Confluence SSO blocks login when enabled

I am using Confluence 5.8.10 and Crowd 2.8.3 running on Ubuntu 14.04.3.

 

In the Confluence Internal Directory, I have just a single user defined named 'atlassian'. 'atlassian' is also an admin user.

 

In Crowd, I have another user named 'ericg' in both the confluence-users and confluence-administrators groups. I have an application named 'atlassian_confluence' and in the groups tab I see both confluence-users and confluence-administrators. In the authentication test for atlassian_confluence, ericg passes the authentication test.

 

If I return to Confluence and go to the User Directories, the order of the directories is (0) Confluence Internal Directory and (1) Crowd Server. If I test the 'ericg' user with the (1) Crowd Server directory, the authentication test is passed. The (1) Crowd Server is fully synchronized.

 

I can log into Confluence using the 'atlassian' and 'ericg' user without any problems.

 

My /opt/atlassian/confluence/confluence/WEB-INF/classes/seraph-config.xml file contains:

<!-- Default Confluence authenticator, which uses the configured user management for authentication. -->
<authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>

<!-- Custom authenticators appear below. To enable one of them, comment out the default authenticator above and uncomment the one below. -->

<!-- Authenticator with support for Crowd single-sign on (SSO). -->
<!-- <authenticator class="com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator"/> -->

 

So far, so good.

 

So, now, I would like to enable Single Sign On for Confluence, but am having problems. I follow the instructions at Integrating Crowd with Atlassian Confluence.


I change seraph-config.xml to:

 

<!-- Default Confluence authenticator, which uses the configured user management for authentication. -->
<!-- <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/> -->

<!-- Custom authenticators appear below. To enable one of them, comment out the default authenticator above and uncomment the one below. -->

<!-- Authenticator with support for Crowd single-sign on (SSO). -->
<authenticator class="com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator"/>

 

My /opt/atlassian/confluence/confluence/WEB-INF/classes/crowd.properties file looks like:

 

application.name atlassian_confluence
application.password <<password>>
application.login.url http://localhost:8095/crowd/console/

crowd.server.url http://localhost:8095/crowd/services/
crowd.base.url http://localhost:8095/crowd/

session.isauthenticated session.isauthenticated
session.tokenkey session.tokenkey
session.validationinterval 5
session.lastvalidation session.lastvalidation

 

I am certain my application.name and application.password are both set correctly.

However, now I can no longer log into Confluence with either the 'atlassian' or 'ericg' user. What especially surprises me is that the 'atlassian' user no longer works. Why would that be?

I do stop and start the Confluence service while editing the seraph-config and crowd.properties.

What am I doing wrong?

I do also have JIRA and Stash installed and SSO w/Crowd works perfectly with both of them.

If further details are needed, please let me know.

 

3 answers

1 accepted

The problem turned out to be inside of Crowd with how the 'atlassian_confluence' Application was configured. I ran 'tail -f atlassian-crowd.log' and then tried to log into Confluence with SSO enabled. I saw a bunch of errors which said:

Client with address '127.0.0.1' is forbidden from making requests to application 'atlassian_confluence'

I went to the 'Remote Address' configuration tab and noticed that 127.0.0.1 was not listed as it was for the other applications (Stash & JIRA). Once I fixed this problem, SSO worked without issue.
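
The log check from the accepted answer, as an added example that is not part of the original post: it tallies the "forbidden" rejections in Crowd log text by application and client address, then lists the rejected addresses that are not yet on that application's Remote Address tab. The function names, the sample lines' timestamp prefix, the second application and the IPv6 loopback entry are constructed for illustration.

```shell
#!/bin/sh
# Added example. Only the message text comes from the post; the timestamp and
# level prefix in SAMPLE_LOG, 'example_app' and its address are constructed.

# Read Crowd log text on stdin; print "<count> <application> <address>",
# most frequent first.
forbidden_clients() {
    sed -n "s/.*Client with address '\([^']*\)' is forbidden from making requests to application '\([^']*\)'.*/\2 \1/p" |
        sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# $1 = application name, remaining args = addresses already listed for it.
# Prints each rejected address for that application that is not in the list.
missing_addresses() {
    app=$1; shift
    allowed=" $* "
    forbidden_clients | while read -r count name addr; do
        [ "$name" = "$app" ] || continue
        case "$allowed" in
            *" $addr "*) ;;            # already allowed, nothing to report
            *) echo "$addr" ;;
        esac
    done
}

# Constructed sample input (not taken from a real log file).
SAMPLE_LOG="2015-01-01 10:00:01,000 WARN Client with address '127.0.0.1' is forbidden from making requests to application 'atlassian_confluence'
2015-01-01 10:00:02,000 INFO Unrelated line that must be ignored
2015-01-01 10:00:03,000 WARN Client with address '127.0.0.1' is forbidden from making requests to application 'atlassian_confluence'
2015-01-01 10:00:04,000 WARN Client with address '0:0:0:0:0:0:0:1' is forbidden from making requests to application 'atlassian_confluence'
2015-01-01 10:00:05,000 WARN Client with address '10.0.0.5' is forbidden from making requests to application 'example_app'
2015-01-01 10:00:06,000 WARN Client with address '127.0.0.1' is forbidden from making requests to application 'atlassian_confluence'"

# Summary of all rejections, then what is still missing for one application
# when 127.0.0.1 has already been added.
printf '%s\n' "$SAMPLE_LOG" | forbidden_clients
printf '%s\n' "$SAMPLE_LOG" | missing_addresses atlassian_confluence 127.0.0.1
```

Against a live install, feed the real file instead of the sample: `forbidden_clients < atlassian-crowd.log`. An address that shows up here for a host you do not run the application on is a reason to investigate, not an entry to add.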

0 vote

Hey Eric,

Are you able to log in using Chrome's incognito mode (Ctrl+Shift+N)? Maybe the problem is on Chrome's cookies side.

As I can see, your Confluence's files are properly set.

If you are able to use SSO in incognito mode, remove/clear all of Chrome's cookies.

Cheers,

0 vote

Hello Eric,

May I ask if your Crowd base-url is indeed set to localhost:8095 as the crowd.properties file you pasted is showing?

application.login.url http://localhost:8095/crowd/console/

crowd.server.url http://localhost:8095/crowd/services/
crowd.base.url http://localhost:8095/crowd/

If that's indeed the URL of your Crowd, can you also confirm that your Confluence is using this URL to hook up with Crowd?

Lastly, just bear in mind that once you enable the SSO, you'll no longer be able to log into Confluence using the internal administrator since the connector class will forward all authentication tests to Crowd.

 

Eduardo
