
Warning in Logs After SAML SSO Login with Confluence Data Center 9.x

Issue

After upgrading to Confluence Data Center 9.x and using the SAML Single Sign-On for Confluence plugin (v6.14.3), the following warning may appear in the log during every SAML SSO login:

    WARN [http-nio-8090-exec-13] [confluence.impl.webapp.ConfluenceHttpHeaderSecurityFilter] lambda$reviseHeaders$1 Security header "Content-Security-Policy" value was tampered for URL /plugins/servlet/samlsso...

Cause

As of Confluence version 9.0, the built-in security filter ConfluenceHttpHeaderSecurityFilter checks whether HTTP security headers such as Content-Security-Policy (CSP) have been modified.

If a plugin or servlet adjusts these headers — even for valid and necessary reasons — Confluence logs a warning.

The SAML SSO plugin modifies the CSP header specifically for the URL /plugins/servlet/samlsso to enable correct SSO functionality.

Reference Documentation:

Resolution / Recommendation

So far, this warning can be safely ignored as long as SAML SSO functions correctly. It is caused by a known and acceptable header modification by the plugin.

Optional: Reduce Log Verbosity

To prevent this warning from cluttering the log, you can reduce the logging level for the affected class:

Class: com.atlassian.confluence.impl.webapp.ConfluenceHttpHeaderSecurityFilter
Level: ERROR

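Once this change is applied, the warning will no longer appear for each SAML SSO login. Because the level is set for the whole class, WARN-level messages from this filter are suppressed for every other URL as well, not only for /plugins/servlet/samlsso.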
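The following is an added example, not part of the vendor's article or the plugin. It is a log triage script that counts the expected warning for /plugins/servlet/samlsso and reports the same warning for any other header or URL, which is worth reviewing before the logger is lowered to ERROR. The log lines, timestamps, query string and the non-SSO URLs are constructed sample data; only the message format and the SSO path come from the warning quoted above.

```python
import re
from collections import Counter

# Message format taken from the warning quoted on this page.
TAMPER_RE = re.compile(
    r'ConfluenceHttpHeaderSecurityFilter\].*?'
    r'Security header "(?P<header>[^"]+)" value was tampered for URL (?P<url>\S+)')

# The only header/path pair this page documents as an expected source.
EXPECTED_HEADER = "Content-Security-Policy"
EXPECTED_PATH = "/plugins/servlet/samlsso"

def is_expected(header, url):
    """True only for the CSP header on the SAML SSO servlet or a sub-path of it."""
    path = url.split("?", 1)[0]
    on_sso = path == EXPECTED_PATH or path.startswith(EXPECTED_PATH + "/")
    return header == EXPECTED_HEADER and on_sso

def triage(lines):
    """Return (expected_count, unexpected); unexpected maps (header, url) -> hits."""
    expected, unexpected = 0, Counter()
    for line in lines:
        m = TAMPER_RE.search(line)
        if not m:
            continue  # unrelated log line
        if is_expected(m["header"], m["url"]):
            expected += 1
        else:
            unexpected[(m["header"], m["url"])] += 1
    return expected, unexpected

# Constructed sample input (not real log data).
_FMT = ('2025-01-10 09:14:02,113 WARN [http-nio-8090-exec-13] '
        '[confluence.impl.webapp.ConfluenceHttpHeaderSecurityFilter] '
        'lambda$reviseHeaders$1 Security header "{}" value was tampered for URL {}')
SAMPLE_LOG = [
    _FMT.format("Content-Security-Policy", "/plugins/servlet/samlsso?idp=1"),
    _FMT.format("Content-Security-Policy", "/plugins/servlet/samlsso"),
    _FMT.format("Content-Security-Policy", "/plugins/servlet/samlsso-other/page"),
    _FMT.format("X-Frame-Options", "/plugins/servlet/samlsso"),
    _FMT.format("Content-Security-Policy", "/pages/viewpage.action?pageId=123"),
    "2025-01-10 09:14:03,001 INFO [main] [some.other.Logger] unrelated message",
]

if __name__ == "__main__":
    ok, other = triage(SAMPLE_LOG)
    print(f"expected SAML SSO warnings: {ok}")
    for (header, url), n in other.most_common():
        print(f"REVIEW {n}x header={header} url={url}")
```

Any REVIEW line means a header was changed somewhere the page does not describe, and that entry would no longer be logged once the class is set to ERROR.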

Additional Notes

We are currently evaluating whether the plugin can suppress or handle this log entry programmatically in a future update.

Summary

So far, this warning does not require action unless SSO malfunctions. It may be ignored or silenced through logging configuration.