Suggestion
Resolution: Unresolved
None
39
Hello everyone,
We are pleased to announce that we have released support for OpenID Connect for Jira, Confluence, Bitbucket and Jira Service Desk Data Center.
You can learn more about it here: https://www.atlassian.com/blog/enterprise/openid-connect
Please note that in order to use OpenID Connect you will need a Data Center license.
You can create your evaluation license for your Data Center product here https://my.atlassian.com/license/evaluation
We hope that you will enjoy it!
Please reply directly to my email to share your feedback or just add your comments in this ticket. We'd love to hear your thoughts!
Best regards,
Marek Radochonski
Senior Product Manager
mradochonski@atlassian.com
OpenID Connect performs many of the same tasks as OpenID 2.0, but does so in a way that is API-friendly, and usable by native and mobile applications. OpenID Connect defines optional mechanisms for robust signing and encryption. Whereas integration of OAuth 1.0a and OpenID 2.0 required an extension, in OpenID Connect, OAuth 2.0 capabilities are integrated with the protocol itself.
Source:
http://openid.net/connect/
[CWD-3995] Provide support for OpenID Connect
We have released OpenID Connect support in Jira, Confluence, Bitbucket and JSD Data Center. We are still considering adding support for it in Crowd Data Center in the future.
I think your product direction makes sense to me. Integrate the Relying Party role into your popular apps (JIRA, Confluence, Bitbucket) so that they can connect to any certified OIDC Provider. Keep in mind that OIDC also includes the features of OAuth2. OAuth2 isn't actually a standard, and is a generalized framework. I think the exposed claims from the IdP should be sufficient to authorize various user roles for the Atlassian suite of apps.
Then you could position Crowd to be an OIDC Provider, packaged as a standalone enterprise identity provider. That would place it in competition with products like Ping Identity, RedHat Keycloak, etc.
Thank you for your feedback and for being honest with us. That is very important for us.
Regarding Crowd acting as OIDC Identity provider and OAuth 2.0 Authorization Server, which one is more important for you?
Best Regards,
Marcin Kempa
@Marcin: my organization (Regional Council of Brittany, France) uses Crowd as a general-purpose identity server (dozens of apps connected to Crowd, many directories, thousands of accounts). More and more apps (on-premise + cloud) now support OIDC and OAuth2 out of the box as standard protocols to delegate authentication and authorization to an identity server. That's why we need either Crowd to act as an OIDC provider and OAuth2 authorization server, or to replace Crowd with Keycloak for example.
IMHO, Atlassian has only 2 choices regarding Crowd: either invest heavily and quickly to add OIDC and OAuth2 support, or let it die. It's almost too late for us, we are going to take the decision on the future of Crowd in the next few weeks ...
Hi mvdkleijn and marcin.kwapisz,
Thank you very much for your comments and interest in this issue. We are always keen to listen for feedback about Atlassian products.
Regarding phasing out Crowd, there are no such plans. We are constantly working on improving Crowd with new capabilities and with extending current ones. I am sorry that recent releases did not bring value you needed.
As I understand your comment, you need Crowd to act as an OIDC provider and OAuth2 authorization server as you would like to centralize authentication and authorization management for your Atlassian on-premise products. Is that a correct assumption? Please let us know what your requirements and needs are with OIDC and OAuth2 and how you would like to use it with Crowd. Your feedback will help us to understand the problem space better.
Best Regards,
Marcin Kempa
Crowd Dev Lead
Hi Gaurav,
Is there any way to get this (Crowd as an OIDC provider) in scope?
Crowd is rapidly losing its value for us as a DC customer due to the lack of OIDC provider and OAuth2 server capabilities. If Atlassian's intention is to phase out Crowd, please let us know so we don't invest too much time and effort in this product.
Cheers, Martijn
Hi marcin.kwapisz,
In the current scope of implementation, Crowd will not get any capabilities related to OpenID Connect, only the products namely, Jira, Bitbucket and Confluence will get the abilities to connect to OpenID Connect IdP.
Cheers!
Gaurav Agarwal
Hi Gaurav,
Will Crowd work as an OIDC provider? You did not mention you want to implement this feature in Crowd.
Regards
Marcin
Firstly apologies for the delay in replying back.
As per the current implementation, we will be bundling the ability to connect to an OpenID Connect IdP in the products themselves, i.e. Jira, Bitbucket, and Confluence.
So, the products can delegate authentication directly to another identity provider, bypassing Crowd.
Cheers!
Gaurav Agarwal
Hi Gaurav,
Is the implementation of an OpenID Connect Server in scope of this feature?
Hi, do you have any estimation on when this feature will be available for Crowd DC?
Hi Gaurav, how does this relate to Crowd ? In your example, do you assume that Jira and Confluence are using Crowd for user authentication? Do you mean that in the future, they will still delegate authentication to Crowd, and that Crowd will itself delegate authentication to another identity provider through OIDC? Or do you mean that Jira and Confluence will delegate authentication directly to another identity provider, bypassing Crowd?
Hi d6bc2247047a,
In the current scope we will be providing the capabilities in our DC products to integrate with an OpenID Connect IdP, so, assuming you are using Jira, and Confluence DC, you would be able to hook them up to any OpenID Connect Provider.
This is fantastic. I assume this will also for the native ability to authenticate by an external IDP? I would suggest Keycloak specifically be used both for testing and a baseline for support.
That's great Marek! Will you be supporting a Relying Party, or a Provider, or both? My use case is that I'd like to hook JIRA and Confluence into our GSuite authentication, and also our own OpenID certified Provider for customer authentication. So I'm looking for the Relying Party personally.
d6bc2247047a that's correct and I can also let you know that we have started the work on OpenID Connect in all our core products in DC version.
Because this feature isn't in Crowd right now, a customer who needs unlimited users isn't going to use Crowd. Instead I'm evaluating a third-party add-on https://marketplace.atlassian.com/apps/1217688/oauth-openid-client-for-jira-sso?hosting=server&tab=overview for Jira, Confluence and Bitbucket. Thank you Atlassian again, for the great status update of this issue
Over four years and nothing happened. I have to consider replacing Crowd with a different SSO provider. I don't know if such a provider even exists but I have to integrate our Atlassian platform (Jira/Confluence/Bitbucket/Bamboo) with our OpenShift cluster. Any suggestions appreciated.
Did anyone try this add-on? https://marketplace.atlassian.com/apps/1217688/oauth-openid-client-for-jira-sso?hosting=server&tab=overview
Why is this Priority LOW?
The point of having a centralized identity provider is to be able to integrate it with as many systems as possible. Since there is no support for OpenID Connect, we are using a special Apache version with a Crowd connector module compiled in and use a direct LDAP connection (without Crowd) for other systems where Apache is not possible. Not what you want to have if you bought a solution like Crowd.
Is it not supported yet? That's surprising given I can log in here using Google Identity. Also, as a data point, over 90% of Azure AD transactions now happen with OpenID Connect.
Does anyone use "Crowd-Id"? We're struggling to find info on that. Basically we would like to use it with NGINX / HAProxy as an authentication provider...
Instead of changing the UI once in a while, implementing such issues would bring more value to Atlassian products IMHO.
Would be really helpful! LDAP is not really state of the art any more.
I also vote to get this implemented. OAuth and OpenID Connect should be part of any modern SSO solution.
In particular, what I'm most interested in is authenticating JIRA users with our OpenID Connect identity provider.
This is a very important feature to be able to interoperate with Google, Facebook and other important identity providers.
Can someone from Atlassian increase the priority of this issue please?
Is there any ETA for this?