SAML Single Sign On is is tested with Confluence Data Center in the following environment.

Confluence-Nodes

The two Confluence-Nodes confluencedc01 and confluencedc02 are VMs running Debian 8 (Jessie) with Oracle Java version 1.8.0_66-b17.

The Confluence-version is 5.9.4, installed from the tgz-bundle.

The shared home-directory is shared using NFS.

server.xml is modified for the use behind a reverse proxy:

<Server port="8000" shutdown="SHUTDOWN" debug="0">
    <Service name="Tomcat-Standalone">
		<!-- proxyName, proxyPort and scheme must be configured -->
        <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
               	proxyName="confluencedc59.lab.inserve.local" 
                proxyPort="443" 
				scheme="https"
        		
				maxThreads="200" minSpareThreads="10"
                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol" />
        <Engine name="Standalone" defaultHost="localhost" debug="0">
            <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">
                <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
                    <!-- Logger is deprecated in Tomcat 5.5. Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
                    <Manager pathname="" />
                </Context>
            </Host>
        </Engine>
    </Service>
</Server>

Confluence is started and stopped using this systemd-configuration under /etc/systemd/system/confluence594.service:

[Unit] 
Description=Confluence 5.9.4
After=network.target

[Service] 
Type=simple
User=confluence
PIDFile=/opt/atlassian-confluence-5.9.4/confluence/work/catalina.pid
ExecStart=/opt/atlassian-confluence-5.9.4/bin/start-confluence.sh -fg
ExecStop=/opt/atlassian-confluence-5.9.4/bin/stop-confluence.sh

[Install] 
WantedBy=multi-user.target

Database

PostgreSQL 9.4.3 is used as database running on host postgres01, a VM running Debian 8 (Jessie)

Load Balancer/Reverse Proxy

Apache 2.4.10 is used as reverse proxy/load balancer. It also runs on host postgres01. HTTPS is terminated on the reverse proxy.

This is the virtual host configuration:

<VirtualHost *:443>
    ProxyRequests off

	#
	# confluence59.lab.inserve.local is set up as CNAME to postgres01 in the DNS
	#	 
    ServerName confluencedc59.lab.inserve.local

	#
	# Set a routeID-header. This is important to get sticky sessions: All requests from a client must
	# be served by the same Confluence node. 
	# Without this header, WebSudo is not wirking and the SAMLSSO-Plugin caused redirection-loops between the Confluence nodes. 
	# 
	Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED

    <Proxy balancer://confluencecluster>
       BalancerMember http://confluencedc01.lab.inserve.local:8090 route=confluencedc01
       BalancerMember http://confluencedc02.lab.inserve.local:8090 route=confluencedc02
     
       # Security "we aren't blocking anyone but this the place to make those changes
       Order Deny,Allow
       Deny from none
       Allow from all
    </Proxy>

    # Here's how to enable the load balancer's management UI if desired
        <Location /balancer-manager>
                SetHandler balancer-manager
                # You SHOULD CHANGE THIS to only allow trusted ips to use the manager 
                Order deny,allow
                Allow from all
        </Location>

    # Don't reverse-proxy requests to the management UI
    ProxyPass /balancer-manager !
    # Reverse proxy all other requests to the Confluence cluster
    ProxyPass / balancer://confluencecluster/ stickysession=ROUTEID    
    ProxyPassReverse / balancer://confluencecluster
   	ProxyPreserveHost on

    SSLProxyEngine    On

    SSLEngine on
    SSLCertificateFile /etc/ssl/localcerts/star.lab.inserve.local.pem
        SSLCertificateKeyFile /etc/ssl/localcerts/star.lab.inserve.local.key 
        SSLCertificateChainFile /etc/ssl/localcerts/labca.pem 
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>