SSO Confluence Authenticator does not add users to Internal Directory

I am having an SSO issue which is basically the same as below, but with Confluence.


Previously, we have been using the Internal Confluence Directory autenticated via LDAP.

Addition of a custom SSO authenticator (written by a 3rd party) has been successful in a test environment, but only for users who already had a confluence account. Users who did not previously have an account are not added to {noformat}cwd_user{noformat}, nor are any default groups added to the internal directory.

I'm unwilling to hand over all control of users and groups to an external SSO provider since that would limit the use of user-groups within individual spaces. Ideally I'd like a way to use the default confluence authenticator if the user has not previously logged on via LDAP and otherwise use the SSO authenticator.

Does anyone have any suggestions on this?

1 answer

Did you set a external user directory (LDAP) which contains the users which should authenticate? I think you will need to set the external directory in Confluence (and synchronize them) to be able to authenticate user from that directory using SSO.

Yes, the external user directory (AD) is set for use in authentication only, but the internal directory is used to determine whether a user exists and what group they belong to.

ie. The default confluence authenticator allows you to configure a combined user/group management solution in which Confluence Manages users and groups and AD (the external directory) is used for authentication only.

Internal with External Authentication vs Full External user/group managemen

Because this is a 3rd party SSO provider, I'm currently unsure whether their system is most appropriate for both group/user management as well as authentication and so was hoping to use the existing Internal Directory with the SSO service for authentication only until this is determined. The SSO provider and the Confluence Internal Directory both authenticate against AD.

I am also unsure how this will work in terms of making sure that new users are automatically added to the appropriate default user group in the SSO provider after beginning use of confluence for the first time and how easy it will be to migrate existing groups to the SSO service synced with AD while maintaining user/group memberships other user/group metadata from the existing Confluence Internal Directory.


* Is it possible to configure an SSO provider to only authenticate against AD while still copying users to the internal confluence directory and placing them in the appropriate default user group?

* If the above is not the best solution, what are the steps in migrating existing internal user metadata (groups etc) from the Internal Directory with LDAP Authentication to a new confluence User Directory?

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Mar 12, 2019 in Confluence

Confluence Admin Certification now $150 for Community Members

More and more people are building their careers with Atlassian, and we want you to be at the front of this wave! Important Dates Start the Certification Prep Course by 2 April 2019 Take your e...

1,208 views 2 13
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you