We have tried configuring SAML for Confluence with OAM. Before SAML, we had configured LDAP with AD.
We are unable to access the Confluence page when accessing it from the SSO page; it throws an error page.
When we enabled debug-level logging, we observed two errors.
1. Check the clock setting, but all the servers are in sync with NTP servers. Still the same error is repeated in the logs.
2. When we tried accessing with a particular user ID, the logs show it as anonymous rather than the user ID.
Please help us out with this issue.
Thanks,
Prudhvi
We fixed this problem by running the following on the IDP side (ADFS)
Set-ADFSRelyingPartyTrust -TargetIdentifier "<relying party identifier>" -NotBeforeSkew 5
Hi,
In order to do SAML in Server you need to use a 3rd-party plugin. Could you please let us know which one you are using? This is important if we are to help you.
cheers,
chris
Hi Chris,
As per the documentation, SAML is available in the new version of Data Center. We don't have to use any plugin.
Please correct me if I am wrong.
Thanks,
Prudhvi
Hi @prudhvi raj,
You are correct, and I see you added the data-center tag to this post; my question originally came because it only had the confluence-server tag.
Would you mind sharing a bit more of what happens and where you get stuck (i.e. the exact error page and message, i.e. screenshots and log files)?
You mentioned NTP in your initial post.
For SAML to work it's important that all clocks are synchronized between all DC nodes *and* the OAM. This is because the messages that the OAM creates are only valid for a certain timeframe, and if the DC node receives one outside that time window (or at least thinks so due to clock skew), it will not work.
Also, for the Atlassian SAML to work, it is important that the NameID which the IdP (OAM here) sends exactly matches the username of the Confluence user.
May I ask how you synchronise the users between OAM and Confluence DC? Still via LDAP from AD? Or are you adding the users manually?
We develop a SAML plugin for Server and Data Center, so one thing you could consider to aid troubleshooting is to try a setup via our plugin and see if that works. That way you may get some of our troubleshooting information (authentication trackers) and see if your problem is more on the Atlassian side or on the OAM side.
That may help gather more information to help you with the Atlassian SAML setup. The evaluation periods are free, so there is no cost associated. Here is a link to our plugin if you like: https://marketplace.atlassian.com/apps/1212129/saml-single-sign-on-sso-confluence?hosting=server&tab=overview
Cheers,
Christian
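The two conditions described above (the assertion's validity window with a clock-skew tolerance, and the exact NameID-to-username match) can be illustrated with a small validator. This is an added example, not code from Atlassian, OAM, or the plugin vendor; the assertion XML, the timestamps and the username list are constructed for the illustration, and the `skew` parameter models the same idea as the ADFS `-NotBeforeSkew` setting mentioned earlier in the thread.

```python
"""Constructed illustration of SAML Conditions timing checks with skew
tolerance and exact NameID matching. Not Atlassian, OAM or plugin code."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed minimal assertion: only the Subject/NameID and Conditions parts
# that the two checks need. Real assertions are signed and carry much more.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>prudhvi.raj</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2019-06-01T10:00:00Z" NotOnOrAfter="2019-06-01T10:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC, with or without fractional seconds."""
    if value.endswith("Z"):
        value = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_timing(assertion_xml, now, skew=timedelta(0)):
    """Return (ok, reason) for the Conditions window evaluated at `now`.

    `skew` widens the window on both sides. With skew=0, an SP clock that is
    even a few hundred milliseconds behind the IdP rejects a fresh assertion
    as 'not yet valid', which is the 'Timing issues' failure seen in the logs.
    NotBefore is inclusive, NotOnOrAfter is exclusive, as in the SAML spec.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before is not None and now < parse_saml_time(not_before) - skew:
        return False, "Timing issues: assertion not yet valid (SP clock behind IdP?)"
    if not_on_or_after is not None and now >= parse_saml_time(not_on_or_after) + skew:
        return False, "Timing issues: assertion expired (SP clock ahead of IdP?)"
    return True, "within validity window"


def check_name_id(assertion_xml, known_usernames):
    """Return (ok, detail): the NameID must match a Confluence username exactly."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id in known_usernames:
        return True, name_id
    return False, f"NameID {name_id!r} has no exactly matching Confluence username"


if __name__ == "__main__":
    # SP clock half a second behind the IdP that just issued the assertion.
    sp_now = datetime(2019, 6, 1, 9, 59, 59, 500000, tzinfo=timezone.utc)
    print(check_timing(SAMPLE_ASSERTION, sp_now))
    print(check_timing(SAMPLE_ASSERTION, sp_now, skew=timedelta(seconds=5)))
    print(check_name_id(SAMPLE_ASSERTION, {"prudhvi.raj", "chris"}))
    print(check_name_id(SAMPLE_ASSERTION, {"praj", "chris"}))
```

Running it shows the first timing check failing with the "not yet valid" reason and the second passing once a 5-second tolerance is applied; the NameID check passes only when the directory contains the exact value the IdP sent.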
Hi @Christian Reichert (resolution),
Sorry for the confusion created earlier. As I am currently working on PROD servers, I am afraid I can't use any plugin without approvals.
I confirm all the servers are in sync with NTP, but the same error is registered multiple times.
We have synchronized the users from LDAP.
Below are the different errors listed in log file.
1. [onelogin.saml2.authn.SamlResponse] isValid Timing issues (please check your clock settings)
2. url: /plugins/servlet/samlconsumer | traceId: xxxxxxxx | userName: anonymous
3. doFilter Received invalid SAML response: Timing issues (please check your clock settings)
Thanks,
PrudhviRaj
Hi @prudhvi raj,
you may have to open a support case with Atlassian then.
Numbers 1 and 3 indicate that this is a clock issue; this may also just be millisecond differences between Confluence and the IdP.
With our plugin I could at least talk you through troubleshooting and getting the appropriate logfiles/authentication tracker. Here you have to bring this to Atlassian's support.
Cheers,
Christian
Oh, I forgot: No. 2, "anonymous", looks normal. This looks like it's the plugin receiving the SAML response. At that time the user is not authenticated yet, hence anonymous is what you'd expect here.
Thanks for your help and information Sir!!
Issue is from OAM side.
So what was the specific issue on the OAM side? If you don't mind sharing? :)
@prudhvi raj What was the issue with the IdP? We experience the same problem, but not all the time, just randomly...