If your organization is running a Windows domain, you can configure JIRA so that the users are automatically logged in when they log in to the domain with their workstations.
For this recipe, we will need the Kerberos SSO Authenticator for JIRA. You can get it at http://www.appfusions.com/display/KBRSCJ/Home.
You will also need to have the following set up:
Setting up the Windows domain SSO is not a simple task, as it involves many aspects of your network configuration. It is highly recommended that you engage the product vendor to ensure a smooth implementation.
Proceed with the following steps to set up the Windows domain SSO:
login.conf, krb5.conf and spnego-exclusion.properties to the JIRA_INSTALL/atlassian-jira/WEB-INF/classes directory.
JIRA_INSTALL/atlassian-jira/WEB-INF/lib directory.
web.xml file located in the JIRA_INSTALL/atlassian-jira/WEB-INF directory in a text editor.
THIS MUST BE THE LAST FILTER IN THE DEFINED CHAIN entry. Make sure you update the values for the following parameters:
spnego.krb5.conf, use the full path to the spnego.krb5.conf file
spnego.login.conf, use the full path to the spnego.login.conf file
spnego.preauth.username, use the username of the service account
spnego.preauth.password, use the password of the service account

<filter>
  <filter-name>SpnegoHttpFilter</filter-name>
  <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
  <init-param>
    <param-name>spnego.allow.basic</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.allow.localhost</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.allow.unsecure.basic</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.login.client.module</param-name>
    <param-value>spnego-client</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.krb5.conf</param-name>
    <param-value>FULL_PATH/krb5.conf</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.login.conf</param-name>
    <param-value>FULL_PATH/login.conf</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.preauth.username</param-name>
    <param-value>SPN_USERNAME</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.preauth.password</param-name>
    <param-value>SPN_PASSWORD</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.login.server.module</param-name>
    <param-value>spnego-server</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.prompt.ntlm</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.logger.level</param-name>
    <param-value>1</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.skip.client.internet</param-name>
    <param-value>false</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SpnegoHttpFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

seraph-config.xml file located in the JIRA_INSTALL/atlassian-jira/WEB-INF/classes directory in a text editor.
com.atlassian.jira.security.login.JiraSeraphAuthenticator. Comment it out so it looks like the following:

<!-- <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/> -->

<authenticator class="com.appfusions.jira.SeraphAuthenticator" />
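
An added example, not part of the original recipe or the vendor's code: a small Python check that reads the SpnegoHttpFilter parameters from web.xml and lists the settings worth reviewing before production use (Basic fallback without TLS, the localhost bypass, and the clear-text service-account password). The sample XML is constructed from the recipe's snippet; the function names are hypothetical, and the comments on what each flag does are this example's understanding of the SPNEGO filter's parameters, not statements from the recipe.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the recipe's filter reduced to the settings audited below,
# keeping the stray whitespace the extracted snippet has inside <param-name>.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter>
    <filter-name>SpnegoHttpFilter</filter-name>
    <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
    <init-param><param-name>spnego.allow.basic</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>spnego.allow.localhost </param-name><param-value>true</param-value></init-param>
    <init-param><param-name>spnego.allow.unsecure.basic </param-name><param-value>true</param-value></init-param>
    <init-param><param-name>spnego.preauth.password </param-name><param-value>SPN_PASSWORD</param-value></init-param>
  </filter>
</web-app>"""

def _local(tag):
    """Drop an XML namespace prefix such as {http://...}filter."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    """Return the trimmed text of the first child called name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def spnego_params(web_xml_text, filter_name="SpnegoHttpFilter"):
    """Return {param-name: param-value} for the named filter, whitespace-trimmed."""
    root = ET.fromstring(web_xml_text)
    for flt in root.iter():
        if _local(flt.tag) == "filter" and _child_text(flt, "filter-name") == filter_name:
            return {_child_text(p, "param-name"): _child_text(p, "param-value")
                    for p in flt if _local(p.tag) == "init-param"}
    return {}

def audit(params):
    """Return the names of settings that deserve review before production use."""
    def on(name):
        return (params.get(name) or "").lower() == "true"
    findings = []
    if on("spnego.allow.basic") and on("spnego.allow.unsecure.basic"):
        findings.append("spnego.allow.unsecure.basic")  # Basic credentials accepted without TLS
    if on("spnego.allow.localhost"):
        findings.append("spnego.allow.localhost")       # localhost requests skip SPNEGO
    if params.get("spnego.preauth.password"):
        findings.append("spnego.preauth.password")      # clear-text secret in web.xml
    return findings

if __name__ == "__main__":
    for name in audit(spnego_params(SAMPLE_WEB_XML)):
        print("review:", name)
```

To check a real installation, pass the contents of JIRA_INSTALL/atlassian-jira/WEB-INF/web.xml to spnego_params instead of the sample.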