External authentication – iceScrum

Documentation This documentation applies only to iceScrum v7.
For old iceScrum R6, read the documentation or migrate.

Integrates iceScrum with your existing Single Sign On (SSO) provider


Unlike most Apps, the External header authentication App is server-wide. This means that it cannot be used on iceScrum Cloud. Otherwise, if your license includes it, then it will be available automatically.

The External header authentication app is used when authentication is handled by an external SSO provider. It will allow user authentication based on HTTP request headers. The External header authentication App should only be used when iceScrum is accessed through an SSO agent.

Users are authenticated based on the value provided in the username HTTP-header. iceScrum tries to match the provided username within its own user base in order to authenticate the user.

If there is no match, a new external user will be created on the fly based on provided information. This authentication provider works only for users which are typed as “external”.

User management

Users are created when no match is found on user name within iceScrum own userBase. New users are created as external user based on information provided in 4 HTTP-Headers :

  • username
  • firstname
  • lastname
  • email

External users cannot authenticate using the standard login form as they do not specify a password. The app configuration let you change the header names in which iceScrum will read.

Please note that in this configuration iceScrum will authenticate users based on provided username, without any other kind of credentials. This presumes that authentication is handled by an external service and that iceScrum should not be directly accessed by end users without going through this service.

The users created this way will also be updated in iceScrum if the first name, last name or email address have changed.

However, users created on the fly in iceScrum will not be deleted or disabled automatically. You might want to handle the off-boarding procedure separately, and you will be able to do it using iceScrum Web API.


You need to log in as administrator in order to configure HTTP-header authentication. You will find these settings in the “Settings – >Pre authentication” menu.

  • Enable header authentication: Enable header authentication will allow user authentication based on provided HTTP request header. This is intended to be used when authentication is handled by an external SSO provider. Do not enable it carelessly as it will strongly impact iceScrum security.
  • Enforce header authentication: If enabled, iceScrum will allow only header authentication and throw an exception if the username header is missing. Note this will disable other authentication providers such as admin and web API access.
  • Username header: Name of the HTTP request header containing the username name info. It is the main attribute used for user authentication and iceScrum will try to match it within its own user base.
  • First name header: Name of the HTTP request header containing the first name info. (required)
  • Last name header: Name of the HTTP request header containing the last name info. (required)
  • Email header: Name of the HTTP request header containing the email info. (required)
  • Logout redirect URL: Where to redirect user after logout. Intended to be used to redirect to external SSO provider logout page.

A server restart is needed for these settings to be taken into account.

Try it for free now
All you need for your Agile project management