Kantega Single Sign-on (SSO) gives you the easiest way to set up single sign-on for your Atlassian server products.
We proudly provide support for both the two single sign-on protocols Kerberos and SAML.
In addition, we have built connectors for synchronizing users and groups from popular cloud-based user directories. This enables you to manage your users' roles for your Atlassian server products in one centralized place.
Using our add-on makes it possible to combine Kerberos, SAML and regular username/password-based login flexibly set up in your own desire.
So what SSO solution do I choose, you say?
The two mechanisms we have chosen to have support for, Kerberos and SAML, are what we reckon as the most world-wide used and secure. They have at the same time quite different characters.
Kerberos is set up to offer “invisible” SSO by having your browser deliver what is called a Kerberos ticket to our add-on telling what user securely log in. Often Kerberos is a preferred solution in a Windows based environment where your login to the Windows machine will be used to establish your identity in the Atlassian server product. Kerberos has the restriction of requiring that the client machine has access to a KDC, Key Distribution Center which in Windows is an Active Directory. This makes it most preferable when users exist within a local area network.
SAML is a much more flexible and widespread solution than Kerberos. It offers you the ability to identify users in your Atlassian server products via all SAML 2.0 based services on the web. And there are probably thousands of these services. We have prepared wizard support or guides to the 10-15 most common of these, but you should be able to connect to all SAML 2.0 compatible services.
SAML is operating somewhat different than Kerberos. In SAML, your users are, when they access the Atlassian server product without a valid login, redirected to an Identity Provider (IP) login portal. This is typically a centralized web service for establishing users’ identities. Typically, an organization will strive to set up all web solutions to use such a centralized IP based login portal making login for users recognizable.
This way SAML may be considered somewhat more “visible” to the user than Kerberos, but it does not require the user having access to a KDC.
Therefore, organizations often prefer to set up Kerberos for the most hassle-free login experience when the user is present at his desktop machine on the office. While SAML is set up in addition for enabling the user to log in when she is on the run outside the office or when accessing from cellphones or other non-Kerberos compatible devices.
Below you will find additional details about all the features of Kantega Single Sign-on.
And do not hesitate to contact us in case you have questions.
Sincerely, the Kantega Atlassian Support team
See also our Kantega Single Sign-on FAQ
Kerberos SSO gives the end user access to Atlassian products without entering a user name and password. Kerberos is typically used in an enterprise LAN, and is the preferred choice for Kerberos domains such as Windows domains and Microsoft Desktop environments.
Configuring Kerberos Single Sign-on
- Browser configuration guide
- Create a keytab file
- Encryption strength and configuring AES-256
- Running behind HTTP(s) proxy servers
- Supporting multiple domains / keytabs
- Kerberos for Git clients
The SAML standard facilitates secure exchange authentication and authorization information, so users are allowed to login to the Atlassian products through third party identity providers.
Configuring SAMLSingle Sign-on
- Azure Active Directory (Azure AD)
- Google G Suite
- Active Directory Federation Services (AD FS)
- Ping Federate