Confluence Data Center
SAML Single Sign On is tested with Confluence Data Center in the following environment.
Confluence-Nodes
The two Confluence nodes, confluencedc01 and confluencedc02, are VMs running Debian 8 (Jessie) with Oracle Java version 1.8.0_66-b17.
The Confluence version is 5.9.4, installed from the tgz bundle.
The shared home directory is shared using NFS.
server.xml is modified for use behind a reverse proxy:
<Server port="8000" shutdown="SHUTDOWN" debug="0">
  <Service name="Tomcat-Standalone">
    <!-- proxyName, proxyPort and scheme must be configured -->
    <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
               proxyName="confluencedc59.lab.inserve.local"
               proxyPort="443"
               scheme="https"
               maxThreads="200" minSpareThreads="10"
               enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
               protocol="org.apache.coyote.http11.Http11NioProtocol" />
    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">
        <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
          <!-- Logger is deprecated in Tomcat 5.5. Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
          <Manager pathname="" />
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
Confluence is started and stopped using this systemd unit at /etc/systemd/system/confluence594.service:
[Unit]
Description=Confluence 5.9.4
After=network.target
[Service]
Type=simple
User=confluence
PIDFile=/opt/atlassian-confluence-5.9.4/confluence/work/catalina.pid
ExecStart=/opt/atlassian-confluence-5.9.4/bin/start-confluence.sh -fg
ExecStop=/opt/atlassian-confluence-5.9.4/bin/stop-confluence.sh
[Install]
WantedBy=multi-user.target
Database
PostgreSQL 9.4.3 is used as the database, running on host postgres01, a VM running Debian 8 (Jessie).
Load Balancer/Reverse Proxy
Apache 2.4.10 is used as reverse proxy/load balancer. It also runs on host postgres01. HTTPS is terminated on the reverse proxy.
This is the virtual host configuration:
<VirtualHost *:443>
    ProxyRequests off
    #
    # confluencedc59.lab.inserve.local is set up as a CNAME to postgres01 in the DNS
    #
    ServerName confluencedc59.lab.inserve.local
    #
    # Set a ROUTEID cookie. This is important to get sticky sessions: all requests from a client must
    # be served by the same Confluence node.
    # Without this cookie, WebSudo does not work and the SAML SSO plugin causes redirection loops between the Confluence nodes.
    #
    Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
    <Proxy balancer://confluencecluster>
        BalancerMember http://confluencedc01.lab.inserve.local:8090 route=confluencedc01
        BalancerMember http://confluencedc02.lab.inserve.local:8090 route=confluencedc02
        # Security: we aren't blocking anyone, but this is the place to make those changes
        Order Deny,Allow
        Deny from none
        Allow from all
    </Proxy>
    # Here's how to enable the load balancer's management UI if desired
    <Location /balancer-manager>
        SetHandler balancer-manager
        # You SHOULD CHANGE THIS to only allow trusted IPs to use the manager
        Order deny,allow
        Allow from all
    </Location>
    # Don't reverse-proxy requests to the management UI
    ProxyPass /balancer-manager !
    # Reverse proxy all other requests to the Confluence cluster
    ProxyPass / balancer://confluencecluster/ stickysession=ROUTEID
    ProxyPassReverse / balancer://confluencecluster
    ProxyPreserveHost on
    SSLProxyEngine On
    SSLEngine on
    SSLCertificateFile /etc/ssl/localcerts/star.lab.inserve.local.pem
    SSLCertificateKeyFile /etc/ssl/localcerts/star.lab.inserve.local.key
    SSLCertificateChainFile /etc/ssl/localcerts/labca.pem
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>