Eduix / crowd-shibboleth-module

Shibboleth authentication module and accompanying plugin for Atlassian Crowd

Has the authenticator been tested with 2.8? #3

Closed erkkiaalto closed 9 years ago

erkkiaalto commented 9 years ago

We have a working test system with 2.7.2 and we are now trying to build dedicated Crowd test and production servers with 2.8.0. We have copied the settings from the previous test system, and Crowd authentication with local accounts works OK. Shibboleth logins are, however, not working. The accounts are created, but somehow the authenticator is not aware of them and tries to recreate them:

2015-01-23 08:36:46,338 ajp-bio-8009-exec-7 DEBUG [nordu.crowd.shibboleth.ShibbolethSSOFilter] No user aalto@helsinki.fi found. Creating
2015-01-23 08:36:46,562 ajp-bio-8009-exec-7 ERROR [nordu.crowd.shibboleth.ShibbolethSSOFilter] Error creating new user
com.atlassian.crowd.exception.UserAlreadyExistsException: User already exists in directory [491521] with name [aalto@helsinki.fi]
    at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.addUser(DirectoryManagerGeneric.java:309)

erkkiaalto commented 9 years ago

I can now confirm that the authenticator works with 2.8. The error message above was caused by the settings of the Crowd application in Crowd: we had two directories, the default directory and the directory for Shibboleth users. It is not enough to enable the Shibboleth directory for the Confluence application; it must be enabled for the Crowd application for the authenticator to work correctly.

elkasmi commented 8 years ago

Hi

Please HELP.

We are trying to use your plugins to connect Atlassian Crowd 1.7.2 with Shibboleth and the Crowd plugin. After having installed all components (https://github.com/Eduix/crowd-shibboleth-module), all works well until the Crowd plugin process, which generates errors:

userDetails = crowdUserDetailsService.loadUserByUsername(username);
org.hibernate.LazyInitializationException: failed to lazily initialize a collection of role: com.atlassian.crowd.model.application.ApplicationImpl.directoryMappings, could not initialize proxy - no Session
    at org.hibernate.collection.internal.AbstractPersistentCollection.throwLazyInitializationException(AbstractPersistentCollection.java:566)
    at org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:186)
    at org.hibernate.collection.internal.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:545)
    at org.hibernate.collection.internal.AbstractPersistentCollection.read(AbstractPersistentCollection.java:124)
    at org.hibernate.collection.internal.PersistentList.iterator(PersistentList.java:138)
    at com.atlassian.crowd.util.DynamicAuthorityMappings.getPrivilegedGroups(DynamicAuthorityMappings.java:55)
    at com.atlassian.crowd.util.DynamicAuthorityMappings.iterator(DynamicAuthorityMappings.java:82)
    at com.atlassian.crowd.integration.springsecurity.user.CrowdUserDetailsServiceImpl.generateAuthorityFromMap(CrowdUserDetailsServiceImpl.java:140)
    at com.atlassian.crowd.integration.springsecurity.user.CrowdUserDetailsServiceImpl.getAuthorities(CrowdUserDetailsServiceImpl.java:132)
    at com.atlassian.crowd.integration.springsecurity.user.CrowdUserDetailsServiceImpl.loadUserByUsername(CrowdUserDetailsServiceImpl.java:47)

Please can you tell us what is wrong and what the settings should be? Do we have to create a Shibboleth directory in the Crowd administration?

Thank you

erkkiaalto commented 8 years ago

You have to create the directory defined in ShibbolethSSOFilter.properties and give both the Crowd and Confluence (or other) applications to authenticate

elkasmi commented 8 years ago

Hi

Thank you for your answer.

To understand our context: we changed the Jira Seraph library so that when connecting to Jira, the Crowd form is used for authentication, but it does not work, with the same error.

We changed ShibbolethSSOFilter.properties, specifying our existing internal Crowd directory, and have the same error.

"...org.hibernate.LazyInitializationException: failed to lazily initialize a collection of role: com.atlassian.crowd.model.application.ApplicationImpl.directoryMappings, could not initialize proxy - no Sessio..."

Please, are the steps OK? How should we understand in your reply "give both the Crowd and Confluence (or other) applications to authenticate"?

Thank you again

erkkiaalto commented 8 years ago

I do not quite understand what you have been trying, but it does not sound quite right. We are currently using Crowd with Jira only in a test Jira, but it is working OK.

In the seraph-config.xml we have turned Crowd SSO on:

and the login url is

/loginout/HYcrowdlogin.php?url=${originalurl}

(For some reason a php script is needed to get the target url correctly through Shibboleth)

The php script redirects to Shibboleth, to Crowd plugin and then to target url in Jira:

header("LOCATION:"."https://crowd-test.it.helsinki.fi/Shibboleth.sso/HYLogin?target=https://crowd-test.it.helsinki.fi/crowd/plugins/servlet/ssocookie?redirectTo=$target");

(Sorry about the missing words in the previous comment. Both Crowd and Jira must be given explicit permission to authenticate to the Crowd directory defined in the settings of the authenticator)
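The three-hop redirect above (Shibboleth login, then the Crowd ssocookie servlet, then the original Jira URL), written as an added Python example rather than the thread's PHP script: each hop gets its own layer of percent-encoding so that `?` and `&` inside the original target survive every server's query parsing, and the target is checked against an allowlist of application hosts before a redirect is built. The hostnames are constructed placeholders; `HYLogin` and `ssocookie` are the endpoint names quoted in the thread.

```python
from urllib.parse import urlsplit, urlencode, parse_qs

# Constructed placeholder hosts; the real values are deployment-specific.
CROWD_BASE = "https://crowd-test.example.org"
SHIB_LOGIN = CROWD_BASE + "/Shibboleth.sso/HYLogin"           # name from the thread
SSOCOOKIE = CROWD_BASE + "/crowd/plugins/servlet/ssocookie"   # name from the thread
ALLOWED_TARGET_HOSTS = {"jira-test.example.org", "crowd-test.example.org"}  # assumption


def is_safe_target(target: str) -> bool:
    """Accept only absolute https URLs on known application hosts.

    This keeps the ?url=${originalurl} parameter from being turned into an
    open redirect (no scheme-relative //host, no foreign hosts, no userinfo)."""
    parts = urlsplit(target)
    return (parts.scheme == "https"
            and parts.hostname in ALLOWED_TARGET_HOSTS
            and not parts.username)


def naive_chain(target: str) -> str:
    """Plain string concatenation, as the header() one-liner does it.
    The unencoded '?' and '&' of the target leak into the outer query string."""
    return SHIB_LOGIN + "?target=" + SSOCOOKIE + "?redirectTo=" + target


def build_login_chain(target: str) -> str:
    """One layer of percent-encoding per hop: the target is encoded into the
    ssocookie URL, and that whole URL is encoded again into the Shibboleth URL."""
    if not is_safe_target(target):
        raise ValueError("refusing redirect to %r" % target)
    inner = SSOCOOKIE + "?" + urlencode({"redirectTo": target})
    return SHIB_LOGIN + "?" + urlencode({"target": inner})


def unwrap(chain: str) -> str:
    """Simulate each hop decoding its own query string; return the final URL
    that the last hop (Jira) would actually receive."""
    inner = parse_qs(urlsplit(chain).query)["target"][0]
    return parse_qs(urlsplit(inner).query)["redirectTo"][0]
```

With a target such as `https://jira-test.example.org/browse/ABC-1?filter=x&page=2`, the naive chain delivers the user to a URL that has lost `&page=2`, while the encoded chain round-trips the full URL.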

elkasmi commented 8 years ago

Thank you again

To understand, we actually have an enterprise user directory (using the SAML protocol), not connected to Crowd.

We use Jira with Crowd (with an internal directory) and would like to connect Crowd to the enterprise directory using Shibboleth and the Eduix plugins.

Shibboleth and Eduix plugins have been installed.

We changed settings in the JIRA seraph-config.xml and have turned Crowd SSO ON to use crowd login form when connecting to JIRA.

Results:

Is it clearer?

You say "Both Crowd and Jira must be given explicit permission to authenticate to the Crowd directory defined in the settings of the authenticator". Does it mean that in Crowd, in the Jira application settings, we set the directory (identified in ShibbolethSSOFilter.properties) to true?

Is the PHP script required for this to work?

Thank you

erkkiaalto commented 8 years ago

Do you mean you can authenticate to Crowd but have no SSO with Jira? Are Crowd and Jira behind identical proxies? If one is behind an AJP proxy and the other an HTTP proxy, the sessions look different and SSO does not work.

PHP is used to get target url correctly through Shibboleth, it is not essential to authentication.

elkasmi commented 8 years ago

Without using the Jira application, authentication works between Crowd (when connecting to Crowd) and the enterprise directory, using Shibboleth and the plugins.

Do you think that to use Jira and Crowd with Shibboleth and the enterprise directory, SSO must work between Jira and Crowd as a prerequisite, i.e. the first step to validate (before the Shibboleth problem)?

What is the resolution if we have no identical proxy? (Is that the origin of the "no Session" error and the directory mapping error?)

Thanks

erkkiaalto commented 8 years ago

Does SSO with Jira work with a local account not authenticating with Shibboleth? Are the proxies identical?