Simple Alternative Guide to Implementing Single Sign On for Atlassian Confluence and JIRA with NTLM and Active Directory

Introduction

Most organizations use Active Directory as a tool for user and identity management. The idea of SSO solution for Confluence and JIRA is based on the fact that users already authenticated in Active Directory are already using SSO for accessing resources on the network. The corporate web-server can make use of NTLM or LDAP authentication, and Confluence and JIRA being a backend can use information provided by trusted authenticating frontend to allow access.

Implementation

Linux OS like Centos 5 or Gentoo, for web server or application server.
httpd Apache server
Samba installed on the same server as httpd, configured as Active Directory member with winbind services enabled.
mod_auth_ntlm_winbind for your httpd, configured using your Samba (do not forget to enable http keep-alives in redhat linux flavours!) (do not forget give permissions to apache user for the winbind socket)
Apache Module mod_authnz_ldap, configuring using your AD LDAP services
mod_jk Apache AJP connector module
Tomcat server for Confluence and JIRA
Confluence and JIRA configured to use AD LDAP for user authentication.
AJP connector in Tomcat configured to disable tomcat authentication, like this: <Connector ..... protocol="AJP/1.3" tomcatAuthentication="false" />
Custom Confluence and JIRA SSO authentication classes

Currently it runs perfectly in our company. We use JIRA 3.13 (osuser), Confluence 2.10 (atlassian-user), Apache 2.2, Tomcat 5.5, Samba 3, Centos 5. One year of production use without problems.

Notes

NTLM is a bit of challenge. I had to patch the source so it accepts long usernames, looks as it was a bug. It might be already fixed. NTLM is supported by IE and Mozilla (in Firefox you have to go to about:configure page and search for ntlm settings adding domain of your choice for automatic sign on). The mod_auth_ntlm_winbind is much better then old mod_ntlm, supporting NTLM2. Also note that NTLM is working if the server hostname is in the 'security zone' in Internet Explorer, which allows "automatic login using currently logged user username and password", and also it requires HTTP/1.1 and enabled HTTP keep-alives. Additionaly AD has some group policy that if improperly configured will switch NTLM off.

It's up to you if to use LDAP or NTLM authentication, you only need one of them. Not sure however how well NTLM works over SSL, seems it requires special attributes in the server certificate. Also NTLM is not supported to work through proxies, by design.

If you have users in Confluence that are not registered in Active Directory, then you can not use this solution. (Hint: you may disable http authentication for non-intranet users using 'satisfy any', 'allow from').

You can not 'log off' from Confluence or JIRA, since it is Apache httpd who knows that you are you. So if you want to login as someone else use LDAP authentication or bypass apache going directly to Tomcat http connector. You may use JIRA SU Plugin to allow administrators to change identity to another user.

Such solution brings another security problem of Tomcat trusting frontend, so you have to secure your backend to allow only trusted frontends to access JIRA and Confluence. Use firewall.

Oles Hnatkevych, 2009-03-27