
Create a Crowd SSO authenticator that will allow Customers to be authenticated from the local directory

    • We collect Jira Service Desk feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for Jira Service Management Data Center. Using Jira Service Management Cloud? See the corresponding suggestion.

      How to configure JSD and Crowd SSO

      If you use Atlassian Crowd and its single sign-on (SSO) capabilities to manage users:

      • In order for public signup to work, in JIRA, set the Crowd permission to be Read/Write. To do this, go to User management > User directories.
      • When configuring who can authenticate to JIRA via Crowd, if you have customers that do not belong to groups, make sure you select the setting that allows all users in the directory to authenticate. See Mapping a Directory to an Application.

      For more information, please read: Managing customers

      Crowd Licensing

      Atlassian Crowd is a separate product and therefore if you wish to use Crowd for SSO, you will need to purchase a Crowd license that is large enough for your user base. Customers in JIRA Service Desk, while free in JIRA Service Desk, will consume a license in Crowd.

      When you enable Crowd SSO for JIRA, you will only be able to authenticate as users from the Crowd server; users from the internal JIRA directory can’t authenticate to access JIRA. This means paid JIRA users, agents and free JIRA Service Desk customers all need to be users in Crowd.

      It’d be useful to create a new authenticator that knows about JIRA Service Desk Customers in the internal JIRA directory and authenticates them differently from JIRA users.

      Such a change would require changes to Crowd, JIRA and JIRA Service Desk. There are currently no plans to undertake this work in the next 6-12 months. If you are interested in this feature, please watch, vote and add a comment with your specific use case.

            [JSDSERVER-1244] Create a Crowd SSO authenticator that will allow Customers to be authenticated from the local directory

            Vick Khera added a comment - This is also affecting me. However, it seems that if I put the Jira internal directory first in the list of directories, then JSD creates the new user locally in the Jira directory and not in Crowd. This is a sufficient workaround for me.

            Ultra Profissionais added a comment - I replaced Crowd with Keycloak.

            Brian added a comment - This insane licensing scheme for Jira Service Desk when using Crowd is a megamonstrous nail in the Crowd coffin, but, hey Atlassian - it's your own choice to make   

            Maarten Vink added a comment - Let me just add one more vote to this. With JSD and public signups enabled, using Crowd for authentication with anything other than the unrestricted user license opens us up to really simple denial-of-service attacks simply by registering a couple of accounts in JSD, thereby blocking new customer signups once the Crowd license hits its limit.  Customers don't see Crowd as a single product; it's a piece of glue to tie other Atlassian applications together. Requiring a $10k+ license to enable proper SSO-based authentication for those products is insane from a business perspective. 

            Vinícius Ferrão added a comment - This issue will hit five (5) years. I don't think Atlassian will change its mind on customers licensing with Crowd. The solution here will be to ditch Crowd completely.

            Ultra Profissionais added a comment - Hi, I think the same as Mohammed Amine. Today I'm using Keycloak as a customer manager, but sticking with Crowd managing operators and another system to manage customers is not feasible. I am seriously considering migrating everything to Keycloak and leaving Crowd. I would prefer to get everything on a single platform from the same manufacturer, but if it is not possible, I am evaluating this migration.

            M Amine added a comment - It is really a must-have. A client with 50 agents cannot pay for 500 clients! Moreover, if his customer base is growing, it is really difficult to explain that he has to buy more licences for customers. No other service desk application is doing that. Please consider this suggestion's urgency.

            Florian Reichl added a comment - Someone should take this issue seriously...

            James McPherson added a comment - Our organization just rolled out the service desk product on the premise that it would allow customers to submit requests w/out consuming our developer licenses in Jira, and while this is sort of true, since they are managed through Crowd this is not the case. This became apparent and painful to see as our Crowd licenses were unknowingly being consumed as new customers were signing up and consuming these licenses. As it stands we have 1 seat left after a day of release, and to find this issue (which has been around for several years, it seems) is disheartening. Please remove the dependency that customer accounts consume Crowd licenses; it is urgently needed and this will no doubt damage my advocacy of Atlassian products in my organization.

            Damian Wheeler (Otago) added a comment - We've read in the latest Crowd release notes for 3.4 "We’re proud to present you SSO 2.0 - Crowd’s single point of access for Jira, Jira Service Desk, Bitbucket, and Confluence across different domains with one common login page." so I think that will stop the MIDAN Authenticator workaround from being viable. Our answer may be to go to the DC versions of the other products and use ADFS for SSO. As we can put as many customers as we want into AD and/or the local directory, we may just have to drop Crowd altogether.

              Unassigned Unassigned
              ezhang Ed Zhang (Automation)
              Votes: 289
              Watchers: 185