This page last changed on Mar 04, 2007 by rosie@atlassian.com.
Before you begin: Make sure you have already set up JIRA before performing the Crowd integration below. Crowd cannot be installed on an unconfigured JIRA instance.
Atlassian's popular JIRA issue management system takes advantage of the OSUser framework and can quickly be configured to use OSUser to link in single or multiple directory servers through Crowd. Crowd provides integration libraries for the OpenSymphony OSUser module, which has a simple-to-use API for user management that allows pluggable implementations. More about the OSUser API can be reviewed at http://www.opensymphony.com/osuser/.
JIRA and Crowd Compatibility
JIRA Version | Integration Points
< 3.7.3 | External user management must be enabled.
> 3.7.4 | External user management must be enabled. User preferences are supported.
It is recommended that all integrations with Crowd upgrade their JIRA instances to 3.7.4+.
Enabling "External user management" in JIRA means that the following functions can no longer be performed from within the JIRA administration interface:
- adding users.
- adding groups.
- editing users.
- editing groups.
Configuring JIRA to work with Crowd
To configure the OSUser framework:
- Copy the Crowd integration libraries and configuration files as described in the 3.2 - Client Configuration documentation.
- Edit the JIRA file atlassian-jira\WEB-INF\classes\osuser.xml to add the following providers:
Note: You will need to comment out the existing providers and use the Crowd providers instead.
<opensymphony-user>
  <authenticator class="com.opensymphony.user.authenticator.SmartAuthenticator"/>
  <provider class="com.atlassian.crowd.integration.osuser.CrowdCredentialsProvider"/>
  <provider class="com.atlassian.crowd.integration.osuser.CrowdAccessProvider"/>
  <provider class="com.atlassian.crowd.integration.osuser.CrowdProfileProvider"/>
  <!--
  <provider class="com.atlassian.core.ofbiz.osuser.CoreOFBizCredentialsProvider">
    <property name="exclusive-access">true</property>
  </provider>
  <provider class="com.opensymphony.user.provider.ofbiz.OFBizProfileProvider">
    <property name="exclusive-access">true</property>
  </provider>
  <provider class="com.opensymphony.user.provider.ofbiz.OFBizAccessProvider">
    <property name="exclusive-access">true</property>
  </provider>
  -->
</opensymphony-user>
- Edit the propertyset.xml to add the following propertyset at the end of the file as the last propertyset:
<propertyset name="crowd" class="com.atlassian.crowd.integration.osuser.CrowdPropertySet"/>
- This step is only necessary if you wish to enable single sign-on:
Enabling Single Sign-On: Single sign-on (SSO) is optional when integrating JIRA and other Atlassian products. To use centralised authentication, do not configure Seraph-based authentication.
Edit the \atlassian-jira\WEB-INF\classes\seraph-config.xml file, changing the authenticator node to read:
<authenticator class="com.atlassian.crowd.integration.seraph.JIRAAuthenticator"/>
JIRA's authentication and access request calls will now be performed using the atlassian-user/osuser/Seraph Crowd plugin.
Now when authentication or access request calls are made against the OSUser framework, the JIRA stack will call the Crowd provider and propertyset implementations.
When using the OSUser and Crowd framework together with JIRA, it is highly recommended that caching be enabled. Multiple redundant calls to the OSUser framework are made on any given request. These results can be stored locally between calls by enabling caching in the Crowd 'Options' menu. JIRA will then reuse the stored information for the cache period, which is specified in minutes. If a security change or addition occurs in Crowd, the change will not be visible in JIRA until the cached item expires.
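One way to verify the three edited files after completing the steps above, as an added example (not part of the original Crowd documentation). It assumes each file's contents are passed in as a string; the function names and the sample XML are constructed for illustration, while the class names are those shown on this page.

```python
import xml.etree.ElementTree as ET

# Class names are taken from this page's osuser.xml, propertyset.xml and seraph-config.xml snippets.
CROWD_PROVIDERS = {
    "com.atlassian.crowd.integration.osuser.CrowdCredentialsProvider",
    "com.atlassian.crowd.integration.osuser.CrowdAccessProvider",
    "com.atlassian.crowd.integration.osuser.CrowdProfileProvider",
}
CROWD_PROPERTYSET = "com.atlassian.crowd.integration.osuser.CrowdPropertySet"
CROWD_SSO = "com.atlassian.crowd.integration.seraph.JIRAAuthenticator"

def check_osuser(xml_text):
    """Return problems in osuser.xml; commented-out providers are dropped by the parser."""
    active = [p.get("class") for p in ET.fromstring(xml_text).iter("provider")]
    problems = [f"missing Crowd provider: {c}" for c in sorted(CROWD_PROVIDERS - set(active))]
    problems += [f"non-Crowd provider still active: {c}" for c in active if c not in CROWD_PROVIDERS]
    return problems

def check_propertyset(xml_text):
    """The 'crowd' propertyset must exist and be the last one in the file."""
    sets = list(ET.fromstring(xml_text).iter("propertyset"))
    if not sets or sets[-1].get("name") != "crowd":
        return ["'crowd' is not the last propertyset"]
    if sets[-1].get("class") != CROWD_PROPERTYSET:
        return ["'crowd' propertyset has the wrong class"]
    return []

def sso_enabled(xml_text):
    """True when seraph-config.xml uses the Crowd authenticator (the optional SSO step)."""
    node = ET.fromstring(xml_text).find(".//authenticator")
    return node is not None and node.get("class") == CROWD_SSO

# Constructed sample: a half-finished edit where one default provider was left active.
SAMPLE_OSUSER = """<opensymphony-user>
  <authenticator class="com.opensymphony.user.authenticator.SmartAuthenticator"/>
  <provider class="com.atlassian.crowd.integration.osuser.CrowdCredentialsProvider"/>
  <provider class="com.atlassian.crowd.integration.osuser.CrowdAccessProvider"/>
  <provider class="com.atlassian.core.ofbiz.osuser.CoreOFBizCredentialsProvider">
    <property name="exclusive-access">true</property>
  </provider>
  <!-- <provider class="com.opensymphony.user.provider.ofbiz.OFBizProfileProvider"/> -->
</opensymphony-user>"""

if __name__ == "__main__":
    for line in check_osuser(SAMPLE_OSUSER):
        print(line)
```

An empty list from `check_osuser` and `check_propertyset` means the files match the configuration described on this page.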
Additional configuration steps:
- Create the 'jira' application in the Crowd administration console. Make sure that you use the same password as configured in the crowd.properties file. More information is available in the Crowd documentation on adding an application.
- Create three groups, jira-users, jira-developers and jira-administrators, through the Crowd console or manually in your directory server for each associated directory server.
- You will need to assign the jira-users group to the newly configured 'jira' application through the Crowd administration console or authentication attempts will fail.
- When integrating with JIRA, only principals who are members of the jira-users group will be able to authenticate.
- Only principals who are members of the jira-administrators group will be able to administer the JIRA console.
- JIRA's security requires that principals be members of a JIRA group that has the 'Global Permission' JIRA Users.
- In the JIRA General Configuration administration section, turn on External user management and External password management.