Grouper LDAP configuration

JIRA already has built-in support for several LDAP directories and generic OpenLDAP is among them.

Go to User Management, click User Directories > Add Directory, pick LDAP as the type and then specify it as OpenLDAP.

Enter configuration as specified:

Server Settings
  Name: Grouper LDAP
  Hostname: authz.geant.org
  Username: cn=Management,dc=geant,dc=org
  Password: ***

LDAP Schema
  Base DN: o=GN4Phase1,dc=geant,dc=org
  Additional User DN: ou=people
  Additional Group DN: ou=groups

LDAP Permissions
  (*) Read Only

Advanced Settings
  [x] Enable Nested Groups

User Schema Settings
  User Object Class: inetOrgPerson
  User Object Filter: (&(objectClass=inetOrgPerson)(eduPersonPrincipalName=*))
  User Name Attribute: eduPersonPrincipalName
  User Name RDN Attribute: employeeNumber
  User Display Name Attribute: cn

Group Schema Settings
  Group Object Type: groupOfNames
  Group Object Filter: (objectclass=groupOfNames)

Membership Schema Settings
  Group Members Attribute: member
  User Membership Attribute: isMemberOf

And then click Save and Test.

NOTE: The test should show the first connectivity test as passed and the remaining tests as skipped (they were not requested).

If all went OK, either click Back to directory list or just click User Directories in the left menu, then click Synchronize to initiate the first synchronization.

At the time of writing this took around 2 minutes to complete and imported 384 users and 321 groups.
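The LDAP settings above are easy to get subtly wrong: the User Object Filter silently drops any user without an eduPersonPrincipalName, and JIRA can resolve membership from either the group-side `member` attribute or the user-side `isMemberOf`, so the two views must agree. The following Python check is an added example, not code from this page, JIRA or Grouper: it parses LDIF (a constructed sample here; in practice the `ldapsearch -LLL` output over the Base DN) and verifies both conditions, expanding nested groups as Enable Nested Groups requires. It assumes, as Grouper provisions it, that `isMemberOf` lists effective (including nested) memberships.

```python
# Added example (not from the page): check constructed Grouper LDIF (stand-in for ldapsearch -LLL output) against the schema settings above.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: employeeNumber=1001,ou=people,o=GN4Phase1,dc=geant,dc=org
objectClass: inetOrgPerson
eduPersonPrincipalName: alice@example.org
isMemberOf: cn=SA3,ou=groups,o=GN4Phase1,dc=geant,dc=org
isMemberOf: cn=GN4-1_PP,ou=groups,o=GN4Phase1,dc=geant,dc=org

dn: cn=SA3,ou=groups,o=GN4Phase1,dc=geant,dc=org
objectClass: groupOfNames
member: employeeNumber=1001,ou=people,o=GN4Phase1,dc=geant,dc=org

dn: cn=GN4-1_PP,ou=groups,o=GN4Phase1,dc=geant,dc=org
objectClass: groupOfNames
member: cn=SA3,ou=groups,o=GN4Phase1,dc=geant,dc=org
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}: unfold continuation lines, one entry per blank-separated block."""
    entries = {}
    for block in text.replace("\n ", "").strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            key, _, val = line.partition(":")
            attrs[key].append(val.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def check_schema(entries, nested=True):
    """Return problems JIRA's directory sync would hit with the settings above (empty list = OK)."""
    users = {d: e for d, e in entries.items() if "inetOrgPerson" in e["objectClass"]}
    groups = {d: e for d, e in entries.items() if "groupOfNames" in e["objectClass"]}
    problems = [f"{d}: no eduPersonPrincipalName, User Object Filter drops it"
                for d, e in users.items() if not e.get("eduPersonPrincipalName")]
    def flatten(g, seen=frozenset()):  # Group Members Attribute `member`, nested groups expanded
        out = set()
        for m in groups[g].get("member", []):
            if m in groups and nested and m not in seen:
                out |= flatten(m, seen | {g})
            elif m in users:
                out.add(m)
        return out
    reverse = defaultdict(set)  # User Membership Attribute `isMemberOf`; assumed to hold effective (nested) memberships
    for u, e in users.items():
        for g in e.get("isMemberOf", []):
            reverse[g].add(u)
    problems += [f"{g}: member={sorted(flatten(g))} != isMemberOf={sorted(reverse[g])}"
                 for g in groups if flatten(g) != reverse[g]]
    return problems
```

Run `check_schema(parse_ldif(SAMPLE_LDIF))` before the first Synchronize; an empty list means the filter and both membership attributes are consistent for that export.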

Allow application access

In order to let federated users log in, they must all belong to a group that has been granted application access.

Go to JIRA Administration > Applications > Application access.

There, select from the list the group that all users who need access belong to. For GÉANT 4 Phase 1 that group was named GN4-1_PP (as in Project Participants).

SAML login

Installing SAML plugin

SAML login is based on the SAML 2.0 Single Sign-On for Jira plugin by Bitium, Inc. Search for it in the marketplace and install it.

At the time of writing the plugin is at version 1.0.3, which does not include all the patches created during GN4 phase 1, but does include the essentials to allow federated login.

Configuring SAML plugin

After installing the plugin, proceed to configure it.

Login URL: https://login.terena.org/wayf/saml2/idp/SSOService.php
UID Attribute: TAL:federated_user_id
X.509 Certificate:
-----BEGIN CERTIFICATE-----
MIICGTCCAYICCQCTYS2pMIdaaDANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJOTDELMAkGA1UECBMCTkgxEjAQBgNVBAcTCUFtc3RlcmRhbTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMB4XDTEwMDkwMTE4NTMyMFoXDTM4MDExNjE4NTMyMFowUTELMAkGA1UEBhMCTkwxCzAJBgNVBAgTAk5IMRIwEAYDVQQHEwlBbXN0ZXJkYW0xITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvhzp9Tk7zQC+q5cpS36FMaaX3uQp6Sksnh+EnFtKFKeR4lKPmmgCSmVZkFdkgd7cE/vfFBInrQdb2rvLZrICdQbyLDuhQJUyqZHK52nbtP5FNcRN7V9LjpBB3CsUznenQoJLrpdPogSMDlSPjeLTaeB697EdZTt7IAmWDQmWWb8CAwEAATANBgkqhkiG9w0BAQUFAAOBgQAbKXFszQd2En/pqaxHWPISCqcpPfAxXXm7PNZ+sem6TYbtJuY7V68T1izuvax10FFgXBoltLKTg9IOdou6ZO+g5JrdMq1sOCQL/kILdmaIUZjm/hIeoygbwN3I0LhoxZbJqgWT5+gLtb+7JGRmbs8WE/3/Wm5i17ITMxptGjZQnQ==
-----END CERTIFICATE-----

Entity ID: https://login.terena.org/wayf/saml2/idp/metadata.php
Default Group for Auto-created Users: jira-software-users

IMPORTANT: Do not check Force SSO login or Auto-create User. Leaving both unchecked keeps login possible for local users too and authorizes only those users that exist in the Grouper LDAP. The default group is set just in case, since auto-created users with admin rights would not be a good idea.

When the configuration is saved, open another browser to check that the login form now includes a Use Corporate login button. Clicking it should redirect to the GÉANT SP Proxy and give you a Metadata not found error (which we'll tackle next). Sometimes the button does not appear on every request; a reload should help.

Connecting metadata

To connect JIRA to the SP Proxy, forward the following metadata to Dick Visser <dick.visser@geant.org>, adjusting it to match the actual server name and contact information:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://JIRA_HOSTNAME:443/jira/jiraSAML">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://JIRA_HOSTNAME/jira/plugins/servlet/saml/auth" index="0"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:GivenName>Administrator</md:GivenName>
    <md:EmailAddress>JIRA_CONTACT_EMAIL</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>

NOTE: The XML contains two references to the JIRA instance, one with port 443 and one without. That is as it is supposed to be: for some reason the plugin creates the URLs that way, and the metadata must reflect that.

After the metadata is set up, login should be possible. Try to log in; after the welcome screen you should be able to browse your profile and see all your Grouper groups listed.