Documentation This documentation applies only to iceScrum v7.
For old iceScrum R6, read the documentation or migrate.
-
1 - Install or Upgrade
-
2 - Getting started
-
3 - Core features
4 - Apps & integrations
Neatro
Companion
MURAL
Microsoft Teams
Discord
iObeya
Zoom
Google Hangouts Meet
Jamboard by Google
Miro
Jitsi Meet
Mattermost
Custom project dashboard
Agile KPIs
Webhooks
Forecast
Agile fortune
SAML Authentication
Labels
Share
Zapier
Story workflow
FeatureMap
Time tracking
Diagrams & mockups
Epic stories
Portfolio
Project Roadmap
Toolbox
External authentication
Continuous integration
Cloud attachments
Team capacity
Bug trackers
LDAP / Active Directory
Slack
Project administration
User administration
Server administration
Git & SVN
Data export
Mood
Excel import
Task responsible
Story vote
Story template
Apps & integrations
Custom Backlogs
-
5 - Migration
-
Integrates iceScrum with your existing Single Sign On (SSO) provider
Principles
Unlike most Apps, the External header authentication App is server-wide. This means that it cannot be used on iceScrum Cloud. Otherwise, if your license includes it, then it will be available automatically.
The External header authentication app is used when authentication is handled by an external SSO provider. It will allow user authentication based on HTTP request headers. The External header authentication App should only be used when iceScrum is accessed through an SSO agent.
Users are authenticated based on the value provided in the username HTTP-header. iceScrum tries to match the provided username within its own user base in order to authenticate the user.
If there is no match, a new external user will be created on the fly based on provided information. This authentication provider works only for users which are typed as “external”.
User management
Users are created when no match is found on user name within iceScrum own userBase. New users are created as external user based on information provided in 4 HTTP-Headers :
- username
- firstname
- lastname
External users cannot authenticate using the standard login form as they do not specify a password. The app configuration let you change the header names in which iceScrum will read.
Please note that in this configuration iceScrum will authenticate users based on provided username, without any other kind of credentials. This presumes that authentication is handled by an external service and that iceScrum should not be directly accessed by end users without going through this service.
The users created this way will also be updated in iceScrum if the first name, last name or email address have changed.
However, users created on the fly in iceScrum will not be deleted or disabled automatically. You might want to handle the off-boarding procedure separately, and you will be able to do it using iceScrum Web API.
Configuration
You need to log in as administrator in order to configure HTTP-header authentication. You will find these settings in the “Settings – >Pre authentication” menu.
- Enable header authentication: Enable header authentication will allow user authentication based on provided HTTP request header. This is intended to be used when authentication is handled by an external SSO provider. Do not enable it carelessly as it will strongly impact iceScrum security.
- Enforce header authentication: If enabled, iceScrum will allow only header authentication and throw an exception if the username header is missing. Note this will disable other authentication providers such as admin and web API access.
- Username header: Name of the HTTP request header containing the username name info. It is the main attribute used for user authentication and iceScrum will try to match it within its own user base.
- First name header: Name of the HTTP request header containing the first name info. (required)
- Last name header: Name of the HTTP request header containing the last name info. (required)
- Email header: Name of the HTTP request header containing the email info. (required)
- Logout redirect URL: Where to redirect user after logout. Intended to be used to redirect to external SSO provider logout page.
A server restart is needed for these settings to be taken into account.
