Currently Crowd supports centralised authentication and single sign-on for JIRA versions 3.7.4 and later.
このドキュメントがご利用の Crowd バージョンに適用されるかどうかをご確認ください
Please check the Crowd release number in this documentation against your version of Crowd. If you are using a different version of Crowd, you can find the appropriate documentation under 'Previous Versions' on the Crowd documentation homepage.
On this page:
Compatibility of JIRA and Crowd Versions
Please ensure that your Crowd and JIRA versions are compatible:
- If you are using JIRA 4.2 please upgrade to Crowd 2.0.7 or later. (watch out for Crowd 2.4 though: JRA-27890 - Getting issue details... STATUS )
- If you are using JIRA 4.3 or later, please upgrade to Crowd 2.1 or later.
Explanation: With JIRA 4.3 and higher, the communication between JIRA and Crowd has been changed from SOAP to REST.
Prerequisites
1 つの Tomcat コンテナに複数のアトラシアン アプリケーションをデプロイしないでください。
弊社では、多くの実用的な理由から、複数のアトラシアンアプリケーションを単一の Tomcat コンテナーにデプロイするサポートは行っておりません。第一に、アプリケーションをアップグレードするには Tomcat をシャットダウンする必要があります。第二に、1つのアプリケーションがクラッシュすると、その Tomcat コンテナーで実行中のその他のアプリケーションにアクセスできなくなります。
したがって、Crowd を実行する Tomcat コンテナ内に他のアプリケーションをデプロイすることは推奨されません。このような他のアプリケーションが大容量のメモリを必要としたり、Tomcat の lib
サブディレクトリ内に追加のライブラリを必要とする場合は特に推奨されません。
- Download and install Crowd. Refer to the Crowd installation guide for instructions. We will refer to the Crowd root folder as
CROWD
. - Download and install JIRA (version 3.7.4 or later). Refer to the JIRA installation guide for instructions. We will refer to the JIRA root folder as
JIRA
. For the purposes of this document, we will assume that you have used the 'Crowd distribution (not EAR-WAR)' (i.e. the easier and recommended) installation method of JIRA. If you need to install JIRA as an EAR/WAR, simply explode the EAR/WAR and make the necessary changes as described below, then repackage the EAR/WAR. - Run the JIRA Setup Wizard, as described in the JIRA documentation. During this setup process, you will define the JIRA administrator's username and password. It is easier to do this before you integrate JIRA with Crowd.
- For JIRA 4.2 or earlier: after setting up JIRA, shut down JIRA before you begin the integration process described below.
If you are using JIRA as a User Directory in any other applications such as Fisheye or Confluence these will be inaccessible while JIRA is shut down. You can avoid this by configuring these applications to use Crowd prior to integrating Crowd with JIRA.
Step 1. Configuring Crowd to talk to JIRA
1.1 Prepare Crowd's Directories/Groups/Users for JIRA
- The JIRA application will need to locate users from a directory configured in Crowd. You will need to set up a directory in Crowd for JIRA. This directory may be any Crowd-configured directory, such as an LDAP directory hooked up to Crowd or a Crowd internal directory. For information on how to do this, see Adding a Directory.
We will assume that the directory is called JIRA Directory in Crowd for the rest of this document. It is possible to assign more than one directory for an application, but for the purposes of this example, we will use JIRA Directory in Crowd to house JIRA users. - JIRA also requires particular groups to exist in the directory in order to authenticate users. You need to ensure that these three groups exist in the JIRA Directory in Crowd:
jira-users
jira-developers
jira-administrators
- You also need to ensure that the JIRA Directory in Crowd contains at least one user who is a member of all three groups. You can either:
- If you have an existing JIRA deployment and would like to import existing groups and users into Crowd, use the JIRA Importer tool by navigating to Users > Import Users > Atlassian Importer. Select 'JIRA' as the Atlassian Product and the JIRA Directory in Crowd as the directory into which JIRA users will be imported. For details please see Importing Users from Atlassian JIRA. If you are going to import users into Crowd, you need to do this now before you proceed any further.
OR: - If you don't wish to import your JIRA users, use the Crowd Administration Console to create the three groups, then create at least one user in the JIRA Directory in Crowd and add them to the three JIRA-specific groups (above). The Crowd documentation has more information on creating groups, creating users and assigning users to groups.
- If you have an existing JIRA deployment and would like to import existing groups and users into Crowd, use the JIRA Importer tool by navigating to Users > Import Users > Atlassian Importer. Select 'JIRA' as the Atlassian Product and the JIRA Directory in Crowd as the directory into which JIRA users will be imported. For details please see Importing Users from Atlassian JIRA. If you are going to import users into Crowd, you need to do this now before you proceed any further.
必要なグループが存在しない場合、Jira でエラーが発生します
JIRA expects that the group names mentioned above will exist. If you need to use different group names, you may want to remove the above pre-existing groups from JIRA's Global Permissions. If the above groups do not exist somewhere in Crowd, you will receive an error when you try to remove the groups from JIRA's Global Permissions.
1.2 Define the JIRA Application in Crowd
If multiple versions of JIRA are being connected to Crowd, ensure you define an application in Crowd for each one
Crowd needs to be aware that the JIRA application will be making authentication requests to Crowd. We need to add the JIRA application to Crowd and map it to the JIRA Directory in Crowd.
- Log in to the Crowd Administration Console and navigate to Applications > Add Application.
- Complete the 'Add Application' wizard for the JIRA application. See the instructions. The Name and Password values you specify in the 'Add Application' wizard must match the application.name and application.password that you will set in the
JIRA/atlassian-jira/WEB-INF/classes/crowd.properties
file. (See Step 2 below.)
1.3 Specify which users can log in to JIRA
Once Crowd is aware of the JIRA application, Crowd needs to know which users can authenticate (log in) to JIRA via Crowd. As part of the 'Add Application' wizard, you will set up your directories and group authorisations for the application. If necessary, you can adjust these settings after completing the wizard. Below are some examples.
You can either allow entire directories to authenticate, or just particular groups within the directories. In our example, we will allow the jira-users
, jira-developers
and jira-administrators
groups within the JIRA Directory in Crowd to authenticate:
With this example, only users who are members of the jira-users
, jira-developers
and jira-administrators
groups will be able to authenticate against JIRA.
For details please see Specifying which Groups can access an Application.
1.4 Specify the address from which JIRA can log in to Crowd
As part of the 'Add Application' wizard, you will set up JIRA's IP address. This is the address which JIRA will use to authenticate to Crowd. If necessary you can add a hostname, in addition to the IP address, after completing the wizard. See Specifying an Application's Address or Hostname.
Step 2. Configuring JIRA to talk to Crowd
The instructions for step 2 below apply to JIRA 4.3 or newer. If you use JIRA 4.2 or older, please follow "Step 2" on Integrating Crowd with Atlassian JIRA 4.2 or earlier instead.
2.1 Add a Crowd Directory in JIRA
JIRA can use Crowd for user authentication simply by adding 'Atlassian Crowd' as user directory.
- Login to the administration section of JIRA
- Click on the 'User Directories' label of the left bar under the 'Users, Groups & Roles' tab.
- Click 'Add Directory'. Then select 'Atlassian Crowd' from the dropdown list. Click 'Next'.
- Enter connection parameters and save. If you configure Server URL to use HTTPS, by replacing http:// with https://, communications between JIRA and Crowd will be encrypted.
- ユーザー ディレクトリの一覧に新しい Crowd ディレクトリが表示されます。
For more information on configuring a Crowd directory in JIRA, check out the JIRA documentation on Connecting to Crowd or Another JIRA Server for User Management.
2.2 Configure JIRA to use Crowd's Authenticator to enable SSO (Optional)
At this stage, JIRA is set up for centralised authentication. If you wish, you can now enable single sign-on (SSO) to JIRA. This will ensure that JIRA's authentication and access request calls will be performed using Seraph.
Note: if you are migrating/upgrading a JIRA instance that already uses Crowd, you will need to merge these files (not overwrite them).
- If JIRA is running, shut it down first.
JIRA/atlassian-jira/WEB-INF/classes/seraph-config.xml
ファイルを編集します。authenticator
ノードをコメント アウトします。<!--<authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/>-->
新しいオーセンティケータを含む行のコメントを解除します。<authenticator class="com.atlassian.jira.security.login.SSOSeraphAuthenticator"/>
CROWD/client/conf/
からJIRA/atlassian-jira/WEB-INF/classes
にcrowd.properties
ファイルをコピーします。JIRA/atlassian-jira/WEB-INF/classes/crowd.properties
を編集します。次のプロパティを変更します。キー
値
application.name
jira
The application name must match the name that you specified when you defined the application in Crowd (see Step 1 above).application.password
パスワードは Crowd のアプリケーションで定義した名前と一致している必要があります (前述のステップ 1 を参照)。
application.login.url
This should be set to the base URL of your JIRA server. Crowd will redirect users here if they need to authenticate.
crowd.base.url
eg. (http://localhost:8095/crowd/)
If your Crowd server's port is configured differently from the default (i.e. 8095), set it accordingly.crowd.base.url は、ブラウザで Crowd にアクセスするために使用する URL と同じものである必要があります。
session.validationinterval
各リクエストで認証チェックを行いたい場合は 0 に設定します。その他の場合、ユーザーが Crowd SSO サーバーにログインしているかどうかを検証するためのリクエスト間隔を分単位で設定します。この値を 1 以上に設定すると、Crowd 連携のパフォーマンスが改善します。
It is possible to define multiple user directories in JIRA. However, if you enable SSO integration, you will only be able to authenticate as users from the Crowd server defined in the crowd.properties
file.
You can read more about optional settings in the crowd.properties file.
2.3 (Optional) Disable the Auto-Complete Function in JIRA's User Picker
To improve performance on page-loading in JIRA, we recommend that you disable the auto-complete function in JIRA's 'User Picker' popup screens. Follow the instructions in the JIRA documentation.
More information: In our experience, disabling this feature in JIRA helps performance for customers with extremely large user bases. If you leave this feature enabled and have adequate performance results in JIRA, feel free to leave it enabled.
Crowd の動作を確認する
- You should now be able to login using users belonging to the
jira-users
group. Try adding a user to the group using Crowd — you should be able to login to JIRA using this newly created user. That's centralised authentication in action! - If you have enabled SSO, you can try adding the JIRA Directory in Crowd and
jira-administrators
group to the crowd application (see Mapping a Directory to an Application and Specifying which Groups can access an Application). This will allow JIRA administrators to log in to the Crowd Administration Console. Try logging in to Crowd as a JIRA administrator, and then point your browser at JIRA. You should be logged in as the same user in JIRA. That's single sign-on in action!
既知の制限事項
If you are using JIRA 4.2, a problem occurs in JIRA if a user is removed after that user has participated in an issue i.e. if JIRA refers to the user. If the user is internally managed by JIRA, JIRA will prevent the removal of the user but if the user is managed by an external system such as Crowd, JIRA will throw a DataAccessException
. We recommend upgrading JIRA or deactivating the user's account by removing them from the jira-users
group.
If you are using JIRA 4.3 or later, this problem has been resolved, allowing the removal of users that are externally managed, despite existing data associations. When a user managed by an external system such as Crowd is removed, any user associations in JIRA will continue to be associated, with the username acting as a placeholder. This username will not be listed in the User Browser and no profile exists for that user.
関連トピック
- Using the Application Browser
- アプリケーションの追加
- Integrating Crowd with Atlassian Bamboo
- Integrating Crowd with Atlassian Confluence
- Integrating Crowd with Atlassian CrowdID
- Integrating Crowd with Atlassian Crucible
- Integrating Crowd with Atlassian FishEye
- Integrating Crowd with Atlassian JIRA
- Integrating Crowd with Atlassian Stash
- Integrating Crowd with Acegi Security
- Integrating Crowd with Apache
- Disabling Previous Versions of the Crowd Apache Connector
- Installing the Crowd Apache Connector on CentOS Linux
- Installing the Crowd Apache Connector on Red Hat Enterprise Linux
- Installing the Crowd Apache Connector on Ubuntu Linux
- Installing the Crowd Apache Connector on Debian
- Installing the Crowd Apache Connector on Other UNIX-Like Systems
- Installing the Crowd Apache Connector on Windows
- Integrating Crowd with Jive Forums
- Integrating Crowd with Spring Security
- Integrating Crowd with Subversion
- Integrating Crowd with a Custom Application
- Configuring the Google Apps Connector
- Mapping a Directory to an Application
- Specifying an Application's Address or Hostname
- Testing a User's Login to an Application
- Enforcing Lower-Case Usernames and Groups for an Application
- Managing an Application's Session
- Deleting or Deactivating an Application
- Configuring Caching for an Application
- Overview of SSO
- Configuring Options for an Application