Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Self-managed confluence server and Okta SSO

Ben Freke
Ben Freke
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
April 16, 2019

Hello,

I'm trying to connect Okta to a self-managed Confluence server via SAML. 

I've followed the Okta Guide "How to Configure Confluence On-Premise SAML Application", and when I try to log in to Confluence I am re-directed to Okta SSO, but just-in-time user provisioning isn't working (i.e. it doesn't create the user) and I'm then directed back to the Confluence login screen. I've followed references from Enable user auto-provisioning and sync when SAML enabled e.g. the restricted domains function to no avail.

If I create a user with the same details, Confluence still won't work with Okta to sign that user in.

Does anyone have any ideas / documentation they can point me in the direction of? I've found lots but mostly for Atlassian Cloud which isn't very helpful in my situation. Another problematic piece of this is this site isn't and can't be public facing, so the Okta API which calls the Confluence server for user provisioning won't work here.

GitLab works great with JIT Provisioning and SAML! I'm sure Confluence must do. 

Thanks in advance.

Answer
Watch
Like Be the first to like this
2111 views

3 answers

Suggest an answer

Log in or Sign up to answer
0 votes
Ankit
Ankit
Atlassian Partner
April 17, 2019

Hi Ben,


As Okta's confluence connector doesn't provide just in time provisioning, the only way to create Okta's API. Additional issues in Okta's integration with confluence is that you have to create new files in Confluence(okta-config-confluence.xml) and change the existing Confluence files(seraph-config.xml) which requires a server restart.


I work for miniOrange and you can try our SSO solution for integrating Confluence Server with Okta: SAML SSO for Confluence. The app supports new user creation by default. It doesn't require any changes in Confluence files and no server restart is required. You can configure it seamlessly in few minutes by uploading Okta's metadata file.


Here's a link to the step by step guide you can use for complete SSO setup: SSO into Confluence using Okta as IDP. If you need any assistance with the setup, we can schedule a quick call with you to get the SSO working.

Thanks,
Ankit Ahuja

Reply
0 votes
Christian Reichert (resolution)
Christian Reichert (resolution)
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
April 16, 2019

Hi Ben,

if you can't use the OKTA API and have to use just in time Provisioning, then you need to look at a 3rd party App like ours.

While we can also use the API from OKTA to synchronize Users, we can also do that via attributes in the SAML message.

Here is our YouTube Tutorial that shows this setup: https://youtu.be/8VP-KF4m30M

As well as our Step-by-Step Guide: https://wiki.resolution.de/doc/saml-sso/latest/all/setup-guides-for-saml-sso/okta/okta-with-just-in-time-provisioning

To my knowledge the okta-jar file you are currently using does not support User creation without API & Atlassian's Data-Center SAML Implementation has no provisioning features at all.

You've certainly got more choice in the marketplace than just our app - this search should give you a comprehensive list: https://marketplace.atlassian.com/search?query=saml

Cheers,
    Christian

Full disclosure: I work for resolution GmbH, a Top Gold Marketplace Vendor

Reply
0 votes
Jon Espen Ingvaldsen Kantega SSO
Jon Espen Ingvaldsen Kantega SSO
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
April 16, 2019

Does the integration work for pre-existing users?

Make sure that Okta is setup to send user attributes as part of the SAML response. It can be that the users are not created because Atlassian Access does not have the necessary data to construct user records.

When you create a new SAML application in your Okta you find a section called Attribute statements. Have you filled out these fields?

I work for Kantega SSO, one of the marketplace vendors with on-prem SSO apps. Allthough there might be deviations from how to integrate with Atlassian Access, you can use our setup guides (describing Attribute statements) as inspiration: https://docs.kantega.no/display/KA/Okta


Hope you find a solution here.
Jon Espen
Kantega SSO


Reply
groups-icon
Data Center
TAGS
AUG Leaders

Atlassian Community Events

    See all events