Rails Plugin for Single Sign On with Atlassian Crowd

Atlassian Crowd (http://www.atlassian.com/software/crowd/) offers a simple solution for single sign on. It comes with an authentication server, a web based administration console and Java client libraries. Other Atlassian products such as Jira, Confluence and Bamboo integrate with Crowd.

With the crowd_rails plugin, Ruby on Rails can also benefit from single sign on with Atlassian Crowd 2.0.

Installing the Plugin

The plugin is available at

http://github.com/stefanwille/crowd_rails

To install the crowd_rails plugin, run

gem install crowd_rails
gem install crowd-stefanwille

crowd-stefanwille is a Ruby client library for Crowd, and crowd_rails is the Rails plugin.

Installing a Crowd Server

Beyond these gems, you will also need a Crowd server with version 2.0 or greater.
The easiest way to get started is to install an evaluation copy of Crowd on your local machine.

After you have installed your local Crowd server, test it using its demo application. Go to

http://localhost:8095/demo

Make sure that you can log in.

Running the Demo Application

On GitHub you can clone a simple demo application that uses crowd_rails for authentication. The URL is:

http://github.com/stefanwille/crowd_rails_test

To run it, you will need

  • a Crowd server on localhost, port 8095
  • an application configured in Crowd with app name and password ‘soaptest’
  • the application ‘soaptest’ with ‘directory’ set to ‘True’

Type

git clone git@github.com:stefanwille/crowd_rails_test.git
cd crowd_rails_test
bundle install
ruby script/server

And then point your browser to

http://localhost:3000/demo

You will get the browser’s log in dialog. When you enter correct credentials, you will see a success page. Next, you can check whether you are also logged in to Crowd’s demo application, which should run at

http://localhost:8095/demo

on your local Crowd server.

Using the Plugin

To use the plugin in your own application, you need to configure the Crowd client library and then mix the module Crowd::SingleSignOn into your ApplicationController.

Add a file

config/initializers/crowd_setup.rb

with this content:

require 'crowd'

Crowd.crowd_url = 'http://127.0.0.1:8095/crowd/services/SecurityServer'
Crowd.crowd_app_name = 'soaptest'
Crowd.crowd_app_pword = 'soaptest'
Crowd.crowd_validation_factors_need_user_agent = false  # false for Crowd 2.0.5, true for Crowd 2.0.2
Crowd.crowd_session_validationinterval = 0  # Set > 0 for authentication caching.

This file contains the Crowd configuration for your application. Change the configuration according to your needs.
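
The initializer above hard-codes the application password and talks to Crowd over plain http, which suits a local evaluation server but not a remote one. The following added example (not part of crowd_rails or the original post) reads the same three settings from the environment and rejects unsafe combinations; the CROWD_* variable names and the helper names are assumptions.

```ruby
require 'uri'
require 'ipaddr'

# Added example, not part of crowd_rails. The CROWD_* variable names are
# assumptions; the three Crowd.* setters are the ones used in this post.
DEMO_PASSWORD = 'soaptest' # demo value from this post

# True for "localhost" and for loopback IP literals (127.0.0.0/8, ::1).
def loopback_host?(host)
  return false if host.empty?
  return true if host == 'localhost'
  IPAddr.new(host).loopback?
rescue ArgumentError # not an IP literal, so a remote host name
  false
end

# Read the Crowd settings from env (ENV or a Hash) and reject unsafe ones.
def crowd_settings(env, production:)
  url      = env.fetch('CROWD_URL')
  app_name = env.fetch('CROWD_APP_NAME')
  password = env.fetch('CROWD_APP_PASSWORD')

  uri = URI.parse(url)
  problems = []
  problems << 'CROWD_URL must be http or https' unless %w[http https].include?(uri.scheme)
  if uri.scheme == 'http' && !loopback_host?(uri.hostname.to_s)
    problems << 'plain http to a remote Crowd server sends passwords in clear text'
  end
  if production && password == DEMO_PASSWORD
    problems << 'demo application password used in production'
  end
  raise ArgumentError, problems.join('; ') unless problems.empty?

  { crowd_url: url, crowd_app_name: app_name, crowd_app_pword: password }
end

# Copy the validated settings onto the Crowd module (or any object with
# the same setters).
def apply_crowd_settings(target, settings)
  settings.each { |name, value| target.public_send("#{name}=", value) }
  target
end

# In config/initializers/crowd_setup.rb:
#   require 'crowd'
#   apply_crowd_settings(Crowd, crowd_settings(ENV, production: RAILS_ENV == 'production'))
```

A missing variable raises KeyError and an unsafe value raises ArgumentError, so the application fails at boot instead of starting with the demo credentials.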

Then add this to your ApplicationController class:

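class ApplicationController < ActionController::Base
  include Crowd::SingleSignOn

  before_filter :authenticate

  private

  def authenticate
    # No Crowd round trip in the test environment.
    return if RAILS_ENV == "test"

    # Skip the password prompt when the request is already authenticated with Crowd.
    return if crowd_authenticated?

    # Otherwise ask for credentials via HTTP basic auth and check them against Crowd.
    authenticate_or_request_with_http_basic('My Application') do |user_name, password|
      crowd_authenticate(user_name, password)
    end
  end
end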

This will give you the browser’s grey password dialog (aka ‘basic auth’). If you want something fancier, replace the call to Rails’ authenticate_or_request_with_http_basic(), which asks the user for username and password.

The demo app uses the same basic auth approach.

Log Out

There is a little gotcha with respect to log out. The plugin offers the method crowd_log_out, which is also used in the demo application. The problem is that basic authentication makes it more or less impossible to log a user out, because the browser keeps sending the user’s credentials with every request. So if you want a log out feature, you need to replace basic authentication with a login form.

Interoperability

I have tested the crowd_rails plugin with Crowd 2.0.2 and 2.0.5. Also, I tested single sign on interoperability with Jira, Confluence and Bamboo.

Posted in Ruby on Rails.


12 Responses


  1. Simao Castro says

    Hi Stefan,
    Do you have plans to support Crowd 2.1?
    Thks,
    Simao

  2. Stefan says

    Hmmmm… a REST API in Crowd 2.1… much more tasty than the old SOAP API…. we’ll see :-)

  3. Arun Verma says

    Hi Stefan,
    I want to use this plugin for SSO. But I am unable to implement it correctly and I need your help for below mentioned queries.

    I have a web app say, “mywebapp” and I have a tab for which I want to implement SSO. I want to access ‘Pentaho(an application for creating and analyzing reports)’ using the tab in my app.

    So in this case how to implement this plugin. What should I change in the crowd_setup.rb and in application controller.

    In Setup.rb
    Crowd.crowd_url = 'http://127.0.0.1:8095/crowd/services/SecurityServer' ## do i need to change this url too ?
    Crowd.crowd_app_name = 'soaptest' ### which app name is this ? (is it my web app name)
    Crowd.crowd_app_pword = 'soaptest' ### what is the password should I give here.
    Crowd.crowd_validation_factors_need_user_agent = false # false for Crowd 2.0.5, true for Crowd 2.0.2
    Crowd.crowd_session_validationinterval = 0 # Set > 0 for authentication caching.

    in Application Controller
    authenticate_or_request_with_http_basic('My Application') do |user_name, password|
    crowd_authenticate(user_name, password)

    What should be the Application Name, user_name and password here ?

    Hope I am able to make you understood what I want.

    Waiting for your reply

    Regards

  4. Ringo De Smet says

    Is the plugin Rails3 compatible?

  5. Stefan says

    Hi Ringo, I developed it with Rails 2 and didn’t test it with Rails 3. I don’t see why it shouldn’t work with Rails 3 though.

  6. Stefan says

    Arun, I answered via email.

  7. Lawrence says

    hey Stefan, I’m hoping to use your library to interface with the NHL’s implementation of the Crowd SSO. I’m learning SOAP and I’m wondering what is the appName.

    I’ve got a few credentials from the NHL, login, password, wsdl, test server and production server urls, but none of these appear to work as an app name and every example I’ve seen, including the examples the NHL gave me use “example” as the appName. meaning, not the real app name.

    My question is similar to Arun’s in that I’m not sure where to find this info. Any help is appreciated as my deadline looms.

  8. Farukh D M says

    Hey, is the plug-in compatible with CROWD 2.2??
    Please let me know

    Thanks in advance.

  9. Stefan says

    Hi Farukh, I didn’t test the plugin with Crowd 2.2 yet.

  10. Stefan says

    Hi Lawrence, in the Crowd server, you set up different applications. An application can be Jira on server1.xyz.com or Confluence on server2.xyz.com… or your own application. When you add a new application, you define a name (= appname), server, password and so on. The appname is used to identify this particular instance of your application. The documentation describes this in
    http://confluence.atlassian.com/display/CROWD/Adding+an+Application#AddinganApplication-add

    The documentation describes the application name like this:

    Name – The username which the application will use when it authenticates against the Crowd framework as a client. This value must be unique, i.e. it cannot be used by more than one application client.

  11. Barakathullah says

    Hi Stefan, I am planning to implement SSO for multiple web applications. I will be allowing my users to login to any one of the 5 applications or all the 5 applications using their google / yahoo / twitter login credentials. Is there any possibility to have authorization to application access at the user level.

    Thanks
    Barak

  12. Stefan says

    Hello Barak, as far as I know there is no bridge from Crowd to google / yahoo / twitter.
    But if there is, then you can access the user id from your application before and after authorization via the API of this plugin.


