Setting up Bamboo with Crowd using SSO

Purpose

This Knowledge Base Article provides you with a quick tutorial on what is necessary to set up Single Sign-On (SSO) authentication between Bamboo and Crowd.

Notes

This tutorial will follow Example 1 in Overview of SSO - https://confluence.atlassian.com/x/HR6yCg

Example 1: If you wish to have single sign-on (SSO) support for *.mydomain.com, you will need to configure the SSO domain in Crowd as .mydomain.com — including the full stop ('.') at the beginning. All your Crowd-connected applications must be in the same domain. For example:

Summary

Setting up Apache

Below is a sample Apache configuration that sets up a VirtualHost for each application:

Crowd

<VirtualHost *:80>
    ServerName crowd.mydomain.com

    ErrorLog /etc/apache2/logs/crowd-error.log
    CustomLog /etc/apache2/logs/crowd-access.log combined

    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
       Order deny,allow
       Allow from all
    </Proxy>

    ProxyPass / http://localhost:8095/
    ProxyPassReverse / http://localhost:8095/
</VirtualHost>

Bamboo

<VirtualHost *:80>
    ServerName bamboo.mydomain.com
     
    ErrorLog /etc/apache2/logs/bamboo-error.log
    CustomLog /etc/apache2/logs/bamboo-access.log combined
 
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
       Order deny,allow
       Allow from all
    </Proxy>
 
    ProxyPass / http://localhost:8085/
    ProxyPassReverse / http://localhost:8085/
</VirtualHost>


Setting up Crowd

Let's remove the context path from Crowd by following Removing the 'crowd' Context from the Application URL - https://confluence.atlassian.com/x/uAVODQ

To remove the /crowd part from the URL:

  1. In <crowd-install>/build.properties set the crowd.url variable to the following:

    # Crowd context root
    crowd.url=http://localhost:8095/
    

    Since you already know the DNS name Crowd will be using, you can simply set crowd.url to http://crowd.mydomain.com

  2. Run <crowd-install>/build.sh (UNIX) or <crowd-install>\build.bat (Windows).

  3. Change your <crowd-install>/apache-tomcat/conf/server.xml file so that the Host section has the following configuration:

    <Engine defaultHost="localhost" name="Catalina">
         <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
               <Context path="" docBase="../../crowd-webapp" debug="0">
                     <Manager pathname="" />
               </Context>
         </Host>
    </Engine>
    
  4. Perform a backup of the crowd.xml file in <crowd-install>/apache-tomcat/conf/Catalina/localhost to another directory.

  5. From <crowd-install>/apache-tomcat/conf/Catalina/localhost, remove the crowd.xml file to prevent Tomcat from loading the /crowd context.

  6. Append proxyName and proxyPort to the Connector in <crowd-install>/apache-tomcat/conf/server.xml as follows:

    <Connector URIEncoding="UTF-8"
        acceptCount="100"
        compressableMimeType="text/html,text/xml,application/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript"
        compression="on"
        connectionTimeout="20000"
        disableUploadTimeout="true"
        enableLookups="false"
        maxHttpHeaderSize="8192"
        maxThreads="150"
        minSpareThreads="25"
        port="8095"
        redirectPort="8443"
        sendReasonPhrase="true"
        useBodyEncodingForURI="true"
        proxyName="crowd.mydomain.com"
        proxyPort="80"
        />
    

Changes in Crowd's UI

 
After the restart, in the Server Settings screen, change the base URL to http://crowd.mydomain.com and add .mydomain.com as the SSO domain.

Take note of the SSO cookie name, as it will be used later in Bamboo's configuration when an attribute is appended to crowd.properties.

Create a group in Crowd called bamboo-admin.

Create a user in Crowd that will have access to Bamboo.

Grant this user membership by assigning it to bamboo-admin.

Creating an Application in Crowd to be consumed by Bamboo

In case the information below does not cover the necessary steps to create an application, please refer to our official documentation on Adding an Application - https://confluence.atlassian.com/x/h4AbAQ


For simplicity, create a Bamboo application with:

  • Application name as bamboo
  • Application password as bamboo

 
Provide Bamboo's URL (http://bamboo.mydomain.com) and resolve its IP address.

Select the directories you are going to let this application use for authentication and authorisation.

Allow all users to authenticate, and finish by clicking Add application on the following screen.

Setting up Bamboo

Setting up proxy

Append proxyName and proxyPort to the Connector in <bamboo-install>/conf/server.xml as follows:

<Connector
    protocol="HTTP/1.1"
    port="8085"
 
    maxThreads="150" minSpareThreads="25"
    connectionTimeout="20000"
    disableUploadTimeout="true"
    acceptCount="100"
 
    enableLookups="false"
    maxHttpHeaderSize="8192"
 
    useBodyEncodingForURI="true"
    URIEncoding="UTF-8"
 
    redirectPort="8443"
     
    proxyName="bamboo.mydomain.com"
    proxyPort="80"
    />

Changes in Bamboo's UI

Let's set up Bamboo to authenticate against Crowd:

  1. Go to Bamboo administration >> Overview >> Security >> User repositories
  2. Select Users and groups from JIRA or Crowd and enter the following values:

    • Server URL: http://crowd.mydomain.com
    • Application name: bamboo
    • Application password: bamboo

crowd.properties in Bamboo

application.name                        bamboo
# application.password                    bamboo
application.login.url                   http://localhost:8095/crowd/console/
 
crowd.server.url                        http://localhost:8095/crowd/services/
 
session.isauthenticated                 session.isauthenticated
session.tokenkey                        session.tokenkey
session.validationinterval              2
session.lastvalidation                  session.lastvalidation
 
bamboo.crowd.cache.minutes              60

The listing above is crowd.properties, located under <bamboo-home>/xml-data/configuration, as it appears in a vanilla Bamboo instance.

#Wed Mar 14 14:24:19 BRT 2018
session.lastvalidation=session.lastvalidation
session.tokenkey=session.tokenkey
crowd.server.url=http\://localhost\:8095/crowd/services/
application.name=bamboo
crowd.base.url=http\://crowd.mydomain.com
session.isauthenticated=session.isauthenticated
application.login.url=http\://localhost\:8095/crowd/console/
session.validationinterval=2
bamboo.crowd.cache.minutes=1
application.password=bamboo

The listing above is the same file after Crowd has been set up as the authentication method through Bamboo administration >> Overview >> Security >> User repositories.

Both configuration settings (tab or equals sign separator) are valid and can be read by Bamboo.


Enabling SSO in Bamboo

Let's enable SSO in Bamboo by following Integrating Bamboo with Crowd - https://confluence.atlassian.com/x/IQU_EQ

To enable single sign-on (SSO), you will configure Bamboo's authentication and access request calls to use Seraph. To configure Seraph-based authentication:

  1. Shut down Bamboo.
  2. Edit the <bamboo-install>/atlassian-bamboo/WEB-INF/classes/seraph-config.xml
  3. Comment out the authenticator node

    <!--<authenticator class="com.atlassian.bamboo.user.authentication.BambooAuthenticator"/>-->
    
  4. Uncomment the following tag

    <authenticator class="com.atlassian.crowd.integration.seraph.v25.BambooAuthenticator"/>
    
  5. Append the following property to <bamboo-home>/xml-data/configuration/crowd.properties. Its value is the one shown in Crowd under Single Sign-On cookie settings >> SSO cookie name.

    cookie.tokenkey=crowd.token_key
    


    Follow the pattern already used by your crowd.properties file. If the file uses the equals sign as separator, append the line exactly as shown above. Otherwise, replace the equals sign with a tab.

  6. Start Bamboo. Bamboo's authentication and access request calls will now be performed using Seraph.
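
A pre-start check for the settings this procedure depends on, as an added example that is not part of the original article or Atlassian's code. It reads crowd.properties in either layout (tab or equals sign), confirms cookie.tokenkey matches Crowd's SSO cookie name, and confirms each application URL falls under the SSO domain as in Example 1; the function names and sample strings are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Key, then '=' / ':' / whitespace as separator, then value (Java .properties rules).
_LINE = re.compile(r"^((?:\\.|[^\s=:\\])+)\s*[=:]?\s*(.*)$")

def parse_crowd_properties(text):
    """Read crowd.properties in either layout: key=value or key<whitespace>value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        m = _LINE.match(line)
        if m:
            # Undo .properties escaping such as "http\://" -> "http://".
            key, value = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            props[key] = value.strip()
    return props

def host_in_sso_domain(url, sso_domain):
    """True if the URL's host falls under an SSO domain written as '.mydomain.com'."""
    host = (urlparse(url).hostname or "").lower()
    return sso_domain.startswith(".") and host.endswith(sso_domain.lower())

def sso_findings(props, sso_domain, app_urls, cookie_name="crowd.token_key"):
    """Return the problems that would stop the SSO cookie from being shared."""
    findings = []
    if not sso_domain.startswith("."):
        findings.append("SSO domain lacks the leading full stop: " + sso_domain)
    if props.get("cookie.tokenkey") != cookie_name:
        findings.append("cookie.tokenkey does not match Crowd's SSO cookie name")
    for url in app_urls:
        if not host_in_sso_domain(url, sso_domain):
            findings.append("host outside SSO domain: " + url)
    return findings

# Constructed samples modelled on the two layouts shown in this article.
TAB_LAYOUT = "application.name\tbamboo\n# application.password\tbamboo\nsession.validationinterval    2\n"
EQUALS_LAYOUT = (
    "#Wed Mar 14 14:24:19 BRT 2018\n"
    "crowd.server.url=http\\://localhost\\:8095/crowd/services/\n"
    "application.name=bamboo\n"
    "cookie.tokenkey=crowd.token_key\n"
)
URLS = ["http://crowd.mydomain.com", "http://bamboo.mydomain.com"]

if __name__ == "__main__":
    for name, text in (("tab", TAB_LAYOUT), ("equals", EQUALS_LAYOUT)):
        print(name, sso_findings(parse_crowd_properties(text), ".mydomain.com", URLS))
```

An empty list means the cookie name and hostnames line up; a browser reaching Bamboo through localhost or an IP address will be reported as outside the SSO domain.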

Troubleshooting

While following this Knowledge Base Article you may come across the following known issue(s):

Last modified on Jul 9, 2019
