Confluence Shibboleth Authenticator

Dear experts,

we will implement a SSO between Active Directory and Confluence.

I found a set of plugins and tools:
- SSO Authenticators AppFusions (via kerberos)
- Waffle NTLM Filter
- Shibboleth

First I try the waffle NTLM filter which is only running in windows environment.
The filter sets the remote_user in http header, I write my own authenticator. The authenticator is running and i can now login via sso. But I found a set of problems. e.g. Press on Logout link always do a login again ... etc.

Therefore I tried shibboleth. I do all steps which are descriped here:https://studio.plugins.atlassian.com/wiki/display/SHBL/How+to+Shibbolize+Confluence

But always when I login, i get an Page Not found message!

My first question is:

In seraph-config.xml I defined the following parameters:
<init-param>
<param-name>login.url</param-name>
<param-value>http://wikiq.endress.com/Shibboleth.sso/Login?target=${originalurl}</param-value>
</init-param>

But I dont know how confluence can handle Shibboleth.sso, in my point of view I have to define this url anywhere!

Is it lika a servlet?

Can anybody tell me, how I can define a wiki.bla.bla/XYZ placeholder? For my waffle implemtation scenario it would be useful two, that I can implement different rules!

Best regards,

Timo

5 answers

If you need to integrate Confluence with Active Directory so it does SSO on any platform - we have it.

http://techtime.co.nz/x/AwCxAg

The NTLM Authenticator is delivered as a jar file and instructions how to deploy it to Atlassian Jira and/or Confluence to work in conjunction with IOPlex Jespa library to perform NLTM authentication in Windows environment.

The cost is one-off NZ$150 (plus fees for Jespa license payable to IOPlex).

TechTime NTLMv2/NTLMv1 authenticator supports Confluence 4.x as well as Jira 4.x. The authenticator works in Crowd environment as well as without Crowd.

We are always open to requests if some killer feature is missing.

Further question:

Is shibboleth only running with an IIS or Apache in front?

Timo,

In response to your "Press on Logout link always do a login again ... etc." issue, you can modify Confluence to use a different URL to logout that is not "guarded" by the authenticator. Ask that question separately as "how do I modify the logout URL in Confluence?" and search for related documentation. That has nothing to do with the Confluence Shibboleth Authenticator.

Shibboleth is an SSO solution that involves centralized IdP server(s) on different server(s) and a SP that runs on the server that is hosting the service to guard. If you aren't using Shibboleth for SSO, then all of the documentation in the Confluence Shibboleth Authenticator wiki will not make sense, and won't apply to you. If you were using Shibboleth, then you need to ask questions about its setup on the Shibboleth mailing list and look at its wiki, but it sounds like that wouldn't help.

To answer your last question, even though this won't help in getting you where you want to go, Shibboleth SP handles incoming requests first and assuming you authenticate via the Shibboleth IdP can pass off to Apache or Tomcat or whatever it is guarding. In our scenario, we have Shibboleth, then Apache, then Tomcat serving Confluence. But, Shibboleth could just as easily guard Tomcat directly if configured to do so. Again, if that were the concern, you'd ask on the Shibboleth mailing list and review their documentation.

But, your main question I think is "How do I setup an SSO such that Confluence can use Active Directory for authentication?" You should probably ask that question separately on answers.atlassian.com, but I think the answer would be the Confluence NTLM Authenticator, however you may need to vote here and add a comment to request to use WAFFLE to support NTLMv2/Kerberos (if that feature is not complete yet), or perhaps you could hire an Atlassian Partner or another senior Java developer to assist you in either adding this feature to this plugin, or forking the plugin and adding support for WAFFLE yourselves: https://studio.plugins.atlassian.com/browse/NTLM-48

However, if you were to need an authenticator that authenticates based on HTTP headers that pass in the username, email address, and display name, and that can use regexp matching and substitution on incoming HTTP headers to add users to groups, then the Confluence Shibboleth Authenticator can be used for that. Saying it is only for Shibboleth is actually wrong, at least up to this point in its development. Even Chad LaJoie that wrote the original version called it the remoteUserAuthenticator; Elliot Kendall added support for non-REMOTE_USER header for username, so now it should be called "HTTP Header Authenticator", I guess. :) I'm glad that you considered it in this case, however most of the documentation is related Shibboleth, and if you frame your questions in the context of "How do I get the Confluence Shibboleth Authenticator to work with Active Directory and not Shibboleth?" then most people will just ignore your question. Hope this helps.

Gary

Well a few comments -and lots of opinions.

One more for the pot!

If you believe Wikipedia (http://en.wikipedia.org/wiki/NTLM) that Microsoft doesn't even recommend NTLM anymore, and alot of cries from the field on NTLM pains.

... well that's all. Its your call.

This doc sorts out the different options at a more literal level, and it is OUR opinion that Kerberos is the right choice:

https://www.appfusions.com/display/KBRSCJ/NTLM+v1+or+v2+or+Kerberos

AppFusions has been deploying Kerberos authenticators with Confluence, JIRA, Crowd, and Fisheye with much success for a few months now. And happy to provide you with referrals to our customers.

We tried giving our Authenticator away in the beginning (and just provide support), but NO ONE could figure out the configs by themselves without endless free-only support questions to us, which was worse. We have a day job that pays us, and honestly this should too if we get you on your way happily, swiftly.

The questions were not b/c it was bad or didn't work; it was b/c a) its complicated, and b) there are many variables in the network with IIS, browser and OS deltas, forms, multiple AD directories, mobile users, etc...

So, now we offer a very reasonable "authenticator + service included deployment" and have had 100% success since.

Happy to help you - info@appfusions.com

Best,

Ellen

p.s.

imho: This is not an advertisement per se -

This area is just a serious pain pt, and customers can kill weeks trying to figure it out, or learn alongside us doing it for you; we share our knowledge with all customers in all our services, just as or team does on Answers.atlassian.com.

Suggest an answer

Log in or Sign up to answer
How to earn badges on the Atlassian Community

How to earn badges on the Atlassian Community

Badges are a great way to show off community activity, whether you’re a newbie or a Champion.

Learn more
Community showcase
Posted Tuesday in Uncategorized

Friday fun: how many celebrates Midsummer holiday or is this a Swedish tradition only?

Any other country that celebrates Midsummer holiday (this friday 22 June)?  

44 views 3 1
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you