EasySSO License Agreement
TechTime Initiative Group Limited Software License Agreement
How to install EasySSO 2.5.x and earlier - a step by step guide
Please Note: This page applies to EasySSO versions from 2.5.x and earlier
If you are using version 2.6.0 - 3.4.x – please read instructions on EasySSO Get Started - for 2.6.x - 3.4.x page instead.
If you are using later versions – please read instructions on the Getting Started with EasySSO all-in-one home page.
If you have any questions please reach out to our support via our ServiceDesk
Follow these step by step instructions to configure EasySSO
Before you begin: the most important part of the configuration is the domain name and computer account. Please read IOPLEX Jespa Operators Manual about these (page 8). You will need a computer account with a password.
Since creating one requires you to be logged on as AD Admin, we cannot automate this task; please work with your Active Directory administrators on this. The IOPLEX Jespa package contains two .vbs scripts that can be run from the command line to assist with this task. One is a full wizard that will create the computer account - you will need to be a domain administrator to be able to do this. The other one can be used by your domain administrators to set a password on the computer account if they create it manually.
Obtain EasySSO from Atlassian Marketplace
Obtain license from Atlassian Marketplace
Once installed click Configure in UPM to proceed to the configuration wizard
Obtain and install IOPLEX Jespa library
Read IOPLEX EULA.
Continuing past this point signifies your acceptance of the terms of EULA.
Switch to "EasySSO Configuration" tab and configure parameters required for EasySSO to work.
Please note that these parameters are passed to Jespa and as such are described in detail in the IOPLEX Jespa Operators Manual. The PDF is included in the zip, and a link to it will appear above the configuration parameters form once you upload the Jespa distribution zip, in case you need to study it in more detail.
To start with, leave Kerberos authentication unchecked.
Why do we suggest leaving Kerberos unchecked?
Kerberos is notoriously fickle, and in many scenarios doesn't work by design.
NTLM works where Kerberos doesn't. It makes sense to get NTLM working before proceeding to configure Kerberos.
To start with, leave the Log4J logging option unchecked.
Set log file location. EasySSO will suggest jespa.log file in the logs directory of the application home by default. If not sure – leave as is.
Set logging detail level.
Logging levels explanation...
Recommended log level for testing is 4 - this will display requests and responses, DNS queries as well as details of communication with Domain Controllers.
For production use, level 1 or 2 is recommended.
Specify the DNS name of your domain, e.g. mydomain.org
Windows: How to find/confirm the name of your domain...
Obtain a computer Active Directory account with a password in your Domain from your Active Directory Administrator. If this takes more time than expected, you can save the parameters already entered on this screen and return to this screen later.
Please read IOPLEX Jespa Operators Manual about these (page 8). You will need a computer account with a password.
Since creating one requires you to be logged on as AD Admin, we cannot automate this task; please work with your Active Directory administrators on this.
Please pass the IOPLEX Jespa zip distribution to them – it contains the Operators Manual and the necessary command-line scripts to help them accomplish this task.
The IOPLEX Jespa package contains two .vbs scripts. One script is a full wizard that will create the computer account - you will need to be a domain administrator to be able to run this script. The other one can be used by your domain administrators to set a password on the computer account if they create it manually.
Consult with your Domain Administrator if use of "AD Site" is necessary
What is AD site...
Nowadays organisations often use multiple redundant Domain Controllers. They are often organised in groups known as "sites". While an End User workstation may be capable of "seeing" all Domain Controllers and connecting to all of them for the sake of disaster recovery, a server is often only able to connect to the closest site (probably co-located in the same datacenter). Your Domain Administrator should be able to identify the name of the site EasySSO should use to discover all available Domain Controllers that are actually usable.
Windows: How to identify what sites are available...
You can attempt to list all sites available to you by running the following command from the command line:
In the example above there is only one Domain Controller and it is in the site "Default-First-Site-Name".
This would be the value to insert into EasySSO parameter "AD Site" in the config screen.
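To confirm that the Domain Controllers in a candidate site are actually reachable from the application server, the following added example (not part of the original guide or of EasySSO/Jespa) looks up the site-specific DC locator SRV records and tests TCP connectivity to each DC. The domain and site values are the ones used as examples on this page, and the port list is an assumption to adjust for your environment.

```powershell
# Added example: run on the Windows server that hosts the Atlassian application.
# Assumed values: replace with your domain and the site named by your AD administrators.
$Domain = 'mydomain.org'
$Site   = 'Default-First-Site-Name'
# Assumption: LDAP (389), SMB (445) and Kerberos (88); adjust to what your setup uses.
$Ports  = 389, 445, 88

# Site this machine itself is assigned to (works on domain-joined Windows hosts only).
nltest /dsgetsite

# Domain Controllers register per-site SRV records under _sites.dc._msdcs.<domain>.
$srvName = '_ldap._tcp.{0}._sites.dc._msdcs.{1}' -f $Site, $Domain

# A wrong site name produces a "DNS name does not exist" error and stops here.
$dcs = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
    Where-Object { $_.NameTarget } |      # keep SRV answers, skip additional A/AAAA records
    ForEach-Object { $_.NameTarget } |
    Sort-Object -Unique

# Probe every DC in the site on every port and report what this server can reach.
foreach ($dc in $dcs) {
    foreach ($port in $Ports) {
        $result = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Port             = $port
            Reachable        = $result.TcpTestSucceeded
        }
    }
}
```

A site whose Domain Controllers all show Reachable = True is a sensible candidate for the "AD Site" parameter; confirm the final choice with your Domain Administrator.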
Canonical user account form depends on the format of usernames used in JIRA. Please read IOPLEX Jespa Operators Manual about this. Most installations will use canonical form=2, e.g. for usernames like "johndoe".
Please specify your login location for fallback when authentication cannot be completed successfully, e.g. /jira/login.jsp
If you are running behind Apache or IIS - please review page 3-4 of IOPLEX Jespa Operators Manual for additional config that needs to be done to these front-facing web servers. If you are using NGINX - see our page on that.
If you are installing EasySSO into multiple Atlassian applications that are integrated via Application Links, you will need to configure mutual filtering between applications, as NTLM/Kerberos is not supported when building or verifying the application link.
This can be done using either IP Filtering or User-Agent filtering to disable NTLM/Kerberos when, for example, JIRA contacts Confluence and vice versa. User-Agent filtering seems to be preferred by most customers.
In our FAQ we specifically answer the question "My Application Links don't work after installing EasySSO?" with instructions on how to configure User-Agent filtering.
Community/Non-profit license holders - please note that the IOPLEX Jespa license is usually not free for community organizations, and you will need to contact sales at ioplex.com to negotiate a discount code. We would appreciate it if the order is placed via us, but it's not required. EasySSO will not work with a trial IOPLEX Jespa license after the Jespa trial has expired with more than 25 users.
Pair EasySSO with User Management for JIRA and Confluence. Visit the Atlassian Marketplace for more information.