Setting up the Windows domain SSO is not a simple task, as it involves many aspects of your network configuration. It is highly recommended that you work with the product vendor and someone who is familiar with your AD environment to ensure a smooth implementation.
Go through the following steps to set up the Windows domain SSO:
- Shut down Jira if it is running.
- Copy login.conf, krb5.conf, and spnego-exclusion.properties to the JIRA_INSTALL/atlassian-jira/WEB-INF/classes directory.
- Copy appfusions-jira-seraph-4.0.0.jar and appfusions-spnego-r7_3.jar to the JIRA_INSTALL/atlassian-jira/WEB-INF/lib directory.
- Open the web.xml file located in the JIRA_INSTALL/atlassian-jira/WEB-INF directory in a text editor.
- Add the following XML snippet before the THIS MUST BE THE LAST FILTER IN THE DEFINED CHAIN entry. Make sure you update the values for the following parameters:
- For spnego.krb5.conf, use the full path to the spnego.krb5.conf file.
- For spnego.login.conf, use the full path to the spnego.login.conf file.
- For spnego.preauth.username, use the username of the service account.
- For spnego.preauth.password, use the password of the service account:
<filter> <filter-name>SpnegoHttpFilter</filter-name> <filter-class>net.sourceforge.spnego .SpnegoHttpFilter</filter-class> <init-param> <param-name>spnego.allow.basic</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>spnego.allow.localhost </param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>spnego.allow.unsecure.basic </param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>spnego.login.client.module </param-name> <param-value>spnego-client</param-value> </init-param> <init-param> <param-name>spnego.krb5.conf</param-name> <param-value>FULL_PATH/krb5.conf </param-value> </init-param> <init-param> <param-name>spnego.login.conf</param-name> <param-value>FULL_PATH/login.conf </param-value> </init-param> <init-param> <param-name>spnego.preauth.username </param-name> <param-value>SPN_USERNAME</param-value> </init-param> <init-param> <param-name>spnego.preauth.password </param-name> <param-value>SPN_PASSWORD</param-value> </init-param> <init-param> <param-name>spnego.login.server.module </param-name> <param-value>spnego-server</param-value> </init-param> <init-param> <param-name>spnego.prompt.ntlm</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>spnego.logger.level</param-name> <param-value>1</param-value> </init-param> <init-param> <param-name>spnego.skip.client.internet </param-name> <param-value>false</param-value> </init-param> </filter>
- Add the following XML snippet before the login entry:
<filter-mapping> <filter-name>SpnegoHttpFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
- Open the seraph-config.xml file located in the JIRA_INSTALL/atlassian-jira/WEB-INF/classes directory in a text editor.
- Locate the line that contains com.atlassian.jira.security.login.JiraSeraphAuthenticator. Comment it out so that it looks like the following:
<!-- <authenticator class= "com.atlassian.jira.security .login.JiraSeraphAuthenticator"/> -->
- Add the following XML snippet under the line that's been commented out:
<authenticator class="com.appfusions.jira.SeraphAuthenticator" />
- Restart Jira.
- Add your Jira's URL to the local intranet zone in your browser.
Once Jira is restarted, you should be automatically logged in every time you log into the Windows domain. Make sure you also have a backup copy of the file before making any changes.