Single Sign On For Walmart
Single Sign On for JIRA & CONFLUENCE
miniOrange SAML SSO with Direct Node URL Access for DC maintenance and One Click Migration of users from Crowd.
Walmart Inc. is an American multinational retail corporation that operates a chain of hypermarkets, discount department stores, and grocery stores from the United States, headquartered in Bentonville, Arkansas.
Supported Use cases and their solutions with our Single Sign-On
Walmart approached us as they wished to enhance their end-user experience by integrating SAML based Single Sign-On (SSO) for Jira and Confluence into their current authentication process. Our Single Sign-On solution for Jira and Confluence fulfilled this requirement.
They also had some additional requirements for their Data Center (DC) setup, stated below. We developed custom solutions for each of them:
Walmart wanted to migrate their users and groups from Crowd to Jira and Confluence. We provided them with the “One-Click Migration” feature to help in the migration process with zero downtime. It helped them reduce the resources spent on maintaining the Crowd server.
As a part of SSO, while replicating their SAML IDP user group structure in Jira and Confluence, it was noticed that the group names received from the SAML IDP were different and in a format incompatible with Jira & Confluence. To overcome this, we provided “On the Fly Group Name Transformation”, which helped transform IDP group names to the Atlassian application's group names.
In addition to this, they needed support for “Anchored SAML authentication”, as required by their IDP. We added this as an advanced option in our plugins so that they could enable this extra layer of security.
With Data Center having multiple instances, Walmart wanted administrators to access specific Jira or Confluence instances directly after SSO. For this, the “Direct Node URL Access for DC maintenance” feature is provided.
Also, Walmart has a very high load environment, with a large number of concurrent login attempts. Commensurately, this meant that our SSO solutions would have to be able to handle this load.
Lastly, they wanted to restrict access to the Jira and Confluence REST APIs so that only service accounts could access them. “Group Based Restriction” was provided here, where end users are restricted from using the APIs with their AD passwords.
Key Benefits
Allowed their admins to log in to specific instances by performing SSO, which helped them in debugging issues.
It made it easier for Walmart to migrate users and groups from Crowd to other Atlassian apps with 0 downtime.
Access to REST APIs was restricted to only those users who were present in the assigned groups.
How does it work?
miniOrange provided Walmart with a couple of applications and customizations. Here is how they work.
The miniOrange SAML Single Sign On (SSO) Add-On acts as a SAML Service Provider, which is configured to establish trust between the Atlassian applications and Walmart’s SAML IDP as an Identity Provider, to securely authenticate the user.
The Service Provider sends the SSO Request to the SAML IDP for authentication. The SAML IDP sends back the SSO Response to the Service Provider. On receipt of the SSO Response, the user is allowed to log in and access the Atlassian application.
"One-Click Migration" helped Walmart to get rid of their dependency on Crowd and manage identities on IDP itself. We check if the users and groups present in Crowd are missing in the Atlassian application and then create them in that application.
"On the Fly Group Name Transformation" feature extracts the group name (incompatible format) and transforms it to a compatible format. It then maps identical groups and creates groups that are missing in the Atlassian application.
“Anchored SAML authentication” feature allows the addition of a signing certificate to the SAML requests and responses in addition to the typical assertion encryption.
In "Direct Node URL Access for DC maintenance", the plugin identifies the DC instance from which the request was initiated and reposts the SAML response to the same instance. The plugin reads the response and allows the administrator to log in.
"Group Based Restriction" uses the miniOrange REST API plugin, which checks the username of the user whenever authentication for a REST API call is performed. The user is allowed only if the user is part of the assigned group.
SAML Single Sign On is the best add-on that works with all Identity Providers, and is able to handle the high load of concurrent login requests in Walmart’s environment. Users can sign in to the Atlassian application with your SAML 2.0 capable Identity Provider. We support all known IdPs - Google Apps, ADFS, Azure AD, Okta, OneLogin, Salesforce, Shibboleth, SimpleSAMLphp, OpenAM, Centrify, Ping, RSA, IBM, Oracle, Bitium, WSO2, NetIQ, miniOrange, etc.