JIRA single sign-on with OpenSSO, free, now
By Frederic Pariente-Oracle on Mar 31, 2009
The proliferation of passwords in today’s corporate environment poses a significant threat to enterprise security, user productivity, and operational efficiency --a password-related issue is commonly said to the #1 reason for IT support calls, thus cost. As a result, companies seek to implement Single Sign-On (SSO) and identity management solutions, typically starting with vanilla company-wide applications like HR or collaboration tools.
Atlassian is a software company specializing in issue tracking and collaboration software. Their most popular products are JIRA, an issue tracking and project management system, and Confluence, an enterprise wiki. They also produce Crowd, an SSO application with out-of-the-box support for a limited set of applications --inc. Atlassian apps, Google Apps, Apache. Beyond that list, Atlassian users can build custom application connectors, using a proprietary built-in integration API though, not (yet) an open protocol like SAML. SAML is an XML-based open standard for exchanging authentication and authorization information between an identity provider and an application; the primary use case for SAML is to do SSO for web apps. SAML is produced by the OASIS Security Services Technical Committee. SAML is today supported in the open-source OpenSSO and commercial OpenSSO Enterprise identity management software from Sun.
Last summer, Alexey Abashev here at Sun's ISV Engineering developped a JIRA extension to integrate with OpenSSO so JIRA could speak SAML (through OpenSSO). This extension can be configured to :
- store user credentials in OpenSSO while still performing authentication via the JIRA dialog,
- authenticate users in OpenSSO while still storing all credentials inside the JIRA database,
- both authenticate users and store credentials in OpenSSO.
This extension subsequently gives the ability to build authentication chains such as :
- authenticate with
Microsoft NTLM to use an internal JIRA instance with a Windows Domain username,
- authenticate with OpenID to use a JIRA instance on the Internet Cloud.
The documentation for this OpenSSO integration is hosted on Atlassian's JIRA Extensions wiki and the code distributed as part of the JIRA Suite Utilities package on Google Code. Under a free-software BSD License :)
We are happy to report that, after 6 months and a couple of revision --1.1 is the stable release to use--, the JIRA OpenSSO extension has had 400+ downloads and 10+ (reported) deployments. One of them with 10K users! That company just saved itself a lot of time and money, by not replicating the user accounts from the company's internal directory to JIRA. And again, identity duplication = need for identity synchronization = security threat if not managed properly.
If you are a JIRA (admin) user, we encourage you to download the OpenSSO integration, participate to the community and share back :) If you have a similar need for single-sign on with your own application, feel free to check out our code for inspiration. Don't be afraid, there is not so much code --only 15KB-- and most of it is interface implementation. Start with the AuthUtils class, it contains all utility methods useful to developers --login and logout, searching names by pattern, filtering groups and user
entities. For help with OpenSSO adoption, contact our Partner Developer Support if you are a registered Sun Partner Advantage or Sun Startup Essentials member, post questions on the forums.sun.com, and ping Alexey on the JIRA Suite Utilities mailing list above.