Use single sign-on (SSO) authentication for Atlassian Confluence

Enterprise Application Access (EAA) Cloud supports single sign-on (SSO) to Atlassian applications, such as Confluence, using custom header insertion. This lets you access the Atlassian application through the EAA Cloud service without having to authenticate to that application again.

Before you begin

The Confluence application must be running and integrated into your Active Directory or OpenLDAP server.

You can use your Active Directory (AD) or OpenLDAP server to authenticate all end users and give them immediate access to applications secured through EAA Cloud. This integration sends the X-forwarded-for custom headers to an application for SSO.

How to

  1. Download the latest version of the HTTP Authenticator for Confluence.
  2. Copy the downloaded remoteUserAuth-2.5.0.jar file to the following location in your Confluence installation:
    • For Linux: /usr/local/confluence/confluence/WEB-INF/lib
    • For Windows: Users/C:/Program Files/confluence/confluence/WEB-INF/lib
    Note: The version number in this example is 2.5.0. You may have a different, later version number when you download the file.
  3. Download the remoteUserAuthenticator.properties text file from GitHub confluence_http_authenticator.
  4. Move the remoteUserAuthenticator.properties file to your Confluence installation:
    • For Linux: /usr/local/confluence/confluence/WEB-INF/classes
    • For Windows: Users/C:/Program Files/confluence/confluence/WEB-INF/classes
  5. Edit the remoteUserAuthenticator.properties file with administrative privileges and change the following lines to send remote headers for SSO:
    • Change header.remote_user=REMOTE_USER to header.remote_user=user_name
    • Comment out the header.email=CONF_EMAIL line so that it reads #header.email=CONF_EMAIL
    • Comment out the header.fullname=CONF_FULLNAME line so that it reads #header.fullname=CONF_FULLNAME
  6. Save the file. The relevant section of the edited file looks like this:
    #semicolon-delimited list.
    #
    # Note: if fullname mapping is used (see below) then it will try
    # using that first to get the full name using this header.
    #
    # Each supports a strategy to get this value. All default to 0.
    # Strategy codes mean the following:
    # 0 - Try request.getAttribute then request.getHeader
    # 1 - Use request.getAttribute
    # 2 - Use request.getHeader
    header.remote_user=user_name
    #header.remote_user.strategy=0
    #header.email=CONF_EMAIL
    #header.email.strategy=0
    #header.fullname=CONF_FULLNAME
    #header.fullname.strategy=0
    #
  7. Edit the seraph-config.xml file in your Confluence installation, located at /usr/local/confluence/confluence/WEB-INF/classes/seraph-config.xml, and change the following line:

    Replace <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/> with:

    <authenticator class="shibauth.confluence.authentication.shibboleth.RemoteUserAuthenticator"/>

  8. Save the file and restart the EAA Confluence application.
  9. Configure the Enterprise Application Access (EAA) application.
    1. Click Settings on the Confluence application that you configured in EAA.
    2. Click ADVANCED SETTINGS at the top.
    3. Scroll to the Custom HTTP headers section.
    4. Enter user_name in the Header Name field and select user from the Attribute field.
    5. Click Save and go to Deployment.

Next steps

For the changes to go into effect, deploy the application.
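
A check for the edits made in steps 5 and 7 of the procedure above, as an added example that is not part of the original page or of the authenticator project: it reports any deviation in the two files. The function names and the sample file contents are constructed for illustration; pass the WEB-INF/classes directory as the argument to check a real installation.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

EXPECTED_HEADER = "user_name"  # header name set in step 5 and sent by EAA in step 9
EXPECTED_CLASS = "shibauth.confluence.authentication.shibboleth.RemoteUserAuthenticator"

# Constructed samples, used when no directory is given on the command line.
SAMPLE_PROPS = "header.remote_user=user_name\n#header.email=CONF_EMAIL\n#header.fullname=CONF_FULLNAME\n"
SAMPLE_SERAPH = ('<security-config>\n'
                 '<!-- <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/> -->\n'
                 '<authenticator class="%s"/>\n</security-config>' % EXPECTED_CLASS)


def active_properties(text):
    """Return key -> value for every uncommented key=value line."""
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep and not k.startswith(("#", "!"))}


def check_properties(text):
    """List deviations from step 5 in remoteUserAuthenticator.properties."""
    props = active_properties(text)
    problems = []
    if props.get("header.remote_user") != EXPECTED_HEADER:
        problems.append("header.remote_user is %r, expected %r"
                        % (props.get("header.remote_user"), EXPECTED_HEADER))
    problems += ["%s is still active; comment it out" % key
                 for key in ("header.email", "header.fullname") if key in props]
    return problems


def check_seraph(xml_text):
    """List deviations from step 7 in seraph-config.xml; XML comments are ignored."""
    classes = [el.get("class") for el in ET.fromstring(xml_text).iter("authenticator")]
    if classes != [EXPECTED_CLASS]:
        return ["authenticator classes are %r, expected only %r" % (classes, EXPECTED_CLASS)]
    return []


if __name__ == "__main__":
    props_text, seraph_text = SAMPLE_PROPS, SAMPLE_SERAPH
    if len(sys.argv) > 1:  # path to WEB-INF/classes
        props_text = Path(sys.argv[1], "remoteUserAuthenticator.properties").read_text()
        seraph_text = Path(sys.argv[1], "seraph-config.xml").read_bytes()
    problems = check_properties(props_text) + check_seraph(seraph_text)
    sys.exit("\n".join(problems) if problems else 0)
```

The script exits with status 0 when both files match the procedure and prints each deviation with a non-zero status otherwise.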