-
Suggestion
-
Resolution: Unresolved
-
None
-
17
-
94
-
NOTE: This suggestion is for Jira Service Management Data Center. Using Jira Service Management Cloud? See the corresponding suggestion.
If you use Atlassian Crowd and its single sign-on (SSO) capabilities to manage users:
- In order for public signup to work, in JIRA, set the Crowd permission to be Read/Write. To do this, go to User management > User directories.
- When configuring who can authenticate to JIRA via Crowd, if you have customers that do not belong to groups, make sure you select the setting that allows all users in the directory to authenticate. See Mapping a Directory to an Application.
For more information, please read: Managing customers
Atlassian Crowd is a separate product and therefore if you wish to use Crowd for SSO, you will need to purchase a Crowd license that is large enough for your user base. Customers in JIRA Service Desk, while free in JIRA Service Desk, will consume a license in Crowd.
When you enable Crowd SSO for JIRA, you will only be able to authenticate as users from the Crowd server and users from the internal JIRA directory can’t authenticate to access JIRA. This means both paid JIRA users, agents and free JIRA Service Desk customers need to be users in Crowd.
It’d be useful to create a new authenticator that knows about JIRA Service Desk Customers in the internal JIRA directory and authenticate them differently from JIRA users.
Such a change would require changes to Crowd, JIRA and JIRA Service Desk. There are currently no plans to undertake this work in the next 6-12 months. If you are interested in this feature, please watch, vote and add a comment with your specific use case.
- blocks
-
- Closed
- is blocked by
-
- Gathering Interest
- is duplicated by
-
JSDSERVER-1720 Customers Cannot Login with SSO Enabled
-
- Closed
-
- relates to
-
-
- Closed
-
-
- Closed
-
- Closed
-
- Closed
-
- Reviewing
-
SDS-33045 Loading...
-
-
-
- links to
- mentioned in
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[JSDSERVER-1244] Create a Crowd SSO authenticator that will allow Customers to be authenticated from the local directory
This insane licensing scheme for Jira Service Desk when using Crowd is a megamonstrous nail in the Crowd coffin, but, hey Atlassian - it's your own choice to make 
Let me just add one more vote to this. With JSD and public signups enabled, using Crowd for authentication with anything other than the unrestricted user license opens us up to really simple denial-of-service attacks simply by registering a couple of accounts in JSD, thereby blocking new customer signups once the Crowd license hits its limit.
Customers don't see Crowd as a single product; it's a piece of glue to tie other Atlassian applications together. Requiring a $10k+ license to enable proper SSO-based authentication for those products is insane from a business perspective.
This issue will hit five (5) years. I don't think Atlassian will change it's mind on customers licensing with Crowd. The solution here will be to ditch Crowd completelly.
Hi, I think the same as Mohammed Amine.
Today I'm using keycloak as a customer manager, but sticking with the crowd managing operators and another system to manage customers is not feasible.
I am seriously considering migrating everything to keycloak and leaving the crowd.
I would prefer to get everything on a single platform from the same manufacturer, but if it is not possible, I am evaluating this migration.
It is really a must have. A client with 50 agents cannot pay for 500 clients ! Moreover if his customer base is growing it is really difficult to explain that he has to buy more licences for customers. No other service desk application is doing that. Please consider this suggestion urgency.
James McPherson
added a comment - Our organization just rolled out the service desk product on the premise that it would allow customers to submit requests w/out consuming our developer licenses in Jira, and while this is sort of true, since they are managed through Crowd this is not the case, this became apparent and painful to see as our Crowd licenses were unknowingly being consumed as new customers were signing up and consuming these licenses, as it stands we have 1 seat left after a day of release and to find this issue (which has been around for several years it seems is disheartening). Please remove the dependency that customer accounts consume Crowd licenses, it is urgently needed and this will no doubt damage my advocacy of Atlassian products in my organization.
James McPherson
added a comment - Our organization just rolled out the service desk product on the premise that it would allow customers to submit requests w/out consuming our developer licenses in Jira, and while this is sort of true, since they are managed through Crowd this is not the case, this became apparent and painful to see as our Crowd licenses were unknowingly being consumed as new customers were signing up and consuming these licenses, as it stands we have 1 seat left after a day of release and to find this issue (which has been around for several years it seems is disheartening). Please remove the dependency that customer accounts consume Crowd licenses, it is urgently needed and this will no doubt damage my advocacy of Atlassian products in my organization. We've read in the latest Crowd release notes for 3.4 "We’re proud to present you SSO 2.0 - Crowd’s single point of access for Jira, Jira Service Desk, Bitbucket, and Confluence across different domains with one common login page." so I think that will stop the MIDAN Authenticator work around from being viable.
Our answer may be to go to the DC versions of the other products and use ADFS for SSO. As we can put as many customers as we want into AD and/or the local directory we may just have to drop crowd all together.
This is also affecting me. However, it seems that if I put the Jira internal directory first in the list of directories, then JSD creates the new user locally in the Jira directory and not in Crowd. This is a sufficient workaround for me.