It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

connecting conflunce to AZure for Single sign on -SSO- ?

Hello,

I have confluence on-prem installation, I have two user storage types the first is confluence internal storage for group 'A' and the second is On-prem active directory for group 'B'.

I wanted to connect those from group 'B' who uses the on-prem active directory for authentication to start using SSO and authenticating against Azure active directory. Azure sends the email as a user ID but the user Id in the on-prem active directory is different  -something like user1,user500 and so on-, what should I do if want to get this done and connect my confluence group 'B' users to use Azure as an identity provider with their emails rather than the 'user1,user500' ID?

Note that when connecting confluence to azure and try to log in it says "User is not available in Confluence. Please contact your Confluence admin."


my second question is, when connecting confluence to my Azure AD then what is normal to do is disconnecting confluence from the on-prem active directory as there is no need for it, is that right?  and this should not make problems?

Regards.

1 answer

If you want to retain the ability to authenticate with password against your internal AD directory and/or your server is not actually moving to the cloud i.e. the connection to the on-prem AD could remain, you can just change the username attribute in your on-prem user directory schema setting to load "mail" rather than sAMAccountName (or more correctly userPrincipalName, assuming all users in your AD have it).

Confluence AD integration should handle this as a mass rename of users. Do test it first! And make backups! Immediately after the sync your users should be able to login with the email and AD password.

Azure-AD (if it has it for the user!), can easily send sAMAccountName as the user attribute. If Azure-AD is created as sync from your local AD - it will have it (look for onPremisesSamAccountName?). However if you have any users in your Azure-AD that are not coming from your on-prem AD, indeed using email or more correctly userPrincipalName is better.

If your server is in fact getting disconnected from your on-prem AD, or your on-prem user directory is not of delegating authentication type but "Connector" i.e. one that synchronises with AD regularly you need to move (or rather, copy) your users out first, probably to the Internal Directory. You can use Bulk User Actions from our UserManagement for Confluence, even if on evaluation license for a one off migration (do consider leaving a review on Marketplace, please!)

To rename the users in bulk (unfortunately we don't yet support this in UserManagement) you can also write a script and run it with Adaptavist ScriptRunner. Feel free to reach to our support via our website (email is at the bottom, so is a web chat) - if you want a sample script shared.

Out of curiosity, what SAML SSO app are you using to connect your Confluence to Azure-AD? For full disclosure, we are the makers of EasySSO for Confluence, the SSO app that gives you 5 different authenticators, including SAML.

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Posted in Confluence

Lessons and Learnings: Six Months of Working Remote [Discussion]

Hey there, folks! For most of us, the past six months- yes, you read that right- have been a journey. More people than ever before have pivoted to working remotely, and navigating being on-scre...

4,118 views 4 6
Join discussion

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you