We have tried configuring SAML for Confluence with OAM. Before SAML we have configured LDAP with AD.
We are unable to access the Confluence page while accessing it from SSO page it is throwing error page.
When we enabled debug level logging. We have observed two errors.
1. "Check the clock setting", but all the servers are in sync with NTP servers. Still, the same error keeps appearing in the logs.
2. When we tried accessing with a particular user ID, the logs show it as anonymous rather than the user ID.
Please help us out with this issue.
Hi @prudhvi raj,
you are correct, and I see you added the data-center tags to this post; my question originally came because it only had the confluence-server tag.
Would you mind sharing a bit more of what happens and where you get stuck (i.e. the exact error page and message, e.g. a screenshot and log files)?
You mentioned NTP in your initial post.
For SAML to work it's important that all clocks are synchronized between all DC nodes *and* the OAM. This is due to the fact that the messages the OAM creates are only valid for a certain timeframe, and if the DC node receives one outside that time window (or at least thinks so due to clock skew), it will not work.
Also for the Atlassian SAML to work it is important that the NameID which the IdP (OAM here) sends exactly matches with the Username of the Confluence User.
May I ask how you synchronise the Users between OAM & Confluence DC? Still the LDAP from AD? Or are you adding the Users manually?
We do develop a SAML plugin for Server & Data Center, so one of the things you could consider to aid you in troubleshooting is to try a setup via our plugin and see if that works. That way you may get some of our troubleshooting information (authentication trackers) and see if your problem is more on the Atlassian side or on the OAM side.
That may help gather some more information that helps you in the Atlassian SAML Setup. The evaluation periods are free, so there is no cost associated. Here is a link to our plugin if you like: https://marketplace.atlassian.com/apps/1212129/saml-single-sign-on-sso-confluence?hosting=server&tab=overview
Sorry for the confusion created earlier. As I am currently working on PROD servers, I am afraid I can't use any plugin without approvals.
I confirm all the servers are in sync with NTP, but the same error is registered multiple times.
We have synchronized the users from LDAP.
Below are the different errors listed in log file.
1. [onelogin.saml2.authn.SamlResponse] isValid Timing issues (please check your clock settings)
2. url: /plugins/servlet/samlconsumer | traceId: xxxxxxxx | userName: anonymous
3. doFilter Received invalid SAML response: Timing issues (please check your clock settings)
Hi @prudhvi raj,
you may have to open a support case with Atlassian then.
Numbers 1 & 3 indicate that this is a clock issue; this may also just be millisecond differences between Confluence & the IdP.
On our plugin I could at least talk you through troubleshooting & getting the appropriate logfiles/authentication tracker. Here you would have to bring this to Atlassian's support.
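To make the two points in this thread concrete (the assertion is only valid inside a time window, so even sub-second clock skew can reject it, and the NameID has to match the Confluence username exactly or the request is treated as anonymous), here is an added illustration in Python. It is not code from Confluence, OAM, the onelogin toolkit or the plugin vendor; it is a small, self-contained validator over a constructed, unsigned sample Response, and the skew tolerance it accepts is a parameter of this example only (the page does not state what tolerance the real library applies).

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (not a real capture): a minimal, unsigned SAML Response
# of the kind an IdP would POST to the SP's consumer endpoint. Signature
# checking is deliberately out of scope here; only timing and NameID are shown.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2020-06-01T10:00:00Z">
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2020-06-01T10:00:00Z">
    <saml2:Issuer>https://idp.example.invalid/oam</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2020-06-01T10:05:00Z"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2020-06-01T10:00:00Z" NotOnOrAfter="2020-06-01T10:05:00Z"/>
  </saml2:Assertion>
</saml2p:Response>"""


def parse_saml_time(value):
    """Parse an xsd:dateTime as SAML uses it (UTC with a trailing 'Z')."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return dt.datetime.fromisoformat(value)


def check_timing(response_xml, now, allowed_skew_seconds=0):
    """Return the list of timing violations; empty means the window is satisfied.

    `now` is the SP's own clock. `allowed_skew_seconds` is the tolerance this
    example grants in either direction (a parameter of the illustration only).
    """
    skew = dt.timedelta(seconds=allowed_skew_seconds)
    assertion = ET.fromstring(response_xml).find("saml2:Assertion", NS)
    problems = []
    cond = assertion.find("saml2:Conditions", NS)
    if cond is not None:
        nb = cond.get("NotBefore")
        # NotBefore is inclusive: valid once now >= NotBefore (minus tolerance).
        if nb and now + skew < parse_saml_time(nb):
            problems.append("Conditions NotBefore is still in the future: " + nb)
        noa = cond.get("NotOnOrAfter")
        # NotOnOrAfter is exclusive: invalid as soon as now >= NotOnOrAfter.
        if noa and now - skew >= parse_saml_time(noa):
            problems.append("Conditions NotOnOrAfter has passed: " + noa)
    path = "saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData"
    for scd in assertion.findall(path, NS):
        noa = scd.get("NotOnOrAfter")
        if noa and now - skew >= parse_saml_time(noa):
            problems.append("SubjectConfirmationData NotOnOrAfter has passed: " + noa)
    return problems


def name_id(response_xml):
    """Extract the NameID the IdP asserted for the subject (None if absent)."""
    el = ET.fromstring(response_xml).find("saml2:Assertion/saml2:Subject/saml2:NameID", NS)
    return el.text.strip() if el is not None and el.text else None


def diagnose(response_xml, now, allowed_skew_seconds, known_usernames):
    """Mimic the outcome an SP log would show: (effective user, reasons).

    Any timing violation, or a NameID with no exactly matching local username,
    leaves the request as 'anonymous', which is what the thread's log line shows.
    """
    problems = check_timing(response_xml, now, allowed_skew_seconds)
    if problems:
        return ("anonymous", problems)
    nid = name_id(response_xml)
    if nid not in known_usernames:
        return ("anonymous", ["NameID %r does not exactly match any local username" % nid])
    return (nid, [])


if __name__ == "__main__":
    # SP clock half a second behind the IdP's IssueInstant: rejected with zero
    # tolerance, accepted once a small skew allowance is granted.
    behind = parse_saml_time("2020-06-01T09:59:59.500Z")
    print(diagnose(SAMPLE_RESPONSE, behind, 0, {"jdoe"}))
    print(diagnose(SAMPLE_RESPONSE, behind, 60, {"jdoe"}))
```

Running the block with the SP clock 500 ms behind the IdP reproduces the "timing issues / anonymous" pairing from the log excerpt above under a zero tolerance, and shows the same response accepted once the clocks agree to within the allowed skew; the NameID comparison is deliberately case-sensitive, matching the "exactly matches" requirement stated in the thread.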