eduix / crowd-shibboleth-module Goto Github PK

I've been working with the shibboleth-filter and shibboleth-filter-config modules this week and have written some documentation for newbies (like me) who need to know how to build it. Can I contribute the documentation to the project?

Also, I have some questions:

• Is the nordunet-sso module required in addition to the shibboleth-filter?
• I have crowd SAMLized with the shibboleth-filter but JIRA doesn't seem to want to engage in SSO with Crowd. Is that because I don't have the nordunet-sso plugin installed? How do I install it, the documentation says to place it in a location that does not exist in the latest version of Crowd.

This issue could be entirely because I'm trying to make this plugin work with Atlassian Crowd 2.12.0 (Build: #751):

I seem to have this most of the way working. I setup a "Login with Shibboleth" link in my instance of Confluence, and I can trace it going through the auth steps with our campus IdP, but then it just redirects to the login page.

In atlassian-crowd.log it states:

2017-07-12 14:43:22,922 http-bio-8095-exec-22 ERROR [nordu.crowd.shibboleth.ShibbolethSSOFilter] Error creating new user com.atlassian.crowd.exception.UserAlreadyExistsException: User already exists in directory [851969] with name

Couple other notes - I do see the user generated in Crowd, so it's at least getting that far. I also verified that the users are added to a group that setup for Confluence login.

Just thought I'd toss this out there in case anybody else was using this plugin with the current versions of the atlassian suite, and possibly ran into this issue.

Many thanks to anyone that can help.

Hello,

I'm in the process of migrating from Crowd 2.7.2. I want to upgrade to 3.3.0, but the shibboleth-filter-config seems to say 3.0.0+. Both of these versions are giving me issues with the applicationContext-CrowdSecurity.xml:

This is the error I get when following the shibboleth-filter/README.md when trying Crowd 3.0.0:

2018-10-18 16:56:51,229 localhost-startStop-1 ERROR [ContainerBase.[Catalina].[localhost].[/crowd]] Exception sending context initialized event to listener instance of class com.atlassian.config.bootstrap.BootstrappedContextLoaderListener
org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 117 in XML document from class path resource [applicationContext-CrowdSecurity.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 117; columnNumber: 136; The pre
fix "util" for element "util:constant" is not bound.

When I tried with 3.3.0, I was getting this error:

Caused by: org.xml.sax.SAXParseException; lineNumber: 82; columnNumber: 62; cvc-complex-type.3.2.2: Attribute 'access-denied-page' is not allowed to appear in element 'security:http'.
org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 82 in XML document from class path resource [applicationContext-CrowdSecurity.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 82; columnNumber: 62; cvc-complex-type.3.2.2: Attribute 'access-denied-page' is not allowed to appear in element 'security:http'.

I'm wondering if there's something I'm missing? I'm confident that I'm following the install instructions verbatim, but maybe I'm missing something?

Thanks!

--- Update ---

Once I add the following to the top of the file:

xmlns:util="http://www.springframework.org/schema/util"

and

http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd

to the top of the file, I get past this error. However, I then get:

Error creating bean with name 'util:constant#1e3e794b': Invocation of init method failed; nested exception is java.lang.ClassNotFoundException: com.atlassian.crowd.integration.springsecurity.SecurityConstants

Which, looking into it, Crowd 3.0.0 doesn't have that bean, but 3.1 does:
https://docs.atlassian.com/atlassian-crowd/3.1.5/com/atlassian/crowd/integration/springsecurity/SecurityConstants.html

However, if I try using 3.1.5, I'm getting the same "access-denied-page" attribute error as I did with 3.3.0.

Hello all. I am facing a weird issue in an environment that uses CAFe+Shibboleth+Crowd. This environment works like a charm for almost all users, but that ones that have special characters in their names as, for example, "José", "Ítalo", etc.

I did talk to Atlassian, and they said it happens due to this class - https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/firewall/StrictHttpFirewall.html .

The fact is that this is not clear to me. Should I change anything on Shibboleth implementation?

If you can help, I will be grateful.

Best regards,

Wagner Ferreira
[email protected]

How to configured Atlassian apps (e.g. JIRA, Confluence) to use shibboleth style redirect login urls.

STEP #1
Update the app's "seraph-config.xml" file to have
login.url
http://YourServerName:8095/crowd/plugins/servlet/ssocookie?redirectTo=${originalurl}

STEP #2
Make sure that the "plugins" folder is protected by Shibboleth as you may have not protected the entire directory to allow access to the REST webservices, etc.

We have a working test system with 2.7.2 and we are now trying to build dedicated crowd test and production servers with 2.8.0. We have copied the settings from the previous test system, and crowd authentication with local accounts works OK. Shibboleth logins are, however, not working. The accounts are created, but somehow the authenticator is not aware of them abd tries to recreate them:

2015-01-23 08:36:46,338 ajp-bio-8009-exec-7 DEBUG [nordu.crowd.shibboleth.ShibbolethSSOFilter] No user [email protected] found. Creating
2015-01-23 08:36:46,562 ajp-bio-8009-exec-7 ERROR [nordu.crowd.shibboleth.ShibbolethSSOFilter] Error creating new user
com.atlassian.crowd.exception.UserAlreadyExistsException: User already exists in directory [491521] with name [[email protected]]
at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.addUser(DirectoryManagerGeneric.java:309)

Hi
i'm trying the use crowd-shibboleth-module and i'm having
the error:

Cannot resolve reference to bean 'authenticationProcessingShibbolethFilter' while setting constructor argument with key [4]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationProcessingShibbolethFilter': Lookup method resolution failed; nested exception is java.lang.IllegalStateException: Failed to introspect Class [net.nordu.crowd.shibboleth.ShibbolethSSOFilter]

an someone help me ?
thanks

Hi-

Attempting to make Crowd v2.12.0 (Build:#751) and this plugin work with the current versions of Confluence, JIRA, and BitBucket.

I seem to have this plugin working to the extent that I can:

• Goto Confluence login page with link to crowdUrl/crowd/plugins/servlet/ssocookie?redirectTo=dashboard.action
• That URL responds with a 302 to our IdP generating the SAML request, and giving a 302 to our login page with a jsessionid included in the URL, which I'll call JID#1
• I auth against the IdP sucessfully, which responds with a 302 to crowdUrl/Shibboleth.sso/SAML2/POST
• That POST URL responds with a 302 back to ssocookie?redirectTo=dashboard.action
• That URL then responds with a 301 to ssocookie;jsessionid=JID#2?redirectTo=dashboard.action. Please note this jsessionid is different than the first one; not sure if that makes any difference
• Browser then follows that 301, and get's returned a 404 by Tomcat, with an error of:
  The requested resource is not available

Here's the interesting thing.... I can then go to the confluence URL and I have an active session.

Couple of the causes I can certainly imagine are:

• This plugin states it's not compatible beyond 2.7 or 2.8 due to breaking API changes
• I'm new to Atlassian products and I'm doing my 'redirectTo's wrong.
• Something else?

There's no WARNs or ERRORs listed in atlassian-crowd.log. I'm not also seeing anything in the shib logs.

I'll continue to research this and see if I can make it work. Seems like if I can resolve this issue, I'll have a sucessfull instance of Crowd 2.12.0 & Shibd/NGINX working with latest revisions of the other Atlassian products. Hoping to get this online, and contribute my notes of getting it online for others. Thanks to all for any help you might provide.

Hi !

I'm currently testing this cool plugin but i don't know how the sync url should look like.

The Sample File says only ...
#New user sync urls for apps
#sync.appname1=url to call with password parameter

Can you give me a example url for confluence and jira please ?

thanks !