This page describes the redirecting process of the SAML Single Sign On for Data Center plugin on a Confluence example page.

To follow and reproduce this points, please activate the redirection for your plugin and enable detailed logging for the plugin : Troubleshooting

1 ) Forced redirection to the SAML Single Sign On Servlet

A not authenticated user accesses a Confluence Data Center internal page :

The user will be catched from the plugin and redirected to the SAML Single Sign On Servlet. The original destination page is attached as redirectTo Parameter to the URL :

Debug Log:

DEBUG [http-nio-8443-exec-16] [atlasplugins.samlsso.servlet.RedirectToSsoFilter] doFilter Redirecting to
DEBUG [http-nio-8443-exec-1] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromClient Original url is /pages/viewpage.action?spaceKey=TEST&title=TESTPAGE

2 ) Redirection to the Identity Provider

The SAML SSO for Atlassian Data Center plugin creates the SAML Request and redirects the user to the Identity Provider.

The destination URL consists of the IdP POST Binding URL + SAMLRequest + RelayState :

Debug Log:

DEBUG [http-nio-8443-exec-1] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromClient Redirecting to:

3 ) Redirection back to the SAML Single Sign On Servlet

The Identity Provider redirects the users back to the SAML Single Sign On Servlet:

The SAMLResponse from the Identity Provider contains the RelayState Parameter, which you can check in the Debug Log:

DEBUG [http-nio-8443-exec-6] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromIdP RelayState parameter is /pages/viewpage.action?spaceKey=TEST&title=TESTPAGE

4 ) Redirection to the original destination page

After the user authentication in Confluence, the plugin is now using the RelayState, to redirect the user correctly to the original destination page:

Debug Log:

DEBUG [http-nio-8443-exec-6] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromIdP Redirecting to