Documentation for Crowd 1.2.

Atlassian's popular Confluence wiki can quickly be configured to use the atlassian-user libraries to link in single or multiple directory servers through Crowd.

Currently Crowd supports centralised authentication and single sign-on (SSO) for Confluence versions 2.6.2 and later with Crowd 1.2 and later.

If you are using NTLM for Windows authentication, you may want to read about configuring Crowd's Confluence NTLM plugin for single sign on.

Prerequisites

  1. Download and install Crowd. Refer to the Crowd installation guide for detailed information on how to do this. We will refer to the Crowd root folder as CROWD.
  2. Download and install Confluence (version 2.6.2 or later). Refer to the Confluence installation guide for detailed information on how to do this. We will refer to the Confluence root folder as CONFLUENCE. For the purposes of this document, we will assume that the Standalone (i.e. the easier) installation method of Confluence has been used. If you need to install Confluence as an EAR/WAR, simply explode the EAR/WAR, make the necessary changes as described below, and repackage the EAR/WAR.
  3. After Confluence is set up, make sure Confluence is not running when you begin the integration process described below.

Step 1. Configuring Crowd to talk to Confluence

1.1 Prepare Crowd's Directories/Groups/Users for Confluence

The Confluence application will need to authenticate users against a directory configured in Crowd. You will need to set up a directory in Crowd for Confluence. For more information on how to do this, see 2.2 Adding a Directory. We will assume that the directory is called Confluence Directory for the rest of this document. It is possible to assign more than one directory for an application, but for the purposes of this example, we will use Confluence Directory to house Confluence users.

Confluence also requires particular groups to exist in the directory in order to authenticate users. You will need to create two groups in the Confluence Directory:

  1. confluence-users
  2. confluence-administrators

See the documentation on Creating Groups for more information on how to define these groups.

You also need to ensure that the Confluence Directory contains at least one user who is a member of both groups. You can either:

  • If you have an existing Confluence deployment and would like to import existing users (principals) and groups into Crowd, use the Confluence Importer tool by navigating to Principals > Import Users > Confluence. Select the Confluence Directory as the directory into which Confluence users will be imported. For details please see 2.4.1 Importing Users from Atlassian Confluence. Note: If you are going to import users into Crowd, you need to do this now, before you proceed any further.
    OR:
  • If you don't wish to import your Confluence users, make sure you use Crowd to create at least one principal in the Confluence Directory and assign them to both the confluence-users and confluence-administrators groups. The Crowd documentation has more information on creating groups, creating principals and assigning principals to groups.

1.2 Define the Confluence Application in Crowd

Crowd needs to be aware that the Confluence application will be making authentication requests to Crowd. We need to add the Confluence application to Crowd and map it to the Confluence Directory:

  1. Log in to the Crowd Administration Console and navigate to Applications > Add Application.
  2. Fill out the form to add the Confluence application:


     Attribute            Description

     Name
         The username which the application will use when it authenticates against the Crowd framework as a client. This value must be unique, i.e. it cannot be used by more than one application client.

     Description
         A short description of the application. Note: a web URL is often helpful.

     Active
         Only deselect this if you wish to prevent all users (from all directories) from accessing this application.

     Password
         The password which the application will use when it authenticates against the Crowd framework as a client.

     Default Directory
         A directory that contains relevant users. Note: additional directories can be added later.

     Note: The Name and Password values must match the application.name and application.password that you set in CONFLUENCE/confluence/WEB-INF/classes/crowd.properties (see Step 2 below).

1.3 Specify which users can log in to Confluence

Now that Crowd is aware of the Confluence application, Crowd needs to know which users can authenticate (log in) to Confluence via Crowd. You can either allow entire directories to authenticate, or just particular groups within the directories. In our example, we will allow the confluence-users and confluence-administrators groups within the Confluence Directory to authenticate:

For details please see 3.4 Specifying which Groups can access an Application.

1.4 Specify the address from which Confluence can log in to Crowd

Please see 3.5 Specifying an Application's Address or Hostname. Please note:

  • If Confluence is on a different host to Crowd
    If you are running Confluence on a different host to Crowd, you will need to modify the permissible hosts via the Remote Addresses tab. This lists the hosts/IP addresses that are allowed to authenticate to Crowd. If Confluence is remote to Crowd, add the IP address of your Confluence server and ensure the "Status" field is set to "true". Remove the entry for localhost.
  • If Confluence is on the same host as Crowd
    By default, when you add an application, localhost is a permissible foreign host. However, you will also need to manually add the IP address 127.0.0.1, as incoming requests to Crowd from Confluence (both on the same, local, host) may be from the host 127.0.0.1 and not localhost. Crowd does not do a DNS lookup of the hostname; rather, it compares the values as is. Ensure the "Status" field is set to "true".

Step 2. Configuring Confluence to talk to Crowd

2.1 Install the Crowd Client Libraries into Confluence

Confluence needs Crowd's client libraries in order to be able to delegate user authentication to the Crowd application. As stated earlier, we are going to be modifying the Confluence application by editing the standalone application, which is an exploded WAR stored in CONFLUENCE/confluence.

  1. Copy the Crowd client libraries and configuration files to Confluence (this is described in the Client Configuration documentation). This is summarised below:

     Copy From                                     Copy To
     CROWD/client/crowd-core-x.x.x.jar             CONFLUENCE/confluence/WEB-INF/lib
     CROWD/client/crowd-atlassian-user-x.x.x.jar   CONFLUENCE/confluence/WEB-INF/lib
     CROWD/client/conf/crowd.properties            CONFLUENCE/confluence/WEB-INF/classes

     There is no need to copy across anything from CROWD/client/lib. All the required libraries from there already exist in Confluence versions 2.3 and later.

     Confluence 2.5.6 to 2.6.1 is now incompatible with Crowd 1.2. It is recommended that you upgrade to 2.6.2 or later.

     If you cannot upgrade your Confluence instance, you will need to remove the file seraph-0.X.X.jar from CONFLUENCE-HOME/WEB-INF/lib and replace it with the following:
     http://repository.atlassian.com/maven2/com/atlassian/seraph/atlassian-seraph/0.9/atlassian-seraph-0.9.jar


  2. Edit CONFLUENCE/confluence/WEB-INF/classes/crowd.properties. Change the following properties:

     Key                          Value
     application.name             confluence
     application.password         set a password
     crowd.server.url             http://localhost:8095/crowd/services/
     session.validationinterval   Set to 0 if you want an authentication check to be performed on every request. Otherwise, set the interval, in minutes, between requests that validate whether the user is logged in to the Crowd SSO server. Setting this value to 1 or higher improves the performance of the Crowd integration.

     If your Crowd server's port is configured differently from the default (i.e. 8095), set it accordingly.

     Note: The application.name and application.password must match the Name and Password that you specified when defining the application in Crowd (see Step 1 above). Confluence does not use any of the other attributes of the crowd.properties file.
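The properties above are the only ones Confluence reads, and two of them (the application name and password) have to agree with what was entered in the Crowd console in Step 1. The following Python is an added example, not code from Crowd or Confluence: a small checker for a copied crowd.properties file, plus a model of the session.validationinterval semantics described in the table. The parse_properties, check_crowd_properties and needs_validation functions, the requirement that crowd.server.url end in /crowd/services/ (derived from the sample value in the table), and the sample file contents are all assumptions constructed for this example.

```python
"""Sanity checks for the crowd.properties file that Confluence reads, and a
model of what session.validationinterval controls.

Added example, not Crowd's or Confluence's own code. Assumes the plain
key=value layout of a Java .properties file and checks only the four keys
the guide says Confluence uses.
"""
from __future__ import annotations

import re

REQUIRED_KEYS = ("application.name", "application.password",
                 "crowd.server.url", "session.validationinterval")
# Placeholder value shown in the guide's table; it must be replaced before use.
PLACEHOLDER_PASSWORD = "set a password"
# Assumed shape of the server URL, generalised from the table's sample value.
SERVER_URL_PATTERN = re.compile(r"https?://[^/]+/crowd/services/$")
# key, optional '=' or ':' separator (whitespace alone also works in .properties), value
PROPERTY_LINE = re.compile(r"([^=:\s]+)\s*(?:[=:]\s*)?(.*)")


def parse_properties(text: str) -> dict[str, str]:
    """Minimal .properties parser: skips blank lines and '#'/'!' comments."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = PROPERTY_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_crowd_properties(text: str, expected_name: str | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file looks consistent.

    expected_name is the application Name defined in the Crowd console, when
    known; the guide says application.name must match it exactly.
    """
    props = parse_properties(text)
    problems: list[str] = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            problems.append(f"missing or empty: {key}")
    if props.get("application.password") == PLACEHOLDER_PASSWORD:
        problems.append("application.password still holds the placeholder value")
    name = props.get("application.name")
    if expected_name is not None and name not in (None, expected_name):
        problems.append(f"application.name {name!r} does not match the Crowd "
                        f"application {expected_name!r}")
    url = props.get("crowd.server.url", "")
    if url and not SERVER_URL_PATTERN.match(url):
        problems.append(f"crowd.server.url {url!r} is not of the form "
                        "http(s)://host:port/crowd/services/")
    interval = props.get("session.validationinterval", "")
    if interval and not interval.isdigit():
        problems.append("session.validationinterval must be a whole number of "
                        "minutes (0 = check on every request)")
    return problems


def needs_validation(interval_minutes: int, seconds_since_last: float) -> bool:
    """Model of the session.validationinterval semantics from the guide:
    0 re-validates the SSO session with Crowd on every request; otherwise the
    check is repeated only once the interval (in minutes) has elapsed."""
    if interval_minutes == 0:
        return True
    return seconds_since_last >= interval_minutes * 60


# Constructed sample file, deliberately left with the placeholder password.
SAMPLE_PROPERTIES = """\
# crowd.properties copied into CONFLUENCE/confluence/WEB-INF/classes
application.name=confluence
application.password=set a password
crowd.server.url=http://localhost:8095/crowd/services/
session.validationinterval=2
"""

if __name__ == "__main__":
    for problem in check_crowd_properties(SAMPLE_PROPERTIES, expected_name="confluence"):
        print("problem:", problem)
    print("interval 2, 60s since last check ->", needs_validation(2, 60))
    print("interval 2, 120s since last check ->", needs_validation(2, 120))
```

The checker is meant to be run against the copied file before Confluence is started, since a name or password mismatch only shows up later as a failed application authentication against Crowd. The trade-off behind needs_validation is the one the table states: 0 costs a round trip to Crowd on every request, while a value of 1 or more means a session invalidated in Crowd can stay usable in Confluence for up to that many minutes.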

2.2 Configure Confluence to use Crowd's Authenticator

Now that the Crowd client libraries exist, we need to configure Confluence to use them.

  1. Complete one of the following sub-steps, depending on your version of Confluence:
    • For Confluence versions earlier than 2.6.2, please upgrade to the latest stable version of Confluence.
  2. Edit the CONFLUENCE/confluence/WEB-INF/classes/atlassian-user.xml file so that the contents of the file is:
     <atlassian-user>
         <repositories>
             <crowd key="crowd" name="Crowd Repository"/>
         </repositories>
     </atlassian-user>

  3. At this stage, Confluence is set up for centralised authentication. If you wish, you can now enable single sign-on (SSO) to Confluence.
     Note: Skip this step if you are using the Confluence NTLM plugin to enable SSO. Instead, follow the instructions on configuring Confluence for NTLM SSO.

     Edit CONFLUENCE/confluence/WEB-INF/classes/seraph-config.xml. Comment out the authenticator node:
     <!--<authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>-->

     and add a new one:
     <authenticator class="com.atlassian.crowd.integration.seraph.ConfluenceAuthenticator"/>

     Confluence's authentication and access request calls will now be performed using Seraph.

2.3 Enable Confluence's 'External User Management'

Once the setup is complete, you may optionally wish to enable a Confluence feature known as 'External User Management', to prevent Confluence administrators from creating/modifying principals. For more information please see the Confluence documentation regarding External User Management.

  • If you are using Confluence 2.6.2 or earlier, this step is required, i.e. you must turn on external user management in Confluence.
  • If you have imported Confluence users into Crowd, you may want to delay turning on 'External User Management' for a week or two, to give users time to reset their passwords. (Because users' passwords are encrypted in Confluence's database, they will not be copied across to Crowd.)


2.4 (Optional) Tune the Cache

When utilising the atlassian-user and Crowd framework together with Confluence, it is highly recommended that caching be enabled. Multiple redundant calls to the atlassian-user framework are made on any given request. These results can be stored locally between calls by enabling caching via the Crowd Options menu. (Note that this caching in the Crowd application is enabled by default.)

Confluence will obtain all necessary information for the period specified by the cache configuration - see Configuring Caching for an Application. If a change or addition occurs in Crowd to users, groups and roles, these changes will not be visible in Confluence until the cache expires for that specific item (i.e. for the particular user, group or role).

Note: The default value for the application cache is 5 minutes (300 seconds). To increase the performance of your application, consider changing the cache value to one or two hours (3600 or 7200 seconds).

Checking that Crowd works

  • You should now be able to log in using principals belonging to the confluence-users group. Try adding a principal to the group using Crowd — you should be able to log in to Confluence using this newly created principal. That's centralised authentication in action!
  • If you have enabled SSO, you can try adding the Confluence Directory and confluence-administrators group to the crowd application (see 3.3 Mapping a Directory to an Application and 3.4 Specifying which Groups can access an Application). This will allow Confluence administrators to log in to the Crowd Administration Console. Try logging in to Crowd as a Confluence administrator, and then point your browser at Confluence. You should be logged in as the same principal in Confluence. That's single sign-on in action!

Related topics

Crowd 1.2 Documentation