Type: Suggestion
Resolution: Answered
Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.
[CWD-75] Support Shibboleth
The Atlassian-recommended solution for Shibboleth with Crowd is the solution developed by juhani and Eduix:
https://wiki.nordu.net/display/NORDUwiki/Crowd+Shibboleth+Module
The comment from Juhani Gurney is helpful.
Can you or someone elaborate on the "We needed to do a slight modification to the Crowd Authenticators for Confluence and Jira so that they redirect to Crowd for login instead of showing the Confluence/Jira login screen" part?
I assume we need to update the "login.url" property in the seraph-config.xml file of Confluence to point to our Shib-protected Crowd server, but I am unsure of the URL format for telling Crowd where to redirect back to. /crowd/login.action?redirectTo=https://confluence or something?? I can't seem to stumble upon it.
Thanks!
Anybody know what we are supposed to do after we follow the readme and drag the jar to the plugins directory? I don't see any change in the Crowd UI? Is there a walkthrough for this? README directions are pretty slim. Maybe this doesn't work with 2.7?
I would also like to see this built in. SAML 2 (Shib) is pretty much a deal killer requirement for any new applications purchased at my company.
And now Crowd 2.7 is due, and once again we'll need to rebuild it. Can't we just get this built and added to the Atlassian Marketplace like any other plugin?
Just thought I'd let the people watching this issue know that there is now a new version of the plugin available on the NORDUnet wiki for Crowd version 2.5.
https://wiki.nordu.net/display/NORDUwiki/Crowd+Shibboleth+Module
Ok, after a bit of digging, not only do the instructions for the NORDUnet filter not reflect the latest version of Crowd, but the code itself builds against an older version of Spring Security & Crowd. There appear to be some quite big changes in Spring Security, so it looks like the NORDUnet filter has been left behind. Hmm. Still "portable & upgradable"? I wonder... More digging required!
I've just followed the instructions for installing the NORDUnet filter into the latest version of Crowd, and found that the instructions no longer appear to reflect the latest version of Crowd
I've tinkered, but I haven't been able to get it to run.
Juhani,
I'm in the process of setting up to use your plugin but I'm not sure what is necessary for producing the necessary jar for installation into Crowd. Do I need to setup the Atlassian Plugin SDK in order to build the code and produce the jar?
Hi Dan, Leon,
I'm afraid we don't have the expertise to help with Shibboleth implementations. Particularly in the case of interoperability issues; that's why we've never supported it in the past.
We've worked with juhani and his team to guide their implementation and make sure it's portable & upgradable. They have a far deeper understanding of Shib than we do. So, we think you'll actually get a better experience by using the Eduix connector and working with them to improve and maintain it.
That's a rather long way of saying "we're not going to support it ourselves because we don't think we can do a better job than Eduix and the Shibboleth community"
Cheers,
Dave.
Hi,
I also think that this should be incorporated in CROWD or at least be supported by Atlassian.
This plugin would break in the next versions of CROWD if not supported.
I think there is a reasonable interest from many people/organization especially Universities.
We'd definitely go for it even if it was a paid plugin.
Any chance to reconsider this decision David?
It does remain a concern for us here that this isn't really 'supported': it's still a third-party plugin, not subject to the same licensing that we already get from Atlassian, and not being developed by you, so what happens when something goes wrong with it? I would feel better if Shibboleth was actually supported by you, even if it isn't solely developed by you.
Hi folks,
Juhani and Eduix have provided Shibboleth support for Crowd - see the link above. As they've done a great job, we're not going to duplicate their work. If you need Shib support, we suggest their solution.
Cheers,
Dave.
Hello all
For those who have not found it already you can get the code Eduix developed from the NORDUnet wiki:
https://wiki.nordu.net/display/NORDUwiki/Crowd+Shibboleth+Module
Best regards
Stefan
Hello Juhani Gurney,
My University is also interested in the work you did - "Shibboleth plugin for Crowd".
Can you provide us with code access and some docs?
What version of CROWD it's compatible with?
Cheers,
Leon Kolchinsky
Hello,
Is there any progress on this? To us, the ability of Crowd to support Shibboleth would be the key factor in whether we buy it or not.
We are currently evaluating Crowd; is this plugin available from somewhere so we could try it?
Thank you for your time.
Cheers,
Alexei
Answers to questions from Jeff and Vladimir:
1) Once you sign into a CrowdShib-enabled application (say, Confluence), you're signed on via Shibboleth, so you'll get SSO to a non-Crowd-integrated Shibboleth-using application as well.
Yes.
2) If you're already logged into Shibboleth, you'll get SSO into CrowdShib-enabled applications too, automatically.
Yes.
3) If doing a Shibboleth login on a Crowd-enabled confluence: would that mean creating a new account in Crowd based on the Shibboleth attributes received?
Yes (if the user doesn't exist). Users are created in a Crowd directory. Confluence then gets all the user/group information from Crowd with the normal Confluence-Crowd integration. Confluence isn't even aware of Shibboleth.
Currently we don't have a public project page for this. I will look into creating one with the customer (NORDUnet) asap.
Cheers,
Juhani
Hi,
I'll chip in another question: if doing a Shibboleth login on a Crowd-enabled confluence: would that mean creating a new account in Crowd based on the Shibboleth attributes received? Is there a link to the Crowd-Shib project? And how that would work for an application using Crowd?
Cheers,
Vladimir
This sounds fantastic.
One question: you say that Crowd handles the SSO for the Crowd-enabled applications. I assume, however, that the following two bits are true...can you verify?
1) Once you sign into a CrowdShib-enabled application (say, Confluence), you're signed on via Shibboleth, so you'll get SSO to a non-Crowd-integrated Shibboleth-using application as well.
2) If you're already logged into Shibboleth, you'll get SSO into CrowdShib-enabled applications too, automatically.
Thanks!
Hi Gary and all,
We have indeed written a Shibboleth plugin for Crowd. It was developed for NORDUnet and has been running in production for a couple of months now. The idea is pretty much the same as in the Confluence Shibboleth Authenticator. Basically it works in the following way:
1) Crowd is integrated with Atlassian apps (Confluence and Jira in this case) and some other custom applications also. It is providing the SSO and group information to applications and of course letting us do authorization decisions on who can use a specific application.
2) Crowd is protected by Shibboleth SP in the same way that you would do with Confluence and the Shibboleth Authenticator. So we have created a Crowd filter to handle users authenticated by Shib.
3) When a user accesses a Crowd protected resource in e.g. Confluence the Crowd Authenticator will send the user to Crowd for login. We needed to do a slight modification to the Crowd Authenticators for Confluence and Jira so that they redirect to Crowd for login instead of showing the Confluence/Jira login screen (by default they would show the app login screen and authenticate to Crowd in the background). Now, when a user is sent to Crowd the Apache Shib module will intercept the request and do all the Shib magic that you would configure. After a successful login at an IdP the user is sent back to Crowd where our login filter kicks in and creates/updates a user in a directory based on the information set by the Shib module. We can add/synchronize a user to a certain directory and groups based on the attributes set by Shib.
4) When user creation/updating in Crowd is done the user is redirected to the original URL requested. Actually, the user isn't even aware of Crowd existing (except seeing the URL briefly in the browser status bar).
5) Admins can use Crowd to manage groups, access to apps and which groups are visible to a specific app.
So, the cool stuff in a nutshell:
- We only need to shibbolize Crowd, after which a user gets a Crowd managed SSO session to all the integrated applications
- We can configure group mappings based on user attributes, for instance, people from a certain home organization can end up in their own group. Currently the mapping is done by a properties file but we are looking to create a custom UI in Crowd where you can manage this dynamically
- Previously we used LDAP for Confluence (authentication and groups) and Jira (authentication). After Crowd/Shib integration the username format changed so we decided to create a "Claim account" service with which an IDP authenticated user could claim his existing account. This functionality copied the existing group information from LDAP and Jira to the new user in a Crowd directory and then set his old username as an alias for Confluence and Jira. This means that we did not need to do any account renaming in Confluence and Jira databases!
There's much more and we have a lot of ideas for future development. Currently NORDUnet is working on the licensing details and open sourcing it. After this is done the plugin and more information will be available. It is fairly safe for me to say that the plugin will be free for non-profit organizations.
Until this I'm happy to answer any questions. It will be great if other people are interested in participating in the development work!
Cheers,
Juhani
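As an added illustration (not the Eduix/NORDUnet plugin's code, and not part of Juhani's post), the following models the login-filter steps described above: groups derived from the attributes the Shibboleth SP asserts, using a properties-style mapping file as the post mentions; an idempotent create-or-update of the user in the directory; and a check on the redirect back to the originating application. The attribute names (eppn, mail, displayName, schacHomeOrganization, isMemberOf), the `attribute.value=group` properties syntax, the dict standing in for a Crowd directory and the redirect allow-list are all assumptions made for this example.

```python
"""Model of a Shibboleth login filter in front of a Crowd-style directory.

Added example, not the Eduix/NORDUnet plugin's code. Attribute names, the
properties syntax and the redirect allow-list are assumptions.
"""
from urllib.parse import urlsplit

# Constructed sample: attributes the Shibboleth SP exposes to the application
# (as request headers or environment variables) after a successful IdP login.
SHIB_ATTRS = {
    "eppn": "alice@nordu.net",
    "mail": "alice@nordu.net",
    "displayName": "Alice Example",
    "schacHomeOrganization": "nordu.net",
    "isMemberOf": "staff;wiki-editors",
}

# Constructed mapping file, one rule per line: <attribute>.<value>=<group>[,<group>...]
MAPPING_PROPERTIES = """
# home organisation -> group
schacHomeOrganization.nordu.net=nordunet-users
schacHomeOrganization.example.edu=example-users
# IdP-asserted entitlements -> groups
isMemberOf.wiki-editors=confluence-users
isMemberOf.jira-developers=jira-developers
"""

MULTI_VALUE_SEP = ";"  # the Shibboleth SP joins multi-valued attributes with ';'


def parse_mapping(text):
    """Parse the properties text into {(attribute, value): [group, ...]}."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, groups = line.partition("=")
        # split on the first dot only, so values such as "nordu.net" survive
        attr, _, value = key.strip().partition(".")
        mapping[(attr, value)] = [g.strip() for g in groups.split(",") if g.strip()]
    return mapping


def groups_for(attrs, mapping):
    """Groups the user should hold, derived only from asserted attributes."""
    groups = set()
    for attr, raw in attrs.items():
        for value in raw.split(MULTI_VALUE_SEP):
            groups.update(mapping.get((attr, value.strip()), []))
    return sorted(groups)


def provision(directory, attrs, mapping):
    """Create the user on first login, update on later ones; return the record.

    `directory` stands in for a Crowd directory (a dict keyed by username).
    Refuses to act without eppn: the identifier that becomes the username
    must come from the IdP, never from a default or a user-supplied field.
    """
    username = attrs.get("eppn")
    if not username:
        raise ValueError("IdP did not assert eppn; refusing to provision")
    record = directory.setdefault(username, {"logins": 0})
    record["logins"] += 1
    record.update({
        "username": username,
        "email": attrs.get("mail", ""),
        "display_name": attrs.get("displayName", username),
        # mapped groups are replaced, not appended, so an attribute the IdP
        # stops asserting also drops the group on the next login
        "groups": groups_for(attrs, mapping),
    })
    return record


def safe_redirect(redirect_to, allowed_hosts, fallback="/crowd/console/"):
    """Follow redirectTo only into an integrated application over https."""
    parts = urlsplit(redirect_to or "")
    if parts.scheme == "https" and parts.netloc in allowed_hosts:
        return redirect_to
    return fallback


if __name__ == "__main__":
    mapping = parse_mapping(MAPPING_PROPERTIES)
    directory = {}
    user = provision(directory, SHIB_ATTRS, mapping)
    print(user)
    print(safe_redirect("https://confluence.example.org/display/X",
                        {"confluence.example.org"}))
```

The redirect check is the practitioner's caveat for step 4: the `redirectTo` value arrives from the browser, so the Crowd side should only honour targets on hosts it actually fronts for.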
Hi Gary,
Eduix (an Atlassian partner in Finland) have integrated Crowd with Shibboleth and deployed it for NORDUnet. I believe they're planning to OSS the work, though I don't know that there's a timetable for this.
I'll ask them to comment on this issue.
Cheers,
Dave.
Product Manager
With embedded Crowd in Confluence 3.5+, how is that going to jive with Shibboleth? I'm not sure whether we want to continue with the Confluence Shibboleth Authenticator and mess with the CrowdService instance, or to instead focus effort on just integrating Crowd with Shibboleth.
There is also:
http://jira.atlassian.com/browse/CWD-1389
http://confluence.atlassian.com/display/DEVNET/Crowd+Shibboleth+Authenticator (non-existent as of 2011-01-25 it seems?)
http://shibboleth.1660669.n2.nabble.com/Atlassian-Crowd-Shibboleth-td5322831.html
Probably the folks on this bug know this already, but for those finding the page via google, see: http://www.federation.org.au/twiki/bin/view/Federation/ShibJira
Not sure if this comment is on the right Issue for this request, it's filed under Crowd, but contains feature requests for Jira.
Having Shibboleth support in Crowd would be a great feature. Most Australian Universities are in the process of federating into the Australian Access Federation. "The Australian Access Federation provides the means of allowing a participating institution and/or a service provider to trust the information it receives from another participating institution", and uses Shibboleth as its backend. Having the ability to shibbolize Crowd makes temporary account support trivial for institutions that are Identity Providers (IdPs), and would remove a major blocker for adoption of Crowd in the Tertiary education sector.
We could really use JIRA auth with Shib in the near future, and kerberos as an interim solution.
Gary, when you say that you made some mods to the code to get it to work, are you referring to getting JIRA to work with Shib, or Confluence? We're really interested in JIRA as a product if we can use Shib with it. Thanks.
Moved to Atlassian contrib repository yesterday at http://confluence.atlassian.com/display/CONFEXT/Shibboleth+Authenticator+for+Confluence
Attached is a more recent version of the Confluence RemoteAuthenticator that is used as part of shibbolization along with the other stuff needed as mentioned in https://spaces.internet2.edu/display/SHIB/ShibbolizedConfluence . Again, this is for Confluence not Jira, but it is a start.
In addition, posting a comment to https://spaces.internet2.edu/display/SHIB/ShibbolizedConfluence though is probably the best way to find people that might be interested in testing any Jira shibbolized authenticator (since setting up Shib can be a royal pain). The primary contacts there are Scott Cantor (at Ohio State who is on Internet2 team), Chad LaJoie (of Georgetown University who wrote the original authenticator), and myself (I just jumped through the last hoops, made some mods to the code which I've attached to this ticket, and added to the documentation what we had to do to get it to work).
Note that this has been done for Confluence already. Maybe Jira authentication is similar?:
https://spaces.internet2.edu/display/SHIB/ShibbolizedConfluence
There appears to be a newer version (that claims to work with 2.7) located at https://github.com/Eduix/crowd-shibboleth-module. I posted my URL answer there, but in case it gets removed I will post here. I had to check out the login button at the nordu site itself to figure this out.
You set the login.url property in the seraph-config.xml file to http://YourServerName:8095/crowd/plugins/servlet/ssocookie?redirectTo=${originalurl}
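As an added example (not from the original comment or the Eduix module's own documentation), here is what that setting looks like in context in a Confluence seraph-config.xml. The host names, port and the `link.login.url` entry are assumptions; the `login.url` value is the one given in the comment above.

```xml
<!-- Added example: fragment of Confluence's seraph-config.xml; host names are assumed. -->
<security-config>
    <parameters>
        <!-- Send unauthenticated requests to the Shib-protected Crowd servlet
             instead of the Confluence login page. ${originalurl} is expanded
             by Seraph to the URL the user first asked for. -->
        <init-param>
            <param-name>login.url</param-name>
            <param-value>https://crowd.example.org:8095/crowd/plugins/servlet/ssocookie?redirectTo=${originalurl}</param-value>
        </init-param>
        <!-- Same target for the "Log in" link rendered in the page header. -->
        <init-param>
            <param-name>link.login.url</param-name>
            <param-value>https://crowd.example.org:8095/crowd/plugins/servlet/ssocookie?redirectTo=${originalurl}</param-value>
        </init-param>
    </parameters>
</security-config>
```

Two things to check after changing this: the Crowd URL must be the one your Shibboleth SP actually protects (http on 8095, as in the comment, works only if the SP sits in front of that port; otherwise use the https front end), and the `redirectTo` value is a full URL supplied by the client, so whatever handles it on the Crowd side should only redirect back to hosts of the integrated applications.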