Setting up Bamboo with Crowd using SSO

Purpose

This Knowledge Base Article provides you with a quick tutorial on what is necessary to set up Single Sign-On (SSO) authentication between Bamboo and Crowd.

Note

This tutorial will follow Example 1 in Overview of SSO - https://confluence.atlassian.com/x/HR6yCg

Example 1: If you wish to have single sign-on (SSO) support for *.mydomain.com, you will need to configure the SSO domain in Crowd as .mydomain.com — including the full stop ('.') at the beginning. All your Crowd-connected applications must be in the same domain. For example:

Summary

Setting up Apache

Below is a sample Apache configuration that sets up a VirtualHost for each of the applications:

Crowd

<VirtualHost *:80>
    ServerName crowd.mydomain.com

    ErrorLog /etc/apache2/logs/crowd-error.log
    CustomLog /etc/apache2/logs/crowd-access.log combined

    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
       Order deny,allow
       Allow from all
    </Proxy>

    ProxyPass / http://localhost:8095/
    ProxyPassReverse / http://localhost:8095/
</VirtualHost>

Bamboo

<VirtualHost *:80>
    ServerName bamboo.mydomain.com

    ErrorLog /etc/apache2/logs/bamboo-error.log
    CustomLog /etc/apache2/logs/bamboo-access.log combined

    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
       Order deny,allow
       Allow from all
    </Proxy>

    ProxyPass / http://localhost:8085/
    ProxyPassReverse / http://localhost:8085/
</VirtualHost>


Setting up Crowd

Let's remove the context path from Crowd by following Removing the 'crowd' Context from the Application URL - https://confluence.atlassian.com/x/uAVODQ

To remove the /crowd part from the URL:

  1. In <crowd-install>/build.properties set the crowd.url variable to the following:

    # Crowd context root
    crowd.url=http://localhost:8095/
    

    Since you already know the DNS name Crowd will be using, you can simply set crowd.url to http://crowd.mydomain.com

  2. Run <crowd-install>/build.sh (UNIX) or <crowd-install>\build.bat (Windows).

  3. Change your <crowd-install>/apache-tomcat/conf/server.xml file to have the following Host section configuration:

    <Engine defaultHost="localhost" name="Catalina">
         <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
               <Context path="" docBase="../../crowd-webapp" debug="0">
                     <Manager pathname="" />
               </Context>
         </Host>
    </Engine>
    
  4. Perform a backup of the crowd.xml file in <crowd-install>/apache-tomcat/conf/Catalina/localhost to another directory.

  5. From <crowd-install>/apache-tomcat/conf/Catalina/localhost, remove the crowd.xml file to prevent Tomcat from loading the /crowd context.

  6. Append proxyName and proxyPort to the Connector in <crowd-install>/apache-tomcat/conf/server.xml as follows:

    <Connector URIEncoding="UTF-8"
        acceptCount="100"
        compressableMimeType="text/html,text/xml,application/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript"
        compression="on"
        connectionTimeout="20000"
        disableUploadTimeout="true"
        enableLookups="false"
        maxHttpHeaderSize="8192"
        maxThreads="150"
        minSpareThreads="25"
        port="8095"
        redirectPort="8443"
        sendReasonPhrase="true"
        useBodyEncodingForURI="true"
        proxyName="crowd.mydomain.com"
        proxyPort="80"
        />
    

Changes in Crowd's UI

 
After the restart, in the Server Settings screen, change the base URL to http://crowd.mydomain.com and set the SSO domain to .mydomain.com.

Take note of the SSO cookie name, as it will be used later in Bamboo's configuration when appending an attribute to crowd.properties.


Create a group in Crowd called bamboo-admin

 
Create a user in Crowd that will have access to Bamboo


Grant this user membership by assigning it to bamboo-admin

Creating an Application in Crowd to be consumed by Bamboo

In case the information below does not cover the necessary steps to create an application, please refer to our official documentation on Adding an Application - https://confluence.atlassian.com/x/h4AbAQ


For simplicity, create a Bamboo application with:

  • Application name as bamboo
  • Application password as bamboo

 
Provide Bamboo's URL (http://bamboo.mydomain.com) and resolve its IP address


Select the directories you are going to let this application use for authentication and authorisation.

 
Allow all users to authenticate and finish by clicking Add application on the following screen.

Setting up Bamboo

Setting up proxy

Append proxyName and proxyPort to the Connector in <bamboo-install>/conf/server.xml as follows:

<Connector
    protocol="HTTP/1.1"
    port="8085"
 
    maxThreads="150" minSpareThreads="25"
    connectionTimeout="20000"
    disableUploadTimeout="true"
    acceptCount="100"
 
    enableLookups="false"
    maxHttpHeaderSize="8192"
 
    useBodyEncodingForURI="true"
    URIEncoding="UTF-8"
 
    redirectPort="8443"
     
    proxyName="bamboo.mydomain.com"
    proxyPort="80"
    />
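
Tomcat uses proxyName and proxyPort when it builds redirects and absolute URLs, so both values have to agree with the Apache VirtualHost in front of it. The check below is an added example, not part of the original article; the function names and the abbreviated sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples, abbreviated from the Bamboo VirtualHost and Connector
# shown in this article.
VHOST = """<VirtualHost *:80>
    ServerName bamboo.mydomain.com
    ProxyPreserveHost On
    ProxyPass / http://localhost:8085/
    ProxyPassReverse / http://localhost:8085/
</VirtualHost>"""
CONNECTOR = ('<Connector protocol="HTTP/1.1" port="8085" '
             'proxyName="bamboo.mydomain.com" proxyPort="80"/>')


def vhost_facts(conf):
    """Extract listen port, ServerName and ProxyPass backend port from one VirtualHost."""
    listen = re.search(r"<VirtualHost\s+\S*:(\d+)>", conf).group(1)
    name = re.search(r"^\s*ServerName\s+(\S+)", conf, re.M).group(1)
    # "ProxyPass" followed by whitespace, so ProxyPassReverse is not matched here.
    backend = re.search(r"^\s*ProxyPass\s+/\s+https?://[^:/\s]+:(\d+)", conf, re.M).group(1)
    return {"listen": listen, "name": name, "backend": backend}


def connector_mismatches(vhost_conf, connector_xml):
    """Return {attribute: (found, expected)} for every Connector attribute
    that disagrees with the VirtualHost; an empty dict means they agree."""
    v = vhost_facts(vhost_conf)
    attrs = ET.fromstring(connector_xml).attrib
    expected = {"proxyName": v["name"], "proxyPort": v["listen"], "port": v["backend"]}
    return {k: (attrs.get(k), want) for k, want in expected.items() if attrs.get(k) != want}


if __name__ == "__main__":
    print(connector_mismatches(VHOST, CONNECTOR))
```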

Changes in Bamboo's UI

Let's set up Bamboo to authenticate against Crowd:

  1. Go to Bamboo administration >> Overview >> Security >> User repositories
  2. Select Users and groups from JIRA or Crowd

    Server URL

    http://crowd.mydomain.com

    Application name

    bamboo

    Application password

    bamboo

crowd.properties in Bamboo

application.name                        bamboo
# application.password                    bamboo
application.login.url                   http://localhost:8095/crowd/console/
 
crowd.server.url                        http://localhost:8095/crowd/services/
 
session.isauthenticated                 session.isauthenticated
session.tokenkey                        session.tokenkey
session.validationinterval              2
session.lastvalidation                  session.lastvalidation
 
bamboo.crowd.cache.minutes              60

The block above is crowd.properties, located under <bamboo-home>/xml-data/configuration, as it appears in a vanilla Bamboo instance.

#Wed Mar 14 14:24:19 BRT 2018
session.lastvalidation=session.lastvalidation
session.tokenkey=session.tokenkey
crowd.server.url=http\://localhost\:8095/crowd/services/
application.name=bamboo
crowd.base.url=http\://crowd.mydomain.com
session.isauthenticated=session.isauthenticated
application.login.url=http\://localhost\:8095/crowd/console/
session.validationinterval=2
bamboo.crowd.cache.minutes=1
application.password=bamboo

The block above is the same file after Crowd has been set up as the authentication method through Bamboo administration >> Overview >> Security >> User repositories.

Both configuration settings (tab or equals sign separator) are valid and can be read by Bamboo.


Enabling SSO in Bamboo

Let's enable SSO in Bamboo by following Integrating Bamboo with Crowd - https://confluence.atlassian.com/x/IQU_EQ

To enable single sign-on (SSO), you will configure Bamboo's authentication and access request calls to use Seraph. To configure Seraph-based authentication:

  1. Shut down Bamboo.
  2. Edit the <bamboo-install>/atlassian-bamboo/WEB-INF/classes/seraph-config.xml
  3. Comment out the authenticator node

    <!--<authenticator class="com.atlassian.bamboo.user.authentication.BambooAuthenticator"/>-->
    
  4. Uncomment the following tag

    <authenticator class="com.atlassian.crowd.integration.seraph.v25.BambooAuthenticator"/>
    
  5. Append the following property to <bamboo-home>/xml-data/configuration/crowd.properties. Its value is the one shown in Crowd under Single Sign-On cookie settings >> SSO cookie name.

    cookie.tokenkey=crowd.token_key
    


    Follow the pattern used by the current crowd.properties configuration file. If it uses the equals sign as the separator, append the line as shown above. Otherwise, replace the equals sign with a tab.

  6. Start Bamboo. Bamboo's authentication and access request calls will now be performed using Seraph.
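
A check for the finished configuration, added here as an example and not part of the original article or Atlassian's code: it reads crowd.properties in either separator form and compares it with the SSO domain and cookie name set in Crowd. The function names, the sample inputs and the two extra findings (plain HTTP, application password equal to the application name) are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit
# Constructed sample: the article's equals-sign file, shortened, plus step 5's line.
SAMPLE_EQUALS = r"""#Wed Mar 14 14:24:19 BRT 2018
crowd.server.url=http\://localhost\:8095/crowd/services/
application.name=bamboo
crowd.base.url=http\://crowd.mydomain.com
application.password=bamboo
cookie.tokenkey=crowd.token_key
"""
# Constructed sample: tab-separated form, cookie.tokenkey not yet appended.
SAMPLE_TAB = "application.name\tbamboo\ncrowd.base.url\thttp://localhost:8095/\n"

def parse_properties(text):
    """Parse the Java .properties subset crowd.properties uses: '#'/'!' comments,
    key ended by '=', ':' or whitespace, backslash escapes (no continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^\s=:\\])+)\s*[=:]?\s*(.*)", line)
        if m:
            key, value = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            props[key] = value
    return props

def check_sso(props, sso_domain, cookie_name, bamboo_url):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if props.get("cookie.tokenkey") != cookie_name:
        findings.append("cookie.tokenkey missing or not Crowd's SSO cookie name")
    urls = {"crowd.base.url": props.get("crowd.base.url", ""), "Bamboo URL": bamboo_url}
    for label, url in urls.items():
        parts = urlsplit(url)
        # A cookie scoped to .mydomain.com is only sent to hosts under that domain.
        if not ("." + (parts.hostname or "")).endswith(sso_domain):
            findings.append(f"{label} host is outside SSO domain {sso_domain}")
        if parts.scheme != "https":
            findings.append(f"{label} is not HTTPS: SSO cookie sent in clear text")
    password = props.get("application.password")
    if password and password == props.get("application.name"):
        findings.append("application.password equals application.name")
    return findings

if __name__ == "__main__":
    for text in (SAMPLE_EQUALS, SAMPLE_TAB):
        print(check_sso(parse_properties(text), ".mydomain.com",
                        "crowd.token_key", "http://bamboo.mydomain.com"))
```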

Troubleshooting

While following this Knowledge Base Article you may come across the following known issue(s):

Last modified on July 9, 2019
