Is it possible to implement a Single-Sign-On solution using OpenSSO (express build 8) for the most recent versions of Jira (4.0.1) and Confluence (3.1)? Is full integration of OpenSSO users and groups possible, or only integration on the level of authentication (which means that there is still a user store in both Jira and Confluence)?
I already tried to find information about this, but this is still not clear to me. I found the Seraph provider extension for OpenSSO at
https://opensso.dev.java.net/public/extensions/index.html
This one only provides authentication and gives pure SSO for Jira and Confluence AFAICT. Then I also found an extension for Jira which gives better integration with OpenSSO at
http://confluence.atlassian.com/display/JIRAEXT/Sun+Access+Manager+%28OpenSSO%29+Integration
Does anyone have experience with those extensions and recent versions of Jira and Confluence?
I tried to install a setup with OpenSSO on a GlassFish server (with the default OpenSSO setup, since this is only a test) and Confluence on Tomcat 6.0.20. I use the Seraph provider, which can be found on the OpenSSO extensions page. I configured Confluence as described in the documentation. I use the following AMConfig.properties file:
com.iplanet.am.naming.url=http://opensso.test.local:8080/opensso/namingservice
com.iplanet.am.cookie.name=iPlanetDirectoryPro
com.sun.identity.agents.app.username=amadmin
com.iplanet.am.service.password=adminadmin
com.iplanet.am.server.protocol=http
com.iplanet.am.server.host=opensso.test.local
com.iplanet.am.server.port=8080
com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
com.iplanet.services.debug.level=MESSAGE
com.iplanet.am.cookie.encode=true
com.iplanet.am.serverMode=false
As you can see, the property com.iplanet.am.cookie.encode is true. This is also activated on the OpenSSO server side.
In the Confluence install, I initially created an admin user "confluenceadmin". I created a user with the same id in the OpenSSO user data store.
When I browse to the Confluence site (http://confluence.test.local:8080/), I am redirected to the OpenSSO login page (which is correct). After authentication on the OpenSSO page, however, the browser goes into a redirect loop between Confluence and OpenSSO. In the Tomcat logs, I found the following error on the Confluence side:
In SiteMonitor.isAvailable()
amNaming:01/06/2010 04:30:04:463 PM CET: Thread[http-8080-1,5,main]
SiteID http://opensso.pmtools.local:8080/opensso/sessionservice is UP.
PLLClient:01/06/2010 04:30:04:463 PM CET: Thread[http-8080-1,5,main]
sending cookies: iPlanetDirectoryPro=AQIC5wM2LY4SfczS5FTStE+TifKvZv90WatUK11Rea1JT28=@AAJTSQACMDE=#;amlbcookie=null
amSession:01/06/2010 04:30:04:467 PM CET: Thread[http-8080-1,5,main]
ERROR: XMLUtils.fatalError
org.xml.sax.SAXParseException: Content is not allowed in prolog.
at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
at org.apache.xerces.util.ErrorHandlerWrapper.fatalError(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.XMLScanner.reportFatalError(Unknown Source)
at org.apache.xerces.impl.XMLDocumentScannerImpl$PrologDispatcher.dispatch(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:124)
at com.sun.identity.shared.xml.XMLUtils.toDOMDocument(XMLUtils.java:181)
at com.sun.identity.shared.xml.XMLUtils.toDOMDocument(XMLUtils.java:130)
at com.iplanet.dpro.session.share.SessionResponseParser.<init>(SessionResponseParser.java:70)
at com.iplanet.dpro.session.share.SessionResponse.parseXML(SessionResponse.java:152)
at com.iplanet.dpro.session.Session.sendPLLRequest(Session.java:1122)
at com.iplanet.dpro.session.Session.getSessionResponseWithoutRetry(Session.java:1538)
at com.iplanet.dpro.session.Session.getSessionResponse(Session.java:1646)
at com.iplanet.dpro.session.Session.doRefresh(Session.java:1413)
at com.iplanet.dpro.session.Session.access$300(Session.java:108)
at com.iplanet.dpro.session.Session$3.run(Session.java:1385)
....
Any hints on how to proceed?
BTW, I know Atlassian provides Crowd for central user management and Single-Sign-On. However, we'd like to standardize on OpenSSO.
You can optimize your Jira and Confluence with your A.D.; I recently integrated them. You can find the integrator in the Jira Admin Panel. But my recommendation is that you should prefer Crowd for SSO; it is easier to install and manage. I hope it will be helpful for you.