Eduix / crowd-shibboleth-module

Shibboleth authentication module and accompanying plugin for Atlassian Crowd

Documentation #2

Closed smoitozo closed 7 years ago

smoitozo commented 10 years ago

I've been working with the shibboleth-filter and shibboleth-filter-config modules this week and have written some documentation for newbies (like me) who need to know how to build it. Can I contribute the documentation to the project?

Also, I have some questions:

scalesm commented 10 years ago

I am not sure I follow the part about JIRA and Crowd, but yes, you need the nordunet module. It goes in the %crowd-home%/plugins folder. Note that this folder is in Crowd's HOME folder and not the app folder.

I think the documentation wiki pages are open for anyone to publish to.

smoitozo commented 10 years ago

Thank you for the quick response and the clue about the plugins folder; I was looking in the wrong place.

We have a number of non-Atlassian SAML-enabled applications in our environment. I am attempting to bridge our Atlassian products into our SAML environment by plugging instances of Confluence, JIRA, Stash, Bamboo, etc into a SAML-enabled Crowd.

I have Crowd working with SAML using the shibboleth-filter module and can log into the Crowd console via SAML. I got that working without having nordunet-sso in the plugins directory. I have since built the nordunet-sso plugin and installed it in Crowd and verified that it's being loaded.

However, when I connect JIRA to Crowd I'm not seeing any indication that SSO is working. I just get dropped on the JIRA login page. I have followed the instructions from Atlassian and verified that centralized authentication is working (entering user/pass into JIRA to be authenticated against Crowd, when the user is a Crowd user). However I cannot seem to get JIRA to redirect the user to Crowd for authentication. Editing the seraph-conf.xml file doesn't seem to make the difference either.

So, I guess I'm at the point where I am willing to pay someone for an hour or two of consulting. Do you know anyone I can talk with in the next day or two? I'm on US/Eastern time.

scalesm commented 10 years ago

You are almost there. I don't know if there is a better way, but I followed an example by a fellow poster. In the "JIRA\atlassian-jira\" folder, edit the "default.jsp" file.

Change

    response.sendRedirect(request.getContextPath() + "/secure/MyJiraHome.jspa");

to

    response.sendRedirect("https://YOURCROWDSERVERURL/crowd/plugins/servlet/ssocookie?redirectTo=https%3A%2F%2FYOURJIRASERVERURL/secure/Dashboard.jspa");

Obviously edit the two server URLs in the above.

This works for JIRA. I believe the seraph-config.xml redirect works for CONFLUENCE, I haven't found a great way to do it in STASH and I forget what I did for BAMBOO.

jmleppala commented 10 years ago

If you do not get logged in automatically to JIRA with the cookie created when logging into Crowd, make sure you have enabled the SSOSeraphAuthenticator for JIRA described in section 2.2 of https://confluence.atlassian.com/display/CROWD/Integrating+Crowd+with+Atlassian+JIRA. The nordunet-sso module provides a servlet which makes sure that the cookie is created without the user having to deal with Crowd, but it is not a necessary part for the SSO to work.

smoitozo commented 10 years ago

Thank you both for responding.

@scalesm I've made this change to atlassian-jira/default.jsp and can now see the browser being bounced off the crowd ssocookie servlet. However, when I get back to JIRA I'm presented with the login screen. Using SAML Tracer I can see all the different requests and I can see that the ssocookie servlet is setting the crowd.token_key cookie.

@jmleppala I've been following the instructions on that URL. Here's the relevant part of my seraph-config.xml:

    <!-- CROWD:START - If enabling Crowd SSO integration uncomment the following SSOSeraphAuthenticator and comment out the JiraSeraphAuthenticator below -->
    <authenticator class="com.atlassian.jira.security.login.SSOSeraphAuthenticator"/>
    <!-- CROWD:END -->
    <!-- CROWD:START - The authenticator below here will need to be commented out for Crowd SSO integration -->
    <!-- <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/> -->
    <!-- CROWD:END -->

I've even tried fiddling with the login.url and link.login.url init-params to no avail.

I'm stuck.

jmleppala commented 10 years ago

If you are using proxies this link might be of some help https://confluence.atlassian.com/display/CROWD/Debugging+SSO+in+environments+with+Proxy+Servers

smoitozo commented 10 years ago

Thanks for all the responses! I have it working now. It was a combination of hints and tips provided by you, the correction of an erroneous server.xml connector configuration, and some incorrect information in the crowd.properties file. Once those were corrected, things started working properly.

A follow-up question: how do you deal with administrator access to Confluence or JIRA? When I log into Confluence or JIRA and try to access the administrative functions I get asked for a password. However, since I've authenticated against my SAML IdP and Crowd doesn't know my password, there is no way for me to authenticate and access the administrator pages.

How do you deal with this?

jmleppala commented 10 years ago

The unsafe way is to disable the secure sessions from security settings but the preferred way is to set a password in Crowd for the users who need to do administrative work in Confluence and/or JIRA.

smoitozo commented 10 years ago

Thanks, it makes good sense to me to set a password in Crowd. Wondering why I didn't think of that; probably staring at it too long.

I did run into another issue I thought I'd ask you about. I've noticed that when a person that Crowd does not yet know about logs in (via SAML) after requesting access to a connected application (SP-initiated login) the module provisions their account but then everything seems to fall apart with Crowd complaining that they don't have access to the application. Unfortunately this seems to happen before they have been granted any group memberships. I have to be missing something.

roozbehk commented 10 years ago

Hello,

I am unable to compile the plugin; it seems the plugin is asking for

com.eduix.crowd shibboleth-filter-config 1.0 compile

and the build version for shibboleth-filter-config is 1.1. Can you tell me if I am doing anything wrong? Thank you.

smoitozo commented 10 years ago

Here's what I did to compile shibboleth-filter, shibboleth-filter-config, and nordunet-sso.

Be sure that {PATH_TO}/atlassian-plugin-sdk-Y.Y.YY/bin and {PATH_TO}/atlassian-plugin-sdk-Y.Y.YY/apache-maven/bin are in your PATH.

  • Download the shibboleth-filter and shibboleth-filter-config sources
  • Compile the shibboleth-filter-config
cd {PATH_TO}/shibboleth-filter-config
atlas-run

The above commands will create the directory {PATH_TO}/shibboleth-filter-config/target and place the compiled .jar file into it.

When you attempt to build the shibboleth-filter, the process may error out because it cannot locate the shibboleth-filter-config dependency. If this happens you will need to install the shibboleth-filter-config dependency using the following Maven command.

{PATH_TO}/atlassian-plugin-sdk-Y.Y.YY/apache-maven/bin/mvn install:install-file -DgroupId=com.eduix.crowd -DartifactId=shibboleth-filter-config -Dversion=1.1 -Dpackaging=jar -Dfile={PATH_TO}/shibboleth-filter-config/target/shibboleth-filter-config-1.1.jar
cd {PATH_TO}/shibboleth-filter
atlas-run

The above commands will create the directory {PATH_TO}/shibboleth-filter/target and place the compiled .jar file into it.

cd {PATH_TO}/nordunet-sso
atlas-run

The above commands will create the directory {PATH_TO}/nordunet-sso/target and place the compiled .jar file into it.

roozbehk commented 10 years ago

@smoitozo Thank you so much for the detailed instructions. However, I am still having trouble building the nordunet-sso plugin successfully.

' in repository central (http://repo1.maven.org/maven2)
[INFO] ------------------------------------------------------------------------
[ERROR] BUILD ERROR
[INFO] ------------------------------------------------------------------------
[INFO] Failed to resolve artifact.

Missing:
----------
1) com.eduix.crowd:shibboleth-filter-config:jar:1.0

  Try downloading the file manually from the project website.

  Then, install it using the command:
      mvn install:install-file -DgroupId=com.eduix.crowd -DartifactId=shibboleth
-filter-config -Dversion=1.0 -Dpackaging=jar -Dfile=/path/to/file

  Alternatively, if you host your own repository you can deploy the file there:

      mvn deploy:deploy-file -DgroupId=com.eduix.crowd -DartifactId=shibboleth-f
ilter-config -Dversion=1.0 -Dpackaging=jar -Dfile=/path/to/file -Durl=[url] -Dre
positoryId=[id]

  Path to dependency:
        1) net.nordu.crowd:nordunet-sso:atlassian-plugin:1.0
        2) com.eduix.crowd:shibboleth-filter-config:jar:1.0

----------
1 required artifact is missing.

for artifact:
  net.nordu.crowd:nordunet-sso:atlassian-plugin:1.0

Have you tried building against the latest shibboleth-filter-config 1.1? I compiled both shibboleth-filter-config & shibboleth-filter, but I'm having trouble with the plugin.

Maybe I am missing something, but the pom.xml has a dependency on shibboleth-filter-config 1.0 and the build complains that artifact 1.0 is missing. Changing the dependency to 1.1 in the file yields another error. Is there a way I can get hold of the nordunet-sso jar file or shibboleth-filter-config 1.0? Again, thanks for responding.

roozbehk commented 10 years ago

For those who are using this git repo to compile the plugin: it won't work, because the plugin needs the 1.0 version of shibboleth-filter-config. I was able to find a copy of the source file in the wiki: https://wiki.nordu.net/display/NORDUwiki/Crowd+Shibboleth+Module

Using the source file, you can compile 1.0 and build the plugin.

jmleppala commented 10 years ago

Looks like I forgot to change the shibboleth-filter dependency version in the nordunet-sso plugin module. I'll get around to fixing this when I next have time to work on this project, but in the meantime you should be able to fix this simply by changing the dependency version in the pom.xml of the nordunet-sso project.
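An added example, not from this thread or the project, that automates the two steps discussed above (smoitozo's mvn install:install-file step and jmleppala's pom.xml version change): it reads the version from the jar that atlas-run produced, prints the matching install command, and rewrites the shibboleth-filter-config dependency version in a nordunet-sso pom.xml so the declared version matches the installed artifact. The jar naming and the pom layout (the artifactId line followed by the dependency's version line) are assumptions.

```shell
#!/bin/sh
# Added example (not from this thread or the project): align the locally built
# shibboleth-filter-config jar, its install into the local Maven repository,
# and the dependency version declared by nordunet-sso's pom.xml.
# Assumptions: atlas-run names the jar shibboleth-filter-config-<version>.jar,
# and in the pom the <artifactId> line precedes the dependency's <version> line.
set -eu

# Version taken from the jar name, e.g. target/shibboleth-filter-config-1.1.jar -> 1.1
jar_version() {
    basename "$1" .jar | sed 's/^shibboleth-filter-config-//'
}

# The install:install-file command from the thread, with version and path filled in
install_cmd() {
    printf 'mvn install:install-file -DgroupId=com.eduix.crowd -DartifactId=shibboleth-filter-config -Dversion=%s -Dpackaging=jar -Dfile=%s\n' \
        "$(jar_version "$1")" "$1"
}

# Read the version nordunet-sso's pom.xml declares for shibboleth-filter-config
pom_dep_version() {
    awk '/<artifactId>shibboleth-filter-config<\/artifactId>/ { hit = 1 }
         hit && /<version>/ { sub(/.*<version>/, ""); sub(/<\/version>.*/, ""); print; exit }' "$1"
}

# Rewrite that version in place so the pom matches the installed artifact
# (the change jmleppala suggests making by hand)
align_pom_version() {
    awk -v v="$2" '
        /<artifactId>shibboleth-filter-config<\/artifactId>/ { hit = 1 }
        hit && /<version>/ { sub(/<version>[^<]*<\/version>/, "<version>" v "</version>"); hit = 0 }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Typical use after "cd shibboleth-filter-config && atlas-run":
#   jar=target/shibboleth-filter-config-1.1.jar
#   eval "$(install_cmd "$jar")"
#   align_pom_version ../nordunet-sso/pom.xml "$(jar_version "$jar")"
```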

roozbehk commented 10 years ago

Thanks Juha, I was able to compile the older version posted on the wiki which seems to be compatible with 2.7.

erkkiaalto commented 9 years ago

I am testing this with confluence. Local users are authenticated OK via Crowd, but not the Shibboleth users. The users are created in Crowd and synced to Confluence OK and the users are redirected to Confluence, but they have no session in Confluence. The SSO servlet should give more debug information.

jmleppala commented 9 years ago

If the local user you have tested with has been logged in via the Confluence login screen then make sure you have configured SSO integration with Crowd in Confluence. See step 2.2 of https://confluence.atlassian.com/display/CROWD/Integrating+Crowd+with+Atlassian+Confluence

If the SSO integration has been configured and still a user who has a crowd cookie is not logged in to Confluence make sure they have group memberships that a) allow authentication according to the confluence application in Crowd and b) grant permission to use Confluence as configured in the global permissions in Confluence.

erkkiaalto commented 9 years ago

Of course Crowd integration is configured. As I wrote above, local users can log in successfully and Shibboleth users are correctly created in Crowd and synced to Confluence.

The problem is that the sso cookie servlet in the authenticator does not log any debug information so I cannot find out where it fails.

jmleppala commented 9 years ago

Unless you get an error in the browser from the sso cookie servlet I would look elsewhere for any failures.

If a crowd cookie is served for the shibboleth user (and the user exists in Confluence) then it is purely a configuration issue either in Crowd or Confluence.

c-koell commented 9 years ago

Hi,

I have a question regarding the ShibbolethSSOFilter. In doSetDetails() you try to extract the requested application? If I hardcode the application to any value I get an exception.

Must the shibb-users have access to the Crowd app itself? The login only succeeds if I authenticate against Crowd.

greets claus

sebValiantys commented 8 years ago

Hi all,

Seeing people have been successful in configuring JIRA's authentication through Crowd and Shibboleth gives me hope.

I have correctly managed to configure Crowd's authentication. Login goes through our dedicated authentication page and access to Crowd works smoothly. When I try to log in to JIRA though, I keep getting redirected to Crowd.

I went through the settings several times already and I keep missing the cause. @smoitozo, do you by any chance remember what problems you faced and what corrections you made?

When I look at the network in my browser I see the following stack:

  1. my-jira-url
  2. my-crowd-url/plugins/servlet/ssocookie?redirectTo={jira's dashboard}
  3. my-crowd-url/console/login.action?error=true
  4. my-crowd-url/console/defaultstartpage.action
  5. my-crowd-url/console/secure/console.action

I did find errors in the logs: a LazyInitializationException happening within Crowd and resulting in a failed authentication. First it was on the call to CrowdUserDetailsService.loadUserByName (in ShibbolethSSOFilter.attemptAuthentication), which I changed to a call to UserManager.getUser since we don't care about the extra data retrieved by the first method. But unfortunately, later on another call is made to CrowdUserDetailsService.loadUserByToken through the call to getAuthenticationManager().authenticate(crowdAuthRequest). At this point I don't have any means to avoid the exception.

I haven't been able to figure out why I would get this exception when logging into JIRA and not Crowd, even though it is the exact same code running both times.

Any hints will be greatly appreciated.

ghost commented 8 years ago

@sebValiantys Hi, I am experiencing the same problem. I would be very interested to find out what you end up doing to resolve this!

erkkiaalto commented 8 years ago

Can you log in to JIRA with an account that is not authenticating from Shibboleth? Does Crowd have the group jira-users, and are the accounts members?