Users from Crowd directories can be authenticated by the SAML add-on, but there is a limitation:
If the user directory in Crowd is a remote directory (e.g. LDAP) or delegates authentication (e.g. to an LDAP server), the user may not be found during the SAML login process. Updating a user from a remote directory is tied to Crowd's own authentication process, which does not happen here because the user has already been authenticated by the SAML Identity Provider.
To solve this, we provide an add-on for Crowd that triggers the required fetch from the remote directory. This add-on provides a REST endpoint, /rest/de.resolution.updateuserfromremotedirectory/1.0/, which always returns 204 (No Content). When it receives a PUT request containing the user ID, the user is looked up and, if available, updated in Crowd's remote directories.
Starting with version 2.0.11, SAML Single Sign On can send this PUT request to Crowd. This can be enabled with the checkbox "Trigger update in Crowd".
Install the Crowd addon
- Download the Addon from http://builds.resolution.de/release/update-user-from-remote-directory-1.2.0.jar
- Copy it to the plugins folder of your Crowd instance (e.g. /var/crowd-home/shared/plugins)
- Restart Crowd
Verify the installation by sending a PUT request to the REST endpoint, e.g. using curl, and check that the result is 204 No Content.
You need to do this from the application host where SAML SSO is installed, i.e. Jira or Confluence. The test will also reveal any connectivity or certificate issues.
    curl -v -X PUT http://<CROWD>/crowd/rest/de.resolution.updateuserfromremotedirectory/1.0/
    *   Trying 220.127.116.11...
    * TCP_NODELAY set
    * Connected to <CROWD> (18.104.22.168) port 8095 (#0)
    > PUT /crowd/rest/de.resolution.updateuserfromremotedirectory/1.0/ HTTP/1.1
    > Host: crowd31.lab.resolution.de:8095
    > User-Agent: curl/7.54.0
    > Accept: */*
    >
    < HTTP/1.1 204 No Content
    < X-ASEN: SEN-L10707859
    < X-Content-Type-Options: nosniff
    < Date: Mon, 05 Mar 2018 12:39:56 GMT
    <
    * Connection #0 to host crowd31.lab.resolution.de left intact
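The same verification as a repeatable script, added here as an example (it is not part of the original page or the vendor's tooling). It sends the PUT request shown above and separates connectivity and certificate failures from a wrong HTTP status. The function names, verdict labels, 10-second timeout and the reading of a 404 as "add-on not loaded or wrong context path" are assumptions of this example.

```shell
#!/bin/sh
# Added example: run on the Jira/Confluence host, passing the Crowd base URL,
# e.g.  ./check-crowd-addon.sh http://<CROWD>/crowd

ENDPOINT_PATH="/rest/de.resolution.updateuserfromremotedirectory/1.0/"

# classify_result CURL_EXIT HTTP_CODE -> prints a one-word verdict.
# The curl exit codes used here are curl's documented ones.
classify_result() {
    case "$1" in
        0)     ;;                                  # transfer completed, inspect status
        6)     echo "dns-failure";     return 0 ;; # could not resolve host
        7)     echo "connect-failure"; return 0 ;; # port closed or firewalled
        28)    echo "timeout";         return 0 ;;
        35|60) echo "tls-failure";     return 0 ;; # handshake or untrusted certificate
        *)     echo "curl-error";      return 0 ;;
    esac
    case "$2" in
        204) echo "ok" ;;                # the add-on always answers 204
        404) echo "endpoint-missing" ;;  # assumption: add-on not loaded or wrong path
        *)   echo "unexpected-status" ;;
    esac
}

# check_crowd_endpoint BASE_URL -> prints the verdict, returns 0 only on "ok".
check_crowd_endpoint() {
    base=${1%/}
    rc=0
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
                -X PUT "${base}${ENDPOINT_PATH}") || rc=$?
    verdict=$(classify_result "$rc" "$code")
    echo "$verdict (curl exit $rc, HTTP $code)"
    [ "$verdict" = "ok" ]
}

# Only contact Crowd when a base URL is given on the command line.
if [ "$#" -gt 0 ]; then
    check_crowd_endpoint "$1"
fi
```

A `tls-failure` verdict on an https Crowd URL means the application host does not trust Crowd's certificate chain; fix the trust store rather than disabling verification.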