Confluence Data Center
SAML Single Sign On is tested with Confluence Data Center in the following environment.
Confluence-Nodes
The two Confluence-Nodes confluencedc01 and confluencedc02 are VMs running Debian 8 (Jessie) with Oracle Java version 1.8.0_66-b17.
The Confluence-version is 5.9.4, installed from the tgz-bundle.
The shared home-directory is shared using NFS.
server.xml is modified for the use behind a reverse proxy:
    <Server port="8000" shutdown="SHUTDOWN" debug="0">
      <Service name="Tomcat-Standalone">
        <!-- proxyName, proxyPort and scheme must be configured -->
        <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
                   proxyName="confluencedc59.lab.inserve.local"
                   proxyPort="443"
                   scheme="https"
                   maxThreads="200" minSpareThreads="10"
                   enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
                   protocol="org.apache.coyote.http11.Http11NioProtocol" />
        <Engine name="Standalone" defaultHost="localhost" debug="0">
          <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">
            <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
              <!-- Logger is deprecated in Tomcat 5.5. Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
              <Manager pathname="" />
            </Context>
          </Host>
        </Engine>
      </Service>
    </Server>
 
Confluence is started and stopped using this systemd-configuration under /etc/systemd/system/confluence594.service:
    [Unit]
    Description=Confluence 5.9.4
    After=network.target

    [Service]
    Type=simple
    User=confluence
    PIDFile=/opt/atlassian-confluence-5.9.4/confluence/work/catalina.pid
    ExecStart=/opt/atlassian-confluence-5.9.4/bin/start-confluence.sh -fg
    ExecStop=/opt/atlassian-confluence-5.9.4/bin/stop-confluence.sh

    [Install]
    WantedBy=multi-user.target
 
Database
PostgreSQL 9.4.3 is used as the database. It runs on host postgres01, a VM running Debian 8 (Jessie).
Load Balancer/Reverse Proxy
Apache 2.4.10 is used as reverse proxy/load balancer. It also runs on host postgres01. HTTPS is terminated on the reverse proxy.
This is the virtual host configuration:
    <VirtualHost *:443>
      ProxyRequests off
      #
      # confluencedc59.lab.inserve.local is set up as CNAME to postgres01 in the DNS
      #
      ServerName confluencedc59.lab.inserve.local
      #
      # Set a routeID-header. This is important to get sticky sessions: All requests from a client must
      # be served by the same Confluence node.
      # Without this header, WebSudo is not working and the SAMLSSO-Plugin caused redirection-loops between the Confluence nodes.
      #
      Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
      <Proxy balancer://confluencecluster>
        BalancerMember http://confluencedc01.lab.inserve.local:8090 route=confluencedc01
        BalancerMember http://confluencedc02.lab.inserve.local:8090 route=confluencedc02
        # Security: we aren't blocking anyone, but this is the place to make those changes
        Order Deny,Allow
        Deny from none
        Allow from all
      </Proxy>
      # Here's how to enable the load balancer's management UI if desired
      <Location /balancer-manager>
        SetHandler balancer-manager
        # You SHOULD CHANGE THIS to only allow trusted ips to use the manager
        Order deny,allow
        Allow from all
      </Location>
      # Don't reverse-proxy requests to the management UI
      ProxyPass /balancer-manager !
      # Reverse proxy all other requests to the Confluence cluster
      ProxyPass / balancer://confluencecluster/ stickysession=ROUTEID
      ProxyPassReverse / balancer://confluencecluster
      ProxyPreserveHost on
      SSLProxyEngine On
      SSLEngine on
      SSLCertificateFile /etc/ssl/localcerts/star.lab.inserve.local.pem
      SSLCertificateKeyFile /etc/ssl/localcerts/star.lab.inserve.local.key
      SSLCertificateChainFile /etc/ssl/localcerts/labca.pem
      ErrorLog ${APACHE_LOG_DIR}/error.log
      CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
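The comment on the Set-Cookie header explains why the ROUTEID cookie matters: the SAML login is a sequence of redirects, and if consecutive requests from one browser land on different nodes the exchange never completes. The Python model below is an added example (not part of the original page and not Apache's code) that reproduces the behaviour of `stickysession=ROUTEID`: a new client is assigned a member round-robin and receives `ROUTEID=.<route>`, and every later request carrying that cookie is sent to the member with the matching `route=`. The member list is taken from the virtual host above; the cookie jar and request loop are constructed for the simulation, and the second scenario models the "without this header" case from the comment, where the client never receives the cookie.

```python
"""Model of mod_proxy_balancer sticky routing as configured on the page.

Added example, not part of the original page and not Apache's own code. The
members and cookie name come from the virtual host above; the request loop and
cookie jar are constructed to illustrate the mechanism.
"""
import itertools

# BalancerMember route=... -> backend URL, as in the page's <Proxy balancer://confluencecluster>.
MEMBERS = {
    "confluencedc01": "http://confluencedc01.lab.inserve.local:8090",
    "confluencedc02": "http://confluencedc02.lab.inserve.local:8090",
}


class StickyBalancer:
    """Route requests by the ROUTEID cookie; the route is the part after the first '.'."""

    def __init__(self, members, cookie_name="ROUTEID"):
        self.members = dict(members)
        self.cookie_name = cookie_name
        self._round_robin = itertools.cycle(self.members)  # member selection for new clients

    def route(self, cookies):
        """Return (route, backend_url, set_cookie_header). set_cookie_header is
        None when the client already carries a valid ROUTEID (BALANCER_ROUTE_CHANGED
        is not set, so the Header directive above does nothing)."""
        value = cookies.get(self.cookie_name, "")
        route = value.split(".", 1)[1] if "." in value else None
        if route in self.members:
            return route, self.members[route], None
        # Unknown or missing route: pick a member and tell the client which one.
        route = next(self._round_robin)
        return route, self.members[route], f"{self.cookie_name}=.{route}; path=/"


def simulate_client(balancer, n_requests, cookie_header_sent=True):
    """One browser making n_requests; returns the list of routes that served them.

    cookie_header_sent=False models the page's "without this header" case: the
    Set-Cookie header is never emitted, so the client is new on every request and
    the round-robin alternates between the nodes."""
    jar = {}
    served = []
    for _ in range(n_requests):
        route, _url, set_cookie = balancer.route(jar)
        served.append(route)
        if cookie_header_sent and set_cookie:
            name, value = set_cookie.split(";", 1)[0].split("=", 1)
            jar[name] = value
    return served


if __name__ == "__main__":
    print("sticky:    ", simulate_client(StickyBalancer(MEMBERS), 4))
    print("non-sticky:", simulate_client(StickyBalancer(MEMBERS), 4, cookie_header_sent=False))
```

The sticky run returns the same node four times; the non-sticky run alternates between the two nodes, which is the pattern behind the redirection loops the comment describes. A cookie with an unknown route value (for instance after a node is removed from the member list) is treated like a missing cookie and the client is re-assigned.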
 
