SAML Single Sign On is tested with Confluence Data Center in the following environment.

The two Confluence nodes confluencedc01 and confluencedc02 are VMs running Debian 8 (Jessie) with Oracle Java version 1.8.0_66-b17.

The Confluence version is 5.9.4, installed from the tgz bundle.

The shared home directory is exported via NFS.

server.xml is modified for the use behind a reverse proxy:

<Server port="8000" shutdown="SHUTDOWN" debug="0">
    <Service name="Tomcat-Standalone">
        <!-- proxyName, proxyPort and scheme must be configured so that Confluence builds
             redirects and SAML URLs from the address the browser uses (the reverse proxy)
             and not from the node's own host name and port 8090. The values below are the
             ServerName and port of the Apache virtual host. -->
        <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
                   maxThreads="200" minSpareThreads="10"
                   enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                   protocol="org.apache.coyote.http11.Http11NioProtocol"
                   proxyName="confluencedc59.lab.inserve.local" proxyPort="443" scheme="https" />
        <Engine name="Standalone" defaultHost="localhost" debug="0">
            <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">
                <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
                    <!-- Logger is deprecated in Tomcat 5.5. Logging configuration for Confluence is specified in confluence/WEB-INF/classes/ -->
                    <Manager pathname="" />
                </Context>
            </Host>
        </Engine>
    </Service>
</Server>
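A small check that a server.xml actually carries the proxy attributes the comment in the snippet above calls for. This is an added example written for this page, not code from Atlassian or from the original page; the embedded server.xml is a constructed copy of the snippet above with proxyName, proxyPort and scheme set to the name and port of the Apache virtual host described further down, and the function names are my own.

```python
"""Verify that a Confluence server.xml is set up for use behind an HTTPS reverse proxy.
Added example for this page; the sample XML below is constructed from the page's snippet."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's server.xml, with the three proxy attributes
# set to the reverse proxy's ServerName and port (HTTPS is terminated on the proxy).
SERVER_XML = """<Server port="8000" shutdown="SHUTDOWN" debug="0">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
               maxThreads="200" minSpareThreads="10"
               enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               proxyName="confluencedc59.lab.inserve.local" proxyPort="443" scheme="https"/>
    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">
        <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
          <Manager pathname=""/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def check_server_xml(xml_text, expected_host, expected_port="443", expected_scheme="https"):
    """Return a list of findings; an empty list means the Connector and Context match
    the reverse-proxy deployment (proxy host/port/scheme and an HttpOnly session cookie)."""
    root = ET.fromstring(xml_text)
    findings = []
    connectors = root.findall("./Service/Connector")
    if not connectors:
        return ["no Connector element found"]
    for conn in connectors:
        port = conn.get("port")
        # Without these, Tomcat derives redirect and SAML endpoint URLs from the
        # node's own host name and port 8090 instead of the address the browser used.
        if conn.get("proxyName") != expected_host:
            findings.append(f"Connector {port}: proxyName should be {expected_host!r}, "
                            f"got {conn.get('proxyName')!r}")
        if conn.get("proxyPort") != expected_port:
            findings.append(f"Connector {port}: proxyPort should be {expected_port!r}, "
                            f"got {conn.get('proxyPort')!r}")
        if conn.get("scheme") != expected_scheme:
            findings.append(f"Connector {port}: scheme should be {expected_scheme!r}, "
                            f"got {conn.get('scheme')!r}")
    for ctx in root.iter("Context"):
        # useHttpOnly keeps JSESSIONID out of reach of page scripts
        if ctx.get("useHttpOnly", "false").lower() != "true":
            findings.append("Context: useHttpOnly should be true")
    return findings


if __name__ == "__main__":
    for finding in check_server_xml(SERVER_XML, "confluencedc59.lab.inserve.local") or ["ok"]:
        print(finding)
```

Run it against a real file with `check_server_xml(open(path).read(), "<proxy host name>")`; each finding names the Connector port so multi-connector files stay readable.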

Confluence is started and stopped with this systemd unit, /etc/systemd/system/confluence594.service:

[Unit]
Description=Confluence 5.9.4

[Service]
ExecStart=/opt/atlassian-confluence-5.9.4/bin/ -fg

PostgreSQL 9.4.3 is used as the database. It runs on host postgres01, a VM running Debian 8 (Jessie).

Load Balancer/Reverse Proxy

Apache 2.4.10 is used as reverse proxy and load balancer; it also runs on host postgres01. HTTPS is terminated on the reverse proxy.

This is the virtual host configuration:

<VirtualHost *:443>
    ProxyRequests off

    # confluence59.lab.inserve.local is set up as CNAME to postgres01 in the DNS
    ServerName confluencedc59.lab.inserve.local

    # Set a ROUTEID cookie that names the balancer member which served the first request.
    # This is important to get sticky sessions: all requests from a client must be served
    # by the same Confluence node. Without this cookie, WebSudo is not working and the
    # SAMLSSO plugin caused redirection loops between the Confluence nodes.
    # The directive is the form documented for mod_proxy_balancer (needs mod_headers);
    # Secure and HttpOnly are added because this host only speaks HTTPS.
    Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/; Secure; HttpOnly" env=BALANCER_ROUTE_CHANGED

    <Proxy balancer://confluencecluster>
        BalancerMember http://confluencedc01.lab.inserve.local:8090 route=confluencedc01
        BalancerMember http://confluencedc02.lab.inserve.local:8090 route=confluencedc02
        # Security: we aren't blocking anyone, but this is the place to make those changes
        Order Deny,Allow
        Deny from none
        Allow from all
    </Proxy>

    # Here's how to enable the load balancer's management UI if desired
    <Location /balancer-manager>
        SetHandler balancer-manager
        # You SHOULD CHANGE THIS to only allow trusted IPs to use the manager
        Order deny,allow
        Allow from all
    </Location>

    # Don't reverse-proxy requests to the management UI
    ProxyPass /balancer-manager !
    # Reverse proxy all other requests to the Confluence cluster; the route named in the
    # ROUTEID cookie selects the member
    ProxyPass / balancer://confluencecluster/ stickysession=ROUTEID
    ProxyPassReverse / balancer://confluencecluster/
    ProxyPreserveHost on

    SSLProxyEngine On

    SSLEngine on
    SSLCertificateFile /etc/ssl/localcerts/star.lab.inserve.local.pem
    SSLCertificateKeyFile /etc/ssl/localcerts/star.lab.inserve.local.key
    SSLCertificateChainFile /etc/ssl/localcerts/labca.pem
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
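The comment in the virtual host explains that without sticky sessions the SAML SSO plugin looped between the two nodes. The following added Python model (written for this page, not Apache, Atlassian or plugin code) reproduces that behaviour: a balancer that honours a ROUTEID cookie the way `stickysession=ROUTEID` does, two nodes that each keep their own in-flight SAML request IDs, and a login flow whose IdP response must come back to the node that issued the request. Member names and URLs are the ones from the virtual host; the class and function names, and the simplified node behaviour, are my own assumptions.

```python
"""Model of mod_proxy_balancer sticky sessions (stickysession=ROUTEID) and of why a
SAML login on a two-node cluster loops without them. Added example for this page;
it is not Apache, Atlassian or plugin code, and node behaviour is simplified."""
import itertools
from http.cookies import SimpleCookie

# The two BalancerMembers from the virtual host, keyed by their route= name
MEMBERS = {
    "confluencedc01": "http://confluencedc01.lab.inserve.local:8090",
    "confluencedc02": "http://confluencedc02.lab.inserve.local:8090",
}


class Balancer:
    """Chooses a member for each request.

    With sticky=True a ROUTEID cookie pins the client to the member named in the
    cookie (what 'ProxyPass ... stickysession=ROUTEID' does); without a usable
    cookie, or with sticky=False, requests are spread round-robin."""

    def __init__(self, sticky):
        self.sticky = sticky
        self._round_robin = itertools.cycle(sorted(MEMBERS))

    def route(self, cookie_header):
        cookies = SimpleCookie(cookie_header or "")
        if self.sticky and "ROUTEID" in cookies:
            # mod_proxy_balancer takes the text after the last '.' as the route name,
            # which is why the proxy sets the cookie value as ".<route>"
            route = cookies["ROUTEID"].value.rpartition(".")[2]
            if route in MEMBERS:
                return route
        return next(self._round_robin)


class Node:
    """One Confluence node. The state of an in-flight SAML login (the ID of the
    AuthnRequest it sent to the IdP) lives only in this node's memory."""

    def __init__(self, name):
        self.name = name
        self._ids = itertools.count(1)
        self.pending = set()

    def start_login(self):
        request_id = f"{self.name}-req-{next(self._ids)}"
        self.pending.add(request_id)
        return request_id

    def consume_response(self, in_response_to):
        # A node that never issued the AuthnRequest cannot match the response and
        # starts a fresh login; when that keeps happening it is the redirect loop
        if in_response_to in self.pending:
            self.pending.remove(in_response_to)
            return True
        return False


def saml_login(sticky, max_attempts=5):
    """Return the number of attempts until the SAML response is accepted, or None
    if every attempt lands on a node that did not start the login."""
    balancer = Balancer(sticky)
    nodes = {name: Node(name) for name in MEMBERS}
    cookie = ""
    for attempt in range(1, max_attempts + 1):
        # 1. Browser requests a page; the serving node redirects it to the IdP
        first = balancer.route(cookie)
        request_id = nodes[first].start_login()
        if sticky:
            # the proxy answers with Set-Cookie: ROUTEID=.<route>, which the browser keeps
            cookie = f"ROUTEID=.{first}"
        # 2. The IdP posts the SAML response back through the proxy
        second = balancer.route(cookie)
        if nodes[second].consume_response(request_id):
            return attempt
    return None


if __name__ == "__main__":
    print("sticky sessions:", saml_login(sticky=True))
    print("round-robin only:", saml_login(sticky=False))
```

With sticky sessions the response reaches the issuing node on the first attempt; with plain round-robin the two requests of every attempt land on different nodes and the login never completes, which is the loop the comment describes. The same dependency applies to WebSudo, whose elevated state is also per node.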