We are currently using Crowd for SSO and LDAP authentication; however, we are in the process of setting up a POC for our corporate SiteMinder SSO solution.
We have been able to successfully integrate Jira and Confluence with corporate SAML SSO. However, after implementing this, we are no longer able to do application SSO, meaning that Jira and Confluence require separate logins now.
Is there a way to implement application SSO via this method? Kindly help.
I'm guessing I have a similar problem to OP based on his comment, here's the problem I'm trying to solve after implementing SAML SSO in Jira:
1. We have JIRA, Confluence, Bitbucket, and Crowd
2. I have a Crowd directory set up and everything uses Atlassian Seraph's SSO so that logging into any of the instances logs you into the other instances.
3. A SAML SSO plugin to connect GSuite to JIRA is set up; however, it does not log in properly to JIRA when JIRA is configured to use Crowd SSO via SSOSeraphAuthenticator in seraph-config.xml.
If I switch JIRA back to JiraSeraphAuthenticator in seraph-config.xml, I can successfully perform a SAML authentication from GSuite to JIRA. However, at this point the user is not logged into Crowd SSO, so that user has to manually log into Bitbucket/Confluence.
The ideal would be a solution that lets you use SAML in Crowd (there's a miniOrange plugin for this, but it's for older versions of Crowd), or somehow have JIRA register the login with Crowd and work with the SSOSeraphAuthenticator class.
No idea if that's plausible because I'm not an SSO expert but I'm guessing that's the same issue OP has.
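To make the two modes described above concrete, here is the relevant part of Jira's seraph-config.xml as an added illustration; it is not from the original post or from Atlassian. The two authenticator class names are the standard ones from Atlassian's Crowd integration guide; the file location is assumed to be the usual atlassian-jira/WEB-INF/classes/seraph-config.xml. Seraph loads exactly one authenticator class per application, which is why a SAML plugin's authenticator and the Crowd SSO authenticator cannot both be active in the same Jira instance.

```xml
<!-- Added example, not from the original post. Fragment of
     <jira-install>/atlassian-jira/WEB-INF/classes/seraph-config.xml (path assumed).
     Seraph reads exactly one <authenticator> element, so only one of the two
     lines below may be uncommented at a time. -->
<security-config>

    <!-- Default: Jira authenticates against its own configured user directories.
         Crowd can still be one of those directories, but no shared Crowd SSO
         session cookie is issued, so Confluence/Bitbucket prompt for login again. -->
    <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/>

    <!-- Crowd SSO mode: Jira validates the crowd.token_key cookie shared with the
         other Crowd-connected applications. To switch modes, comment out the line
         above and uncomment this one, then restart Jira. -->
    <!-- <authenticator class="com.atlassian.jira.security.login.SSOSeraphAuthenticator"/> -->

</security-config>
```

Because the element is a single slot, any SAML add-on that needs its own authenticator has to replace whichever class is here, which is the co-existence problem the reply below describes; the practical alternatives are to keep Crowd purely as a directory and let a SAML plugin on each application own the authenticator, or to drop Crowd SSO entirely.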
Hi @Pete Waterman,
the challenge you have is that two different Seraph Authenticators usually can't easily co-exist.
One solution in your case would be to keep Crowd as a user directory and install a SAML plugin on all your Atlassian applications. That way, when any of your users goes to an application where he's not logged in yet, the plugin does a Single Sign On.
So to your user the experience will be that he's signed on into all applications as soon as he goes there.
The downside certainly is that you need a SAML plugin license for each application. This is a somewhat common deployment model with our plugin.
Another alternative may be to no longer use Crowd at all. If you use AD/LDAP for directory synchronisation, for example, then you could drop Crowd, enable directory sync via AD/LDAP, and use a SAML plugin on each application for the Single Sign On.
This is actually one of the most common deployment models our customers choose. And this is also the reason why there aren't many Crowd plugins with SAML available: if you use SAML everywhere, most of the time there is no longer a need for Crowd.
Cheers,
Christian
That all makes sense and jibes with the issues I've encountered. Federated identity can get a little wonky.
I may end up going down the route of installing a SAML Plugin for each app. It hadn't occurred to me that this would be quite similar to the benefits of Crowd's SSO for a minor additional fee, thanks for the idea!
@Pete Waterman - my pleasure. Also happy to help you via our support portal https://resolution.de/go/support if you need anything. Or here, whatever you prefer.
Hi @Karanpreet Kaur,
Lars is right; you can use a marketplace-based SAML add-on in Jira & Confluence. There are a variety of plugins in the marketplace: https://marketplace.atlassian.com/search?query=saml
How have you implemented SiteMinder in your PoC? I am a bit confused about your statement "we are no longer able to do application SSO".
Cheers,
Christian
P.S. I also work for a Single Sign On Plugin Vendor (resolution)
Hi Christian,
We have only integrated Jira and Confluence with SAML in our PoC. SAML is provided by our Corporate SSO Team and is using Siteminder.
By my previous statement "we are no longer able to do application SSO", I meant that when I log into Jira and then browse to Confluence, I have to re-authenticate for the application login. We found the issue: we had to change the SAML authentication settings to Primary to make sure that application SSO works.
I will look at the add-ons. Thanks for suggesting.
We had been using Atlassian Crowd for SSO as well as LDAP authentication till now. The only deal breaker for us is that it's not supporting SAML 2.0. We are open to looking at other solutions as well, and we are evaluating different options at this point, as we just found out that Bamboo doesn't support SAML integration.
Thank you,
Karan
From what you describe, probably the solution that is going to give you everything you want is LDAP/AD sync for the user databases, either to all of the Atlassian products individually (then no longer needing Crowd) or by a single AD sync against Crowd.
Then use SAML to do SSO against SiteMinder. Most of the plugins I mentioned (including ours) have a Bamboo version as well.
Should you no longer be able to use AD/LDAP sync (for policy reasons, for example), then some of the SAML plugins (including ours) also support creating & updating users via SAML.
Here you can find our plugin if you'd like a look at it, and some others via the second link:
If you'd like to discuss your PoC with us in detail, then feel free to open a support case with a reference to this and we'll schedule a call. Then we can discuss the different solutions in a bit more detail, including pros & cons. https://resolution.de/go/support
Alternatively, we can continue here a bit. Then it would be useful to know if you are using Server or Data Center, also the SiteMinder version, and if there are any policy restrictions/preferences on your side to continue with AD sync.
Cheers,
Christian
Hello @Karanpreet Kaur
You can use Crowd as a user directory and then add a SAML add-on in JIRA and Confluence.
I work for Kantega Single Sign-on which is one of the vendors on Atlassian Marketplace:
https://marketplace.atlassian.com/search?query=kantega
Try it out and let us know if you have any questions. sso@kantega.no
Lars