Issue with SAML integration: between Confluence and OAM

We have tried configuring SAML for Confluence with OAM. Before SAML, we had configured LDAP with AD.

We are unable to access the Confluence page; when accessing it from the SSO page, it throws an error page.

When we enabled debug-level logging, we observed two errors:

1. "Check the clock setting", but all the servers are in sync with NTP servers. Still, the same error keeps appearing in the logs.

2. When we tried accessing with a particular user ID, the logs show it as anonymous rather than the user ID.

Please help us out with this issue.


Thanks,

Prudhvi

2 answers

Hi,

In order to do SAML in Server you need to use a 3rd-party plugin. Could you please let us know which one you are using? This is important for us to be able to help you.

cheers, 

chris

Hi Chris,

As per the documentation, SAML is available in the new version of Data Center. We don't have to use any plugin.

Please correct me if I am wrong.

Thanks,

Prudhvi

Hi @prudhvi raj

you are correct, & I see you added the data-center tag to this post; my question originally came up because it only had the confluence-server tag.

Would you mind sharing a bit more of what happens & where you get stuck (i.e. the exact error page & message, screenshots & logfiles)?

You mentioned NTP in your initial post.

For SAML to work it's important that all clocks are synchronized between all DC nodes *and* the OAM. This is due to the fact that messages that the OAM creates are only valid for a certain timeframe, and if the DC node receives one outside that time window (or at least thinks so due to clock skew), it will not work.

Also, for the Atlassian SAML to work it is important that the NameID which the IdP (OAM here) sends exactly matches the username of the Confluence user.

May I ask how you synchronise the users between OAM & Confluence DC? Still the LDAP from AD? Or are you adding the users manually?

We do develop a SAML plugin for Server & Data Center, so one of the things you could consider to aid you in troubleshooting is to try a setup via our plugin & see if that works. That way you may get some of our troubleshooting information (authentication trackers) & see if your problem is more on the Atlassian side or on the OAM side.
That may help gather some more information that helps you with the Atlassian SAML setup. The evaluation periods are free, so there is no cost associated. Here is a link to our plugin if you like: https://marketplace.atlassian.com/apps/1212129/saml-single-sign-on-sso-confluence?hosting=server&tab=overview


Cheers,
Christian  

Hi @Christian Reichert _resolution_,

Sorry for the confusion created earlier. As I am currently working on PROD servers, I am afraid I can't use any plugin without approvals.

I confirm all the servers are in sync with NTP, but the same error is registered multiple times.

We have synchronized the users from LDAP.

Below are the different errors listed in the log file.

1. [onelogin.saml2.authn.SamlResponse] isValid Timing issues (please check your clock settings)

2. url: /plugins/servlet/samlconsumer | traceId: xxxxxxxx | userName: anonymous

3. doFilter Received invalid SAML response: Timing issues (please check your clock settings)

Thanks,

PrudhviRaj

Hi @prudhvi raj,

you may have to open a support case with Atlassian then.

Numbers 1 & 3 indicate that this is a clock issue; this may also just be msec differences between Confluence & the IdP.

On our plugin I could at least talk you through troubleshooting & getting the appropriate logfiles/authentication tracker. Here you have to bring this to Atlassian's support.


Cheers,
Christian

Oh, I forgot: No. 2, "anonymous", looks normal. This looks like it's the plugin receiving the SAML response. At that time the user is not authenticated yet, hence anonymous is what you'd expect here.

Thanks for your help and information, Sir!!

The issue is from the OAM side.

@prudhvi raj

So what was the specific issue from the OAM side? If you don't mind sharing? :)

@prudhvi raj What was the issue with the IdP? We experience the same problem, but not all the time, just randomly...

We fixed this problem by running the following on the IdP side (ADFS):

Set-ADFSRelyingPartyTrust -TargetIdentifier "<relying party identifier>" -NotBeforeSkew 5
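Both the clock-skew explanation earlier in the thread and the ADFS NotBeforeSkew fix above come down to how the service provider evaluates the assertion's NotBefore/NotOnOrAfter window. The following is an added illustration, not code from Confluence, OAM, ADFS or any plugin discussed here; it checks a constructed assertion the way an SP does and shows that a few hundred milliseconds of skew produce a "not yet valid" rejection unless some tolerance is allowed.

```python
"""Added example: evaluate a SAML assertion's validity window the way an SP does.

A constructed assertion stands in for what OAM/ADFS would send; a small clock
difference is enough to trigger "Timing issues (please check your clock settings)"
when no skew is tolerated."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a real capture): the IdP's clock read 12:00:00.250Z at issue time.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2023-03-01T12:00:00.250Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2023-03-01T12:00:00.250Z"
                   NotOnOrAfter="2023-03-01T12:05:00.250Z"/>
</saml:Assertion>"""


def parse_saml_instant(value):
    """SAML timestamps are xsd:dateTime in UTC ('Z'); normalise for fromisoformat."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def check_timing(assertion_xml, now_iso, allowed_skew_seconds=0):
    """Return (valid, reason). Valid iff NotBefore - skew <= now < NotOnOrAfter + skew."""
    now = parse_saml_instant(now_iso)
    skew = timedelta(seconds=allowed_skew_seconds)
    conditions = ET.fromstring(assertion_xml).find(".//saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "assertion has no Conditions element"
    not_before = conditions.get("NotBefore")
    if not_before and now < parse_saml_instant(not_before) - skew:
        ahead = (parse_saml_instant(not_before) - now).total_seconds()
        return False, f"not yet valid: SP clock is {ahead:.3f}s behind NotBefore={not_before}"
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after and now >= parse_saml_instant(not_on_or_after) + skew:
        late = (now - parse_saml_instant(not_on_or_after)).total_seconds()
        return False, f"expired: SP clock is {late:.3f}s past NotOnOrAfter={not_on_or_after}"
    return True, "within validity window"


if __name__ == "__main__":
    # SP clock 200 ms behind the IdP: rejected with no tolerance, accepted with 5 s tolerance.
    sp_now = "2023-03-01T12:00:00.050Z"
    print(check_timing(SAMPLE_ASSERTION, sp_now))
    print(check_timing(SAMPLE_ASSERTION, sp_now, allowed_skew_seconds=5))
```

Backdating NotBefore on the IdP (what the ADFS command does) and allowing skew on the SP side are two ways of widening the same window; neither replaces keeping NTP healthy on every node and on the IdP.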
