Please note that you should not be uncommenting the SingleSignOn Valve in the server.xml for Tomcat. This has nothing to do with Crowd SSO and make in fact interfere with it functioning.

i'm using a Apache Proxy to access my atlassian tools
f.e.
https://mydomain/stash
https://mydomain/confluence
https://mydomain/jira
https://mydomain/crowd

so in every server.xml config i configured proxyName proxyPort ans scheme=https

Single Sign own worked perfectly between jira and confluence, but not with Stash
in my stash-config.properties i setup the required stuff:
plugin.auth-crowd.sso.enabled=true
plugin.auth-crowd.sso.http.proxy.host=mydomain
plugin.auth-crowd.sso.http.proxy.port=443

but it will still not work.

Solution:
=======
remove
plugin.auth-crowd.sso.http.proxy.host=mydomain
plugin.auth-crowd.sso.http.proxy.port=443
from stash-config.properties

don't forget to uncomment
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
in the server.xml file in stash app dir

Is Single Sign On broke at the moment ?

I tried everything that is described in the Confluence Wiki Page.

Got it working.

https://confluence.atlassian.com/display/STASH/Connecting+Stash+to+Crowd#ConnectingStashtoCrowd-SSO

here Stands <STASH_HOME>/shared/stash-config.properties

I assumed that home is the application folder and not the data folder.

Hi Jason,

Thanks for the feedback! The Crowd SSO plugin will only enable SSO integration when it can. It tests:

• whether you've got a User Directory set up pointing to Crowd.
• whether the remote Crowd has got a valid SSO cookie configuration.

It's the second test that is causing problems for you. I've created STASH-3264 for this problem.

I think I nailed this down to having an empty domain cookie configuration in Crowd. When I configured Crowd with a value of "localhost" SSO seemed to work for Stash.

It's worth noting that all other apps (Jira, Conf, etc..) seem to work fine with the empty domain setting.

Unfortunately this doesn't seem to be working. I've enabled

plugin.auth-crowd.sso.enabled=true

and I can see the authenticator:

2013-03-26 09:59:37,265 DEBUG [http-bio-8085-exec-16] 599x244x1 0:0:0:0:0:0:0:1%0 "GET /logout HTTP/1.1" c.a.s.i.s.s.PluginAuthenticationProvider attempting authentication with authenticator com.atlassian.stash.stash-authentication:crowdHttpAuthHandler
2013-03-26 09:59:46,078 DEBUG [http-bio-8085-exec-17] 599x245x1 1szwp6r 127.0.0.1,127.0.0.1 "GET / HTTP/1.1" c.a.s.i.s.s.PluginAuthenticationProvider attempting authentication with authenticator com.atlassian.stash.stash-auth-crowd-sso:crowdSsoAuthHandler

But that's all the logging I can get out of it and it doesn't seem to be working. Nothing is happening (that I can see) on the Crowd side either.

Thoughts?

Awesome to see the fix version coming up!!!! Thanks, Stash team

I'm mobile at the moment but will tomorrow afternoon - it's 100% predictable for us.

jason.stiefel, can you create a support request for the re-direct issue? I've just tried it and can't reproduce it. Might be related to an environment specific configuration.

@Jens thanks for the update... I think the redirect fix will be a big help to smooth out our experience until we can get full SSO support, I appreciate your attention to this!

Hi Jason,

With Stash 2.2 we've just shipped the most highly voted feature (apart from Hg support), which be beneficial to every single customer out there. We clearly got the message that SSO support is important to you guys and we are actively working on it now. We are aiming to deliver it with the next release, but there is a possibility that it will slip into to Stash 2.4.

We will look into the re-direct issue and fix the bug. That's certainly frustrating. Thanks for bringing this up.

Another release with no support for your own SSO solution? A little transparency would be much appreciated at this point - users are asking on a daily basis "Why do I have to login to Stash over and over throughout the day?"

Tack on the fact that the login redirect in the application is BROKEN (User clicks on link in email to visit pull request, presented with login screen. Authenticates - is sent to the project list page) and you've got some really frustrated users!

@Andrew Finnel:

From my experience (dealing with about 1450 users), users are lazy. If they have to keep logging in over and over and over, they will not only continually complain to the administrators, they'll just stop using the product.

One of the great things about using SSO is that users are inconvenienced as little as possible – which means they use the product more. It sounds stupid, and yet all of my experience has shown it to be sadly and utterly true.

Many of us that have based our stack on the Atlassian offerings chose it partly because of the well-integrated authentication mechanism, and the benefits to the user experience – and thus user utilization – that come with it. I've been paying support on Crowd for years as part of an unwritten but implied basic contract: I give you money to keep product development going (although it seems to have essentially stalled), you make this core authentication product – with its well-advertised feature of SSO as its main benefit over me using straight LDAP – work with your other products. Accordingly, Stash (inexplicably) breaks that contract, when it's something that it seems like should have so clearly been built in from the very beginning when they were saying "hey, we need to handle user accounts, right?" It's not unreasonable to think that the next question should have been: "Don't we have a product for that?"

The fact that it's not vital for you doesn't mean that it's not a vital feature to some. My list of vital features that Stash is missing is rather large, and this is but one of them – but it's still on the vital list.

@JasonStiefel I don't question the usefulness of SSO as a feature. I question the usefulness of SSO compared to the huge laundry list of features and fixes that Stash needs. Having to manually log in from an email link seems to pale in comparison to some of the other very useful feature requests that have been made. We already established though that each enterprise will have different needs. I understand that and was merely expressing my interest in why this should be chosen over some of the other vital features.

@AndrewFinnell-

This is the most basic response I can come up with to this ongoing incredibly frustrating issue:

Crowd and SSO works with every other application in our development platform: Apache (Proxy), Jira, Confluence, Jenkins, Nexus, OSQA and whatever else we add ALL SUPPORT CROWD SSO. You login ONCE and everything just works. I've integrated other applications to use it, everything from Spring Security to adapting it into container based authentication.

The existing authentication mechanism in Stash is TERRIBLE. It's incapable of dealing with links in emails unless you've VERY recently logged into it (session timeout must be 30 mins and not configurable??) so most clicks from outside the app end up at the login screen and then the default index page after login.

That should be fairly simple to understand. Noone is asking Atlassian to add some obscure support for an SSO connector - Crowd is an Atlassian product and there should be a focus on making sure their apps don't leave home without full support for their SSO framework.

@Andrew - your comment to which I was responding made it sound like you are a developer looking for a reason to support an Atlassian feature. It's hard on this everyone-access setup to know who is in what role. I did assume you worked for Atlassian.

I think Todd Gamblin above indicated the reason why Crowd SSO is important (and I believe it was also stated in another comment back weeks or more ago), which is that not all environments are permitted to store browser-side credentials. So saying the issue is solved by browsers is not accurate for that type of environment.

@Tom Gamblin, I appreciate the response. I meant no disrespect. Out of all the issues that I see get attention this is has to be in the top three so I was curious ti its core need. I completely understand how SSO works and I in no way think it's unimportant. If you'd like to further discuss this you can reach me at andrew.finnell@gmail.com as I am curious about your work flow. Thank you for your time.

I don't see why it's difficult to understand the benefit of Crowd SSO: users don't have to type their passwords as often. That's what SSO does. Whether or not you think that is important is another issue.

In our case, we want users to adopt the Atlassian products, and making the experience uninterrupted by redundant authentication helps with that. Our security rules are such that users have to use two-factor authentication and we can only remember a session for 12 hours. So the users would have to type two logins a day: one for other stuff and one for Stash. Luckily we were able to integrate Stash with another login system, so we DO have single sign-on between our various web services, but we'd rather be using the same Crowd cookies we do elsewhere. That was one of the reasons we bought Crowd, and it's one of the major features Atlassian advertises for Crowd. Is there some reason we should not let them know it's important to us?

Todd Fiala, I should be 100% clear, I do not work for Atlassian. I am a customer of Atlassian products as well as you. I am seeing all the focus on this one ticket and I am perplexed at the attention it is getting. I work in an enterprise environment also and have yet to have any issues with Stash not supporting SSO from Crowd. The browser itself has taken care of all our users sign on issues. The comments in this ticket make it seem as though Crowd itself is not supported in Stash. It's just the SSO component. Also your comment didn't answer a single question as to why SSO is such a high priority.

Crowd works with Stash. You still manage the users the exact same way as all the other Atlassian products. I am writing these comments because I believe there are far more valuable features that Stash needs that are actually related to source control management. Especially since the sign-in issue is easily solvable by using browser settings to persist your authentication credentials. I'll stop commenting on this ticket, I had no intention on making this ticket a soap-box.

Here are several reasons it would be good for Atlassian to fully implement integration with one of its products:

• So that Atlassian product support staff within orgs don't get tickets indicating that login to Stash is broken and not functioning like the rest of Atlassian products. (End user customers take a logical position on issues like this and just expect that a company's new products are going to do basic services like authentication and authorization like the rest of the products in their basket).

• So that Stash works like all other Atlassian crowd integrated products and doesn't somehow require a different authentication workflow.

I'm at a loss why you're asking customers to advocate for why you should support Atlassian's own product suite to the full potential of the product.

I am still hoping for some quick feedback on why this is so critical to some customers.

I also look forward to see the SSO working. I believe this should be put into the next sprint planning so we, the users, could also see an ETA on completion and setting our expectations correctly

Hey all - hopefully this is on your radar now. Please note all your docs that talk about Crowd integration as a user directory for Stash then go on to list the benefits of Crowd (more or less cut and paste), including SSO for SSO-enabled apps. You really should either implement this ticket, or add a caveat after listing Crowd as an available directory service that says "* Note SSO not supported by Atlassian Stash".

As others have mentioned, SSO is a key reason for many even bothering to implement Crowd. Looking forward to you adding support soon. Thanks for all the other goodness, Stash team!

How could this not make it into 2.1? How is it possible that a feature like build status would trump the importance of supporting your own SSO product? Our policies do not support using the "Save Password" box (nor should they - what a terrible idea to begin with!)

Please get this prioritized and communicated to the people who are working to evangelize YOUR products within their own companies. The number of hoops many will jump through to accomplish a switch from SVN or whatever to using Stash is significant enough as it is. It's becoming embarrassing to repeatedly explain why the other 9 applications that make up our development platform support SSO while Stash continues to require an additional login step that inconsistently "forgets" what your target URL was (i.e. clicking links in email, logging in and ending up where you expected - Stash usually sends you to the home page but that is not always the case.)

Agree with everyone, crowd SSO should be a priority

Same here - it's surprising that implementing features from another product (github) would take priority over supporting their own single sign on tool in a web application. I've integrated Crowd into a dozen different applications and it's never taken more than a few days to get it right - what's the hold up on Stash???

Definitely not good. I'd rather work had been done on this rather than many of the other features such as branch permissions.

Well, we won't move away from Fisheye if this is not resovled... Actually kind of embarrassing...

Our deployment is part of a suite of tools that include JIRA, Confluence, Jenkins and Nexus. All of these are hosted behind a single reverse proxy that looks a little like JIRA On Demand or the old JIRA Studio.

With the exception of Stash we're able to login once across all the services - and we're in the process of integrating our Crowd SSO with our "corporate" SSO to further integrate into our environment.

Please enlighten me about the use of Crowds SSO. You would not use Stash unless it supports not having to require the developers from having to type in their password each time? Or not requiring them to save their password in the browser? I havent even turned on my Crowd's SSO because everyone just clicks the "Save Password" in their browser and we have it integrated with LDAP. I am wondering if I am missing some great SSO feature.

Ditto. Glad to see priority set to Major. We are very interested in Stash but will not seriously consider it until it supports Crowd.

+5 for the reclassification to Major... Thanks Stash team!

At this point I'm tempted to have every engineer in our enterprise up vote this issue but that doesn't seem to be productive. We're laying out a large sum of money for Crowd SSO across our platform and the lack of SSO in Stash is a huge sticking point - really surprised it didn't make a 2.0 release.

With 2.0 just released, does that free up some time to work on SSO support?
Or perhaps prompt a priority elevation?
Any words about approximately where on the roadmap this would be?

Just to chime in with everyone else - it's really critical that we get Crowd SSO support as quickly as possible. We're building an integrated tools platform and I've successfully made the case to move to Atlassian products but it's really frustrating to have SSO working across all the "other" products (that include non-ATL stuff like Jenkins and Nexus) but no support from our shiny new source control system.

It's confusing our users and extra frustrating for those of us building our platform that frequently switch user accounts. I've implemented some work arounds to help but it's a tad mind boggling that supporting your own SSO product isn't a top priority - how many times a day do you guys login to your own Stash instance afterall?

Be assured that Crowd SSO support is on our roadmap. However, we will have to prioritise it against other features like pull requests and branch permissions. That's the reason it hasn't found it's way into the product yet.

This is how most of the product releases are. If you look at version 1.0 it didn't even have crowd support. The SSO will probably be added a bit later. I was reading a response on this somewhere and the basic idea was to release the product with basic functionality then grow on that. I'm not making any excuses for anyone but this isn't exactly a new phenomenon with Atlassian products.

Yeah, it's a good question. Crowd seems to have lost nearly all momentum, and it's very expensive compared to what you get for free with LDAP, with SSO being the big draw. You'd expect whoever is working on the Crowd team to make SSO working on new Atlassian products a top priority.

No idea I'm not an Atlassianer.

Yes, exactly. SSO is one of the reasons we're paying for Crowd. My question was more about the long term Crowd strategy. I worry about my existing Crowd investment when things like this happen. How is full support for your own product a minor priority? Crowd isn't cheap and it would be nice if it were actually a priority to support its features.

This ticket is about the SSO ticket. Stash can already talk to Crowd (we use it), but SSO doesn't work.

Why is this minor? This is the only thing holding me back from buying a 500 user Stash license. Do you guys actually plan to support Crowd long-term?