
Issue with SAML integration: between Confluence and OAM

We have tried configuring SAML for Confluence with OAM. Before SAML, we had configured LDAP with AD.

We are unable to access the Confluence page; when accessing it from the SSO page, it throws an error page.

When we enabled debug-level logging, we observed two errors.

1. "Check the clock setting", but all the servers are in sync with NTP servers. Still, the same error keeps appearing in the logs.

2. When we tried accessing with a particular user ID, the logs show it as anonymous rather than the user ID.

Please help us out with this issue.


Thanks,

Prudhvi

2 answers

Hi,

in order to do SAML in Server you need to use a 3rd-party plugin. Could you please let us know which one you are using? This is important if we are to help you.

cheers,

chris

Hi Chris,

As per the documentation, SAML is available in the new version of Data Center. We don't have to use any plugin.

Please correct me if I am wrong.

Thanks,

Prudhvi

Hi @prudhvi raj

you are correct & I see you added the data-center tags to this post; my question originally came because it only had the confluence-server tag.

Would you mind sharing a bit more of what happens & where you get stuck (i.e. the exact error page & message, screenshot & log files)?

You mentioned NTP in your initial post.

For SAML to work it's important that all clocks are synchronized between all DC nodes *and* the OAM. This is due to the fact that messages that the OAM creates are only valid for a certain timeframe - and if the DC node receives it out of that time window (or at least thinks so due to clock skew) - it will not work.

Also, for the Atlassian SAML to work it is important that the NameID which the IdP (OAM here) sends exactly matches the username of the Confluence user.

May I ask how you synchronise the Users between OAM & Confluence DC? Still the LDAP from AD? Or are you adding the Users manually?

We do develop a SAML plugin for Server & Data Center - so one of the things you could consider to aid you in troubleshooting is to try a setup via our plugin & see if that works. That way you may get some of our troubleshooting information (authentication trackers) & see if your problem is more on the Atlassian side or on the OAM side.
That may help gather some more information that helps you in the Atlassian SAML setup. The evaluation periods are free, so there is no cost associated. Here is a link to our plugin if you like: https://marketplace.atlassian.com/apps/1212129/saml-single-sign-on-sso-confluence?hosting=server&tab=overview


Cheers,
Christian  

Hi @Christian_Reichert__resolution_,

Sorry for the confusion created earlier. As I am currently working on PROD servers, I am afraid I can't use any plugin without approvals.

I confirm all the servers are in sync with NTP, but the same error is registered multiple times.

We have synchronized the users from LDAP.

Below are the different errors listed in log file.

1. [onelogin.saml2.authn.SamlResponse] isValid Timing issues (please check your clock settings)

2. url: /plugins/servlet/samlconsumer | traceId: xxxxxxxx | userName: anonymous

3. doFilter Received invalid SAML response: Timing issues (please check your clock settings)

Thanks,

PrudhviRaj

Hi @prudhvi raj,

you may have to open a support case with Atlassian then.

Numbers 1 & 3 indicate that this is a clock issue - this may also just be msec differences between Confluence & the IdP.

On our plugin I could at least talk you through troubleshooting & getting the appropriate logfiles/authentication tracker. Here you'd have to bring this to Atlassian's support.


Cheers,
Christian

Oh I forgot - No 2 "anonymous" - that looks normal. This looks like it's the plugin getting the SAML response. At that time the User is not authenticated yet, hence Anonymous is what you'd expect here.

Thanks for your help and information Sir!!

Issue is from OAM side.

@prudhvi raj

So what was the specific issue from the OAM side? If you don't mind sharing? :)

@prudhvi raj What was the issue with the IDP? We experience the same problem, but not all the time, just randomly...

We fixed this problem by running the following on the IDP side (ADFS):

Set-ADFSRelyingPartyTrust -TargetIdentifier "<relying party identifier>" -NotBeforeSkew 5
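The two checks the replies above keep coming back to are the assertion's validity window (the NotBefore / NotOnOrAfter conditions, which is what a "Timing issues (please check your clock settings)" error is about, and what the ADFS -NotBeforeSkew setting loosens) and the NameID having to match the Confluence username exactly. The following is an added Python example written for this thread, not code from Atlassian, OAM, ADFS or the onelogin toolkit; the assertion, hostnames, ID and username in it are constructed placeholders, and the skew handling is a simplified model of what a SAML service provider does, not a copy of any product's implementation.

```python
"""Added example: validity-window and NameID checks on a SAML assertion.

Models the two failure modes discussed in the thread:
  * the SP's clock is ahead of or behind the IdP's, so the assertion looks
    not-yet-valid or expired (fixed by NTP, or tolerated via a skew allowance);
  * the NameID the IdP sends does not exactly match a local username.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Time the IdP stamped on the constructed assertion below.
ISSUE_INSTANT = datetime(2020, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample assertion (placeholders only; not a real OAM/ADFS response).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example-id" Version="2.0" IssueInstant="2020-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/oam</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">prudhvi.raj</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-05-01T12:00:00Z" NotOnOrAfter="2020-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://confluence.example.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_saml_instant(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix, optional fractional seconds)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported SAML timestamp: %r" % value)


def sp_clock(offset_seconds):
    """The service provider's idea of 'now': the IdP issue time plus a skew."""
    return ISSUE_INSTANT + timedelta(seconds=offset_seconds)


def check_validity_window(assertion_xml, now, skew_seconds=0):
    """Return (ok, reason) for the Conditions element against the SP clock `now`.

    `skew_seconds` widens the window on both ends. ADFS's -NotBeforeSkew from
    the thread only widens the NotBefore side; it is applied here to both so
    the expiry case can be exercised too.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    skew = timedelta(seconds=skew_seconds)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before:
        nb = parse_saml_instant(not_before)
        if now < nb - skew:
            return False, "not yet valid: SP clock is %s behind NotBefore" % (nb - now)
    if not_on_or_after:
        noa = parse_saml_instant(not_on_or_after)
        if now >= noa + skew:
            return False, "expired: SP clock is %s past NotOnOrAfter" % (now - noa)
    return True, "within validity window"


def name_id(assertion_xml):
    """Extract the Subject NameID text, or None if absent."""
    root = ET.fromstring(assertion_xml)
    el = root.find("saml:Subject/saml:NameID", SAML_NS)
    return None if el is None else (el.text or "").strip()


def name_id_matches_user(assertion_xml, local_usernames):
    """Exact, case-sensitive comparison: the thread's 'must match exactly'."""
    nid = name_id(assertion_xml)
    return nid is not None and nid in local_usernames


if __name__ == "__main__":
    # SP 2 seconds behind the IdP: fails with no tolerance, passes with a 5 s skew.
    print(check_validity_window(SAMPLE_ASSERTION, sp_clock(-2)))
    print(check_validity_window(SAMPLE_ASSERTION, sp_clock(-2), skew_seconds=5))
    print(name_id(SAMPLE_ASSERTION), name_id_matches_user(SAMPLE_ASSERTION, {"prudhvi.raj"}))
```

Running it shows that a service provider whose clock is only two seconds behind the IdP rejects the assertion as not yet valid unless a skew allowance is configured, which is the symptom in the log lines quoted above even when NTP is in place but has not fully converged; the NameID check shows why "prudhvi.raj" versus "Prudhvi.Raj" is enough for a correctly-timed assertion to still not map to a Confluence user.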
