Authentication options for on-premises and cloud users (LDAP, AD, Crowd, SSO, SAML)

By Alexander posted 04-01-2015 18:13


Jama Software offers several options for authentication beyond our native simple-authentication method. However, the differences between these options can be subtle, and they tend to start looking a bit like alphabet soup to an uninitiated user. This article is meant to demystify those differences and what your options are depending on where your Jama Software instance is hosted; for more technical implementation details, please see our help guide or open a Support ticket.


Please note that, whichever authentication scheme you use, Jama Software will be unable to fall back on native authentication for any users; if you have any task-specific users in Jama Software (for example, a designated JIRA-to-Jama Software sync user), you’ll need to make sure that user has credentials in your external authentication system as well.


What are my options for an on-premises environment?
For our on-premises environments, we offer the following options for authentication: LDAP, Active Directory, Atlassian Crowd and SAML. Each is a single sign-on system and functions in roughly the same way; however, there are small implementation differences between them.


  • LDAP is our most commonly-used integration, as it is a well-established open-standard protocol for providing identity and directory services.
  • Active Directory (AD) is a Microsoft Windows-based implementation of LDAP; its management is tightly integrated into Windows and may be a better choice if your organization is already familiar with administering Windows Server machines. Its implementation in Jama Software is essentially the same as LDAP’s and should behave equivalently.
  • Crowd is Atlassian’s web-based directory service. It features the most robust user interface and has a few extra features (such as the ability to batch-import users and groups into Jama Software).
  • SAML offers a simple solution that requires more direct interaction between the user and the authentication system. SAML is now available in the Jama Connect 8.31 release!


What are my options for a cloud environment?
In our hosted offering we offer SAML. Unlike the other options, which pass the user’s username and password to the authentication system and receive a verification token back, SAML redirects users to a third-party authentication provider to input their credentials. This means that Jama Software does not handle any credential information at all, but it requires more direct interaction between the user and the authentication system. This exchange is generally handled by a third-party identity provider rather than by an in-house administrator.
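What the application receives in this flow is a signed assertion from the identity provider rather than a password, and it must still check that assertion before trusting it. The Python below is an added example, not Jama's code: it runs the content checks a service provider makes (signature present, validity window, intended audience, subject) against a constructed sample response, with an assumed audience URL, and assumes the XML signature itself has already been verified with an xmlsec-capable library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the IdP asserts who the user is; no password ever reaches the SP.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2018-11-08T10:00:00Z" NotOnOrAfter="2018-11-08T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://jama.example.com/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2018-11-08T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(response_xml, expected_audience, now_iso):
    """Return (subject, None) if the SP may trust the assertion, else (None, reason).

    Assumption: the ds:Signature has already been verified cryptographically by an
    xmlsec-capable library; only its presence is checked here.
    """
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return None, "no assertion in response"
    if assertion.find("ds:Signature", NS) is None:
        return None, "assertion is unsigned"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return None, "assertion has no validity window"
    now = _ts(now_iso)
    # NotOnOrAfter is exclusive: an assertion is stale at exactly that instant.
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return None, "assertion is outside its validity window"
    # An assertion minted for another service provider must not log a user in here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return None, "assertion was issued for a different service provider"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        return None, "assertion names no subject"
    return name_id.text, None
```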


#administration

updated content 11/8/2018


Comments

09-17-2018 22:26

We have a problem that can only be fixed by SAML and are very disappointed Jama on-prem does not offer this.

08-26-2015 05:38

Alexander, thanks for your statement!

Cheers,
Sebastian

08-25-2015 15:02

Hi Sebastian,

Thanks for the question! Jama's LDAP/AD authenticator does not support true single sign-on through a secondary application, mostly because we want to avoid earmarking floating licenses for users who are not actually using the system. There may be third-party tools which can negotiate the sign-on process once a user hits the login page, but I don't know of any off-hand and can't say whether they'd be compatible with Jama.

Our SAML implementation, described above for our hosted environment, works as you've described by authenticating a user in the background only after he or she has navigated to the Jama application. I'm not aware of any plans to port that service to our on-premises application at this time.

Cheers,
Alexander

08-24-2015 11:24

Alexander, is it possible to enable an automatic sign-on (real single sign on) for JAMA?

I would expect that JAMA takes the MS Windows credentials automatically. Thus, the login page would be obsolete. We have to change our passwords regularly. And it takes some time to adapt all passwords in all applications. However, our IT department introduced some new tools which use the Windows login to log into the application automatically (e.g. MS Sharepoint). Is this also possible for JAMA?

We are using LDAP/AD and an on-prem installation.

Best regards,
Sebastian