Confluence SSO

This documentation is not yet complete. Refer to the Jira SSO documentation for general guidance relating to initial setup. Note that you may need a later version of the SSO Plugin in order to enable integration with Azure AD.

Disable Websudo

"Websudo" (secure administrator sessions) controls the time-limited escalation of privileges, but it does not work with Azure AD SAML authentication.

If you have already enabled SSO as primary authentication you won't be able to obtain the admin privileges you need to turn off websudo. See the notes on bypassing SSO in order to work around this if necessary.
  • Choose the cog icon, then choose General Configuration

  • Choose Security Configuration in the left-hand panel.

  • Choose Edit.

  • Uncheck the "Secure administrator sessions" checkbox.

  • Click Save

Bypassing SSO

You may need to do this if you have enabled SSO but have left websudo enabled.

Assumptions

  • You have a non-SAML admin user configured in Confluence with a known password.

  • You have a REST tool able to make GET and PUT requests. These instructions use the Insomnia tool.

Check SAML Configuration

In Insomnia...

  • Create a new request (My Request)

  • Select "Basic" authentication and enter the username and password of the non-SSO admin user

  • Select "GET" from the dropdown in the white bar at the top. Enter https://yourConfluenceServer/rest/authconfig/1.0/sso

  • Click "Send"

  • Return code should be 200

  • The Preview should show the certificate and the values of various configuration items. The value of interest is "allow-redirect-override"

Update SAML Configuration

(The request is almost certainly already set up from the check steps above.)
  • In the "Body" tab select "JSON".

  • Paste the following (using the Check step above to confirm the format is correct):

    {
      "allow-redirect-override": true
    }

  • Click "Send".

  • Return code should be 200

Use auth_fallback=true to bypass SSO: enter https://yourConfluenceServer/login.action?auth_fallback=true.

Consider the security ramifications of this change. If the risk is considered unacceptable, use the method above to enable the bypass only when admin access is required. To revert, repeat the steps above with "allow-redirect-override": false
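The check and update steps above, scripted, as an added example that is not part of this page or of Atlassian's own tooling. It assumes the PUT goes to the same /rest/authconfig/1.0/sso endpoint as the GET (the Insomnia steps reuse that request) and that a non-SAML admin account is used with Basic authentication. The sample response is constructed; only the "allow-redirect-override" key is taken from the page, the other keys are illustrative. The audit function is the part worth keeping around: it reports whether the bypass was left enabled after maintenance, which is the condition the paragraph above warns about.

```python
"""Audit and toggle Confluence's "allow-redirect-override" SAML setting
over the authconfig REST API (the Insomnia steps above, scripted)."""
import base64
import json
import urllib.request

# Constructed sample of a GET /rest/authconfig/1.0/sso response. Only the
# "allow-redirect-override" key comes from the page; the other keys are
# illustrative assumptions, and the real response also carries the IdP
# certificate and further settings.
SAMPLE_RESPONSE = json.dumps({
    "allow-redirect-override": False,
    "enable-sso": True,
    "certificate": "<certificate omitted>",
})


def sso_endpoint(base_url: str) -> str:
    """Build the authconfig SSO endpoint URL from the Confluence base URL."""
    return base_url.rstrip("/") + "/rest/authconfig/1.0/sso"


def basic_auth_header(username: str, password: str) -> str:
    """Basic auth header value for the non-SAML admin account."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def redirect_override_enabled(response_body: str) -> bool:
    """Parse the GET response and report whether the SSO bypass is enabled.
    A missing key is reported as False (no bypass configured)."""
    config = json.loads(response_body)
    return bool(config.get("allow-redirect-override", False))


def build_update_request(base_url, username, password, enabled):
    """PUT request that sets allow-redirect-override, mirroring the JSON
    body pasted in Insomnia. Builds the request without sending it, so the
    same function serves both enabling and reverting the bypass."""
    body = json.dumps({"allow-redirect-override": enabled}).encode()
    return urllib.request.Request(
        sso_endpoint(base_url), data=body, method="PUT",
        headers={
            "Authorization": basic_auth_header(username, password),
            "Content-Type": "application/json",
        },
    )


def fetch_sso_config(base_url, username, password) -> str:
    """GET the current SSO configuration (network call; not used offline).
    Raises if the status is not 200, matching the expected-return-code step."""
    req = urllib.request.Request(
        sso_endpoint(base_url),
        headers={"Authorization": basic_auth_header(username, password)},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        if resp.status != 200:
            raise RuntimeError(f"unexpected status {resp.status}")
        return resp.read().decode()


if __name__ == "__main__":
    # Offline run on the constructed sample; against a real server, replace
    # SAMPLE_RESPONSE with fetch_sso_config(base_url, user, password).
    print("bypass enabled:", redirect_override_enabled(SAMPLE_RESPONSE))
    req = build_update_request("https://yourConfluenceServer", "admin", "secret", False)
    print(req.get_method(), req.full_url, req.data.decode())
```

Run the audit on a schedule against the real endpoint and alert when it returns True outside a maintenance window; reverting is the same PUT with enabled=False.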

Check SSO Status (Database)

The SSO configuration can also be checked directly in the database with the following query:

SELECT *
FROM bandana
WHERE bandanakey LIKE 'com.atlassian.plugins.authentication.sso.config%';