How to set SSO in Confluence?

sunghwan lee January 28, 2013

We use Confluence with Crowd.
We were able to log in to Confluence.

We set seraph-config.xml for the SSO function as follows. But when I set it as below, I can't log in to Confluence.
-------------------------------------------------------------------
Comment out the line:-
<!-- <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/> -->

Uncomment the line:-
<authenticator class="com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator"/>
-------------------------------------------------------------------

Below are our settings for the SSO function.

What was wrong?

■crowd
real ip : 1.1.1.1:8095/crowd
gateway ip : 7.7.7.7/crowd
gateway ip's domain name : a.domain.net/crowd
apache-tomcat/conf/server.xml : proxyName="a.domain.net"
administrator - General - SSO Domain : a.domain.net

configure application with confluence
name : confluence
ip : a.domain.net/confluence
remote address : 2.2.2.2

■confluence
real ip : http://2.2.2.2/confluence
gateway ip : 7.7.7.7/confluence
gateway ip's domain name : a.domain.net/confluence

configure directory with crowd
server url = 1.1.1.1:8095/crowd
application name = confluence

■apache mod_proxy for confluence
#put this after the other LoadModule directives
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
# Put this in the main section of your configuration (or desired virtual host, if using Apache virtual hosts)
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>

ProxyPass /confluence http://2.2.2.2:8090/confluence
ProxyPassReverse /confluence http://2.2.2.2:8090/confluence
<Location /confluence>
Order allow,deny
Allow from all
</Location>

■apache mod_proxy for crowd
#put this after the other LoadModule directives
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so

# Put this in the main section of your configuration (or desired virtual host, if using Apache virtual hosts)
ProxyRequests Off
ProxyPreserveHost On

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

ProxyPass /crowd http://1.1.1.1:8095/crowd
ProxyPassReverse /crowd http://1.1.1.1:8095/crowd
<Location /crowd>
Order allow,deny
Allow from all
</Location>

■confluence - server.xml
<Server port="8000" shutdown="SHUTDOWN" debug="0">
<Service name="Tomcat-Standalone">
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8090" minProcessors="5"
maxProcessors="75"
enableLookups="false" redirectPort="8443" acceptCount="10" debug="0" connectionTimeout="20000"
useURIValidationHack="false" URIEncoding="UTF-8"/>
<Engine name="Standalone" defaultHost="localhost" debug="0">

<Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">

<Context path="/confluence" docBase="../confluence" debug="0" reloadable="true">
<!-- Logger is deprecated in Tomcat 5.5. Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
<Manager pathname="" />
</Context>
</Host>

</Engine>

<!--
To run Confluence via HTTPS:

•Uncomment the Connector below
•Execute:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)
with a password value of "changeit" for both the certificate and the keystore itself.
•Restart and visit https://localhost:8443/
For more info, see http://confluence.atlassian.com/display/DOC/Adding+SSL+for+Secure+Logins+and+Page+Security
-->
<Connector port="8090" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"
proxyName="http://a.domain.net/" proxyPort="80"/>
</Service>
</Server>

■confluence - seraph-config.xml
<security-config>
<parameters>
<init-param>
<param-name>login.url</param-name>
<param-value>/login.action?os_destination=${originalurl}</param-value>
</init-param>
<init-param>
<param-name>link.login.url</param-name>
<param-value>/login.action</param-value>
</init-param>
<init-param>
<param-name>cookie.encoding</param-name>
<param-value>cNf</param-value>
</init-param>
<init-param>
<param-name>login.cookie.key</param-name>
<param-value>seraph.confluence</param-value>
</init-param>

<!-- only basic authentication available -->
<init-param>
<param-name>authentication.type</param-name>
<param-value>os_authType</param-value>
</init-param>

<!-- Invalidate session on login to prevent session fixation attack -->
<init-param>
<param-name>invalidate.session.on.login</param-name>
<param-value>true</param-value>
</init-param>
<!-- Add names for session attributes that must not be copied to a new session when the old one gets invalidated.
Currently it is empty (i.e. all attributes will be copied). -->
<init-param>
<param-name>invalidate.session.exclude.list</param-name>
<param-value></param-value>
</init-param>
</parameters>

<rolemapper class="com.atlassian.confluence.security.ConfluenceRoleMapper"/>
<controller class="com.atlassian.confluence.setup.seraph.ConfluenceSecurityController"/>

<!-- Default Confluence authenticator, which uses the configured user management for authentication. -->

<!-- Custom authenticators appear below. To enable one of them, comment out the default authenticator above and uncomment the one below. -->
<!-- Authenticator with support for Crowd single-sign on (SSO). -->
<authenticator class="com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator"/>
<!-- Specialised version of the default authenticator which adds authenticated users to confluence-users if they aren't already a member. -->
<!-- <authenticator class="com.atlassian.confluence.user.ConfluenceGroupJoiningAuthenticator"/> -->

<services>
<service class="com.atlassian.seraph.service.PathService">
<init-param>
<param-name>config.file</param-name>
<param-value>seraph-paths.xml</param-value>
</init-param>
</service>
</services>

<elevatedsecurityguard class="com.atlassian.confluence.security.seraph.ConfluenceElevatedSecurityGuard"/>

</security-config>

■confluence - crowd.properties

application.name confluence
application.password ****
application.login.url http://a.domain.net/crowd/console/

crowd.server.url http://a.domain.net/crowd/services/
crowd.base.url http://a.domain.net/crowd/

session.isauthenticated session.isauthenticated
session.tokenkey session.tokenkey
session.validationinterval 2
session.lastvalidation session.lastvalidation
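
An added example (not part of the original post and not Atlassian's code): a small Python lint for the settings listed above. It flags a Tomcat `proxyName` that is a URL rather than a bare host name, flags connectors that share a port, and checks whether a cookie scoped to the Crowd SSO domain would be sent to a given URL. Function names are hypothetical; the sample values are taken from the post.

```python
# Added example: lint a Tomcat server.xml and the Crowd SSO domain setting.
# SERVER_XML is a trimmed sample constructed from the values in the post.
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlsplit

SERVER_XML = """
<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8090"/>
    <Connector port="8090" proxyName="http://a.domain.net/" proxyPort="80"/>
  </Service>
</Server>
"""


def lint_connectors(server_xml):
    """Return a list of findings for the <Connector> elements in server_xml."""
    findings = []
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    # Two connectors cannot both bind the same port.
    for port, count in Counter(c.get("port") for c in connectors).items():
        if count > 1:
            findings.append(f"port {port}: declared by {count} connectors")
    for c in connectors:
        name = c.get("proxyName")
        # proxyName is the value returned by request.getServerName():
        # a bare host name, with no scheme and no path.
        if name and ("://" in name or "/" in name):
            host = urlsplit(name).hostname or name.strip("/")
            findings.append(f"proxyName {name!r}: use host name only ({host!r})")
    return findings


def cookie_domain_covers(sso_domain, url):
    """True if a browser sends a cookie scoped to sso_domain to the host in url."""
    host = (urlsplit(url).hostname or "").lower()
    domain = sso_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    for finding in lint_connectors(SERVER_XML):
        print("server.xml:", finding)
    for url in ("http://a.domain.net/confluence", "http://2.2.2.2/confluence"):
        print(url, "-> SSO cookie sent:", cookie_domain_covers("a.domain.net", url))
```
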


2 answers

0 votes
LuizA
February 4, 2013

Hello Sunghwan,

As a first approach, I would suggest that you double-check the SSO configuration against your Crowd version; some detail of the configuration itself may be wrong (this happens). You can follow this documentation, which explains how it works and how to configure it:

https://confluence.atlassian.com/display/CROWD025/Single+Sign-On

If that doesn't help, I would suggest that you raise a support ticket at our support.atlassian.com so we can take a better look at your environment in order to find a resolution/workaround for you.

I hope this helps.

Best Regards,

LJ.

0 votes
Sven Lecherbonnier January 28, 2013

Hi Sunghwan,

What is your CROWD / Confluence?

Regards,

Sven.

sunghwan lee January 28, 2013

Hi Sven.

crowd = 2.5.2

confluence = 4.3.2

Regards,

Sunghwan.
