion of integrating with Siteminder on the mailing list that may be applied to JIRA integration. All third-party code must be treated with caution - always back up your Confluence instance before use. If you create a custom SSO plugin and would like to contribute it to the user community, please let us know on a support ticket.

Discussion Forums

Seraph Discussion Forums

Using Confluence and JIRA without SSO

Confluence can also delegate user management to use JIRA logins, but this will not provide you with SSO.

19 Comments

  1. Have some questions about custom authenticators written for use with an SSO:

    • As a best practice, what password should be populated in the user's password field if you are autoprovisioning (automatically creating) users as part of the authenticator that is using an SSO for authentication?
      • It seems that it could be a possible security risk to leave password null or even to assign any arbitrary value to it (unless it was very unique).
      • Leaving password null appears to be a problem (issue CONF-9117) with migration of os_user to atlassian-user.
    • What is the best practice to avoid the issue of two different nodes in a cluster both checking at the same time whether a user exists and automatically provisioning the user at the same time (which would cause a unique constraint exception to be thrown from the DB driver)?
    • Should there be any preference given to overriding/implementing login() vs. getUser() in the custom authenticator for this purpose? (getUser() gets called an awful lot, so for sure if you use that, you'll want to attempt to just get and return the user from session first.)
    • Are there any suggestions as to whether UserManager or UserAccessor should be used for autoprovisioning users (or creating them in general) for each of the different versions of Confluence (both version#, whether using massive, and whether using os_user vs. user-atlassian schema)?
  2. Is there a possibility to use SSO from a Microsoft ISA server for Jira and Confluence?

  3. We are using Confluence 2.7 with Siteminder for SSO.  How can I remove the "password" link in Preferences > Edit Profile so that users don't have the ability to change their password?

    1. Administration -> General Configuration -> Security and Privacy -> External User Management set to On

      1. Thanks for the response Roberto.  I don't want to turn External User Management on because I'd still like to manage my groups from within Confluence.  I was wondering how to remove the actual "password" link from the edit profile page.  I managed to find confluence-2.7.war/users/changemypassword.vm, but I'm not sure how to remove the link from the left-hand nav bar. 

        1. In that same vein - how can I remove the 'Forgot Password?' Link from the login page?

  4. CAS integration with the JASIG CAS Client for Java 3.1 (Confluence)

    http://www.ja-sig.org/wiki/display/CASC/Configuring+Confluence+with+JASIG+CAS+Client+for+Java+3.1

    I'm working on the JIRA integration guide.

  5. I can also confirm a successful test setup using the Confluence 2.10.3  + soulwing CAS client http://www.soulwing.org/confluence-cas.jsp +  rubycas-server http://code.google.com/p/rubycas-server

    rubycas-server took some massaging to get running, but has been working fine since then.  The soulwing CAS client is also working like a champ so far.

  6. TechTime Initiative Group, an Atlassian Expert in New Zealand has been providing a solution to do NTLM authentication with Confluence and Jira for over 6 years. Though one can argue that this is not an SSO solution but merely an auto-login one, it works well in Windows-based environments.

    We have over 60 customers successfully using this solution in New Zealand, Australia, Switzerland, Finland, Norway, Sweden, France, Germany, Netherlands, Slovenia, Czech Republic, Turkey, Russia, Latvia, the UK and the USA both in NTLMv2 and NTLMv1 environments with and without Crowd in the backend.

    The NTLM Authenticator is delivered as a jar file with instructions on how to deploy it to Atlassian Jira and/or Confluence to work in conjunction with IOPlex Jespa to perform NTLM authentication in a Windows environment.

    The cost is one-off NZ$150 (plus fees for Jespa license payable to IOPlex). We do sell bundles that include IOPlex Jespa license.

    If you need it, the trial version is available from our TurningRight website. Our NTLM Authenticators for Jira and Confluence support the latest versions of both applications.

    We are currently working on moving it to Marketplace (Jan/Feb 2014) and as byproduct eventually making it support the rest of Atlassian tools (planned for 2nd quarter of 2014)

  7. Note: the link titled "Shibboleth Plugin" should be now titled "Confluence HTTP Authenticator". Previously, it was called "Confluence Shibboleth Authenticator" and "Shibboleth Authenticator for Confluence". It was never really Shibboleth-specific. It is a fairly generic HTTP(S) SSO authenticator with some cool features.

  8. The hyperlink 'mailing list' is not working.

  9. A couple of years ago we built a Kerberos plugin for JIRA/Confluence. The plugin is a version 2 plugin (you don't have to restart the application) and is built with a test tool for troubleshooting and also comes with help text to get you all up and running quickly. We have reached a point where we are thinking of selling or providing the plugin for free. If there's an interest for the plugin to be provided in any way, please send me an email at kerberospluginforjiraandconfluence@kantega.no

  10. The plugin has just been released to Atlassian Marketplace. We wish to thank all the people who have provided useful feedback in the testing process. Feel free to test the plugin from Atlassian Marketplace from now on. Feedback is highly appreciated!

  11. We've also just released a plugin which supports SAML 2.0 with JIRA & Confluence. Originally our sister companies used it internally until we decided that it may be a useful product for a wider audience.

    Certainly feel free to test it via the Marketplace - if you want to purchase, let me know at c.reichert@resolution.de and I will create a 50% discount code for you as an early adopter.

    Cheers, 

        Chris