Confluence Data Center

SAML Single Sign On is is tested with Confluence Data Center in the following environment.

Confluence-Nodes

The two Confluence-Nodes confluencedc01 and confluencedc02 are VMs running Debian 8 (Jessie) with Oracle Java version 1.8.0_66-b17.

The Confluence-version is 5.9.4, installed from the tgz-bundle.

The shared home-directory is shared using NFS.

server.xml is modified for the use behind a reverse proxy:

<Server port="8000" shutdown="SHUTDOWN" debug="0">
    <Service name="Tomcat-Standalone">
		<!-- proxyName, proxyPort and scheme must be configured -->
        <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
               	proxyName="confluencedc59.lab.inserve.local" 
                proxyPort="443" 
				scheme="https"
        		
				maxThreads="200" minSpareThreads="10"
                enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                protocol="org.apache.coyote.http11.Http11NioProtocol" />
        <Engine name="Standalone" defaultHost="localhost" debug="0">
            <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">
                <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
                    <!-- Logger is deprecated in Tomcat 5.5. Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
                    <Manager pathname="" />
                </Context>
            </Host>
        </Engine>
    </Service>
</Server>

CODE

Confluence is started and stopped using this systemd-configuration under /etc/systemd/system/confluence594.service:

[Unit] 
Description=Confluence 5.9.4
After=network.target

[Service] 
Type=simple
User=confluence
PIDFile=/opt/atlassian-confluence-5.9.4/confluence/work/catalina.pid
ExecStart=/opt/atlassian-confluence-5.9.4/bin/start-confluence.sh -fg
ExecStop=/opt/atlassian-confluence-5.9.4/bin/stop-confluence.sh

[Install] 
WantedBy=multi-user.target

CODE

Database

PostgreSQL 9.4.3 is used as database running on host postgres01, a VM running Debian 8 (Jessie)

Load Balancer/Reverse Proxy

Apache 2.4.10 is used as reverse proxy/load balancer. It also runs on host postgres01. HTTPS is terminated on the reverse proxy.

This is the virtual host configuration:

<VirtualHost *:443>
    ProxyRequests off

	#
	# confluence59.lab.inserve.local is set up as CNAME to postgres01 in the DNS
	#	 
    ServerName confluencedc59.lab.inserve.local

	#
	# Set a routeID-header. This is important to get sticky sessions: All requests from a client must
	# be served by the same Confluence node. 
	# Without this header, WebSudo is not wirking and the SAMLSSO-Plugin caused redirection-loops between the Confluence nodes. 
	# 
	Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED

    <Proxy balancer://confluencecluster>
       BalancerMember http://confluencedc01.lab.inserve.local:8090 route=confluencedc01
       BalancerMember http://confluencedc02.lab.inserve.local:8090 route=confluencedc02
     
       # Security "we aren't blocking anyone but this the place to make those changes
       Order Deny,Allow
       Deny from none
       Allow from all
    </Proxy>

    # Here's how to enable the load balancer's management UI if desired
        <Location /balancer-manager>
                SetHandler balancer-manager
                # You SHOULD CHANGE THIS to only allow trusted ips to use the manager 
                Order deny,allow
                Allow from all
        </Location>

    # Don't reverse-proxy requests to the management UI
    ProxyPass /balancer-manager !
    # Reverse proxy all other requests to the Confluence cluster
    ProxyPass / balancer://confluencecluster/ stickysession=ROUTEID    
    ProxyPassReverse / balancer://confluencecluster
   	ProxyPreserveHost on

    SSLProxyEngine    On

    SSLEngine on
    SSLCertificateFile /etc/ssl/localcerts/star.lab.inserve.local.pem
        SSLCertificateKeyFile /etc/ssl/localcerts/star.lab.inserve.local.key 
        SSLCertificateChainFile /etc/ssl/localcerts/labca.pem 
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

CODE

Confluence-Nodes

Database

Load Balancer/Reverse Proxy

SAML Single Sign-On is available for Atlassian Server & Atlassian Data Center products. Our Jira Data Center, Confluence Data Center, Bitbucket Data Center, Jira Server, Confluence Server, Bitbucket Server and other apps are all available on the Atlassian Marketplace.

SAML Single Sign-On is available for Atlassian Server & Atlassian Data Center products.

Our Jira Data Center, Confluence Data Center, Bitbucket Data Center, Jira Server, Confluence Server, Bitbucket Server and other apps are all available on the Atlassian Marketplace.