If your organization is running a Windows domain, you can configure JIRA so that the users are automatically logged in when they log in to the domain with their workstations.
For this recipe, we will need the Kerberos SSO Authenticator for JIRA. You can get it at http://www.appfusions.com/display/KBRSCJ/Home.
You will also need to have the following set up:
Setting up the Windows domain SSO is not a simple task as it involves many aspects of your network configuration. It is highly recommended that you engage the product vendor to ensure smooth implementation.
Proceed with the following steps to set up the Windows domain SSO:
1. Copy login.conf, krb5.conf, and spnego-exclusion.properties to the <JIRA_INSTALL>/atlassian-jira/WEB-INF/classes directory.
2. Copy appfusions-jira-seraph-4.0.0.jar and appfusions-spnego-r7_3.jar to the <JIRA_INSTALL>/atlassian-jira/WEB-INF/lib directory.
3. Open the web.xml file located in the <JIRA_INSTALL>/atlassian-jira/WEB-INF directory in a text editor.
4. Add the following XML snippet before the THIS MUST BE THE LAST FILTER IN THE DEFINED CHAIN entry. Make sure you update the values for the following parameters:
   - For spnego.krb5.conf, use the full path to the spnego.krb5.conf file
   - For spnego.login.conf, use the full path to the spnego.login.conf file
   - For spnego.preauth.username, use the username of the service account
   - For spnego.preauth.password, use the password of the service account

    <filter>
      <filter-name>SpnegoHttpFilter</filter-name>
      <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
      <init-param>
        <param-name>spnego.allow.basic</param-name>
        <param-value>true</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.allow.localhost</param-name>
        <param-value>true</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.allow.unsecure.basic</param-name>
        <param-value>true</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.login.client.module</param-name>
        <param-value>spnego-client</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.krb5.conf</param-name>
        <param-value>FULL_PATH/krb5.conf</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.login.conf</param-name>
        <param-value>FULL_PATH/login.conf</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.preauth.username</param-name>
        <param-value>SPN_USERNAME</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.preauth.password</param-name>
        <param-value>SPN_PASSWORD</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.login.server.module</param-name>
        <param-value>spnego-server</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.prompt.ntlm</param-name>
        <param-value>true</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.logger.level</param-name>
        <param-value>1</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.skip.client.internet</param-name>
        <param-value>false</param-value>
      </init-param>
    </filter>

5. Add the following XML snippet before the login entry:

    <filter-mapping>
      <filter-name>SpnegoHttpFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

6. Open the seraph-config.xml file located in the <JIRA_INSTALL>/atlassian-jira/WEB-INF/classes directory in a text editor.
7. Locate the line that contains com.atlassian.jira.security.login.JiraSeraphAuthenticator and comment it out so it looks like the following:

    <!-- <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/> -->

8. Add the following authenticator entry in its place:

    <authenticator class="com.appfusions.jira.SeraphAuthenticator" />
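Before restarting JIRA, the edited web.xml can be checked for leftover placeholders and for the settings in the SpnegoHttpFilter block that weaken the deployment. The following is an added example, not code from the original recipe, AppFusions, or the SPNEGO project; the function names, the sample document, and the values svc-jira and conf/login.conf are constructed for illustration, and it assumes spnego.allow.unsecure.basic has its usual SPNEGO library meaning of permitting Basic authentication over non-TLS connections.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath, PureWindowsPath

NAME = "SpnegoHttpFilter"
PLACEHOLDERS = ("FULL_PATH", "SPN_USERNAME", "SPN_PASSWORD")  # from the recipe's snippet
PATH_PARAMS = ("spnego.krb5.conf", "spnego.login.conf")

def _kids(elem, name):
    # Real web.xml files usually declare a namespace; compare local names only.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):
    found = _kids(elem, name)
    return (found[0].text or "").strip() if found else ""

def audit_spnego(web_xml):
    """Return a list of findings for the SpnegoHttpFilter block in web.xml text."""
    root = ET.fromstring(web_xml)
    filt = next((f for f in _kids(root, "filter") if _text(f, "filter-name") == NAME), None)
    if filt is None:
        return [f"{NAME} is not declared"]
    params = {_text(p, "param-name"): _text(p, "param-value")
              for p in _kids(filt, "init-param")}
    out = []
    for key, value in params.items():
        if any(ph in value for ph in PLACEHOLDERS):
            out.append(f"{key}: placeholder not replaced")
        elif key in PATH_PARAMS and not (PurePosixPath(value).is_absolute()
                                         or PureWindowsPath(value).is_absolute()):
            out.append(f"{key}: not a full path")
    if params.get("spnego.allow.basic") == params.get("spnego.allow.unsecure.basic") == "true":
        out.append("Basic fallback is accepted over non-TLS connections")
    if params.get("spnego.preauth.password"):
        out.append("spnego.preauth.password is clear text: restrict read access to web.xml")
    if not any(_text(m, "filter-name") == NAME for m in _kids(root, "filter-mapping")):
        out.append(f"no filter-mapping for {NAME}")
    return out

def param(key, value):
    return f"<init-param><param-name>{key}</param-name><param-value>{value}</param-value></init-param>"

# Constructed sample (not a real deployment): placeholders left in, relative path, no mapping.
SAMPLE = ("<web-app xmlns='http://java.sun.com/xml/ns/javaee'><filter>"
          f"<filter-name>{NAME}</filter-name>"
          + param("spnego.allow.basic", "true") + param("spnego.allow.unsecure.basic", "true")
          + param("spnego.krb5.conf", "FULL_PATH/krb5.conf")
          + param("spnego.login.conf", "conf/login.conf")
          + param("spnego.preauth.username", "svc-jira")
          + param("spnego.preauth.password", "SPN_PASSWORD") + "</filter></web-app>")
```

Pass the contents of the real web.xml to audit_spnego() in place of SAMPLE; an empty list means none of these checks fired.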