Confluence SSO

Applications

Atlassian

Confluence

CNF Security

This documentation is not yet complete. Refer to the Jira SSO documentation for general guidance relating to initial setup. Note that you may need a later version of the SSO Plugin in order to enable integration with Azure AD.

Disable Websudo

Bypassing SSO

Assumptions

Check SAML Configuration

Update SAML Configuration

Check SSO Status (Database)

Bibliography

Disable Websudo

"Websudo" controls the time limited escalation of privileges, but does not work with Azure AD SAML authentication.

If you have already enabled SSO as primary authentication you won't be able to obtain the admin privileges you need to turn off websudo. See the notes on bypassing SSO in order to work around this if necessary.

Choose the cog icon , then choose General Configuration
Choose Security Configuration in the left-hand panel.
Choose Edit.
Uncheck the "Secure administrator sessions" checkbox.
Click Save

Bypassing SSO

You may need to do this if you have enabled SSO but have left websudo enabled.

Assumptions

You have a non-SAML admin user configured in Confluence with a known password.
You have a REST tool able to make GET and PUT requests. These instructions use the Insomnia tool.

REST

Check SAML Configuration

In Insomnia...

Create a new request (My Request)
Select "Basic" authentication and enter the username and password of the non-SSO admin user
Select "GET" from the dropdown in the white bar at the top. Enter https://yourConfluenceServer/rest/authconfig/1.0/sso
Click "Send"
Return code should be 200
The Preview should show the certificate and the values of various configuration items. We are interested in "allow-redirect-override"

Update SAML Configuration

Select "PUT" from the dropdown. Enter https://yourConfluenceServer/rest/authconfig/1.0/sso
Select "Basic" authentication and enter the username and password of the non-SSO admin user

(this is almost certainly already set from the check steps above)

In the "Body" tab select "JSON".
Paste the following...

(using the Check step above to confirm the format is correct).

{

"allow-redirect-override": true

}

Click "Send".
Return code should be 200

Use auth_failback=true to bypass SSO. Enter https://yourConfluenceServer/login.action?auth_fallback=true.

Consider the security ramifications of this change. If the risk is considered unacceptable, consider using the method above to enable admin access only when required. To revert this functionality, repeat the steps above with: "allow-redirect-override": false

Check SSO Status (Database)

The SSO configuration can also be checked directly in the database as well through the following query:

SELECT *

FROM bandana

WHERE bandanakey LIKE 'com.atlassian.plugins.authentication.sso.config%';

Bibliography

https://confluence.atlassian.com/doc/configuring-secure-administrator-sessions-218269595.htmlhttps://confluence.atlassian.com/doc/recognized-system-properties-190430.htmlhttps://confluence.atlassian.com/doc/configuring-system-properties-168002854.htmlhttps://confluence.atlassian.com/jirakb/bypass-saml-authentication-for-jira-data-center-869009810.htmlhttps://confluence.atlassian.com/confkb/enable-default-login-page-to-bypass-saml-in-confluence-data-center-957972845.htmlhttps://insomnia.rest/

Page updated

Google Sites

Report abuse