Important Update Effective February 1, 2024!
Due to recent changes in Jira and Confluence, we've made the tough decision to discontinue the OpenID Connect (OIDC)/OAuth app and no longer provide new versions for the newest Jira/Confluence releases as of January 31, 2024.
This is due to some necessary components no longer shipping with Jira/Confluence, which would require some extensive rewrites of the OIDC App.
Confluence Data Center
SAML Single Sign On is is tested with Confluence Data Center in the following environment.
Confluence-Nodes
The two Confluence-Nodes confluencedc01
and confluencedc02
are VMs running Debian 8 (Jessie) with Oracle Java version 1.8.0_66-b17.
The Confluence-version is 5.9.4, installed from the tgz-bundle.
The shared home-directory is shared using NFS.
server.xml is modified for the use behind a reverse proxy:
<Server port="8000" shutdown="SHUTDOWN" debug="0">
<Service name="Tomcat-Standalone">
<!-- proxyName, proxyPort and scheme must be configured -->
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
proxyName="confluencedc59.lab.inserve.local"
proxyPort="443"
scheme="https"
maxThreads="200" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol" />
<Engine name="Standalone" defaultHost="localhost" debug="0">
<Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">
<Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
<!-- Logger is deprecated in Tomcat 5.5. Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
<Manager pathname="" />
</Context>
</Host>
</Engine>
</Service>
</Server>
Confluence is started and stopped using this systemd-configuration under /etc/systemd/system/confluence594.service:
[Unit]
Description=Confluence 5.9.4
After=network.target
[Service]
Type=simple
User=confluence
PIDFile=/opt/atlassian-confluence-5.9.4/confluence/work/catalina.pid
ExecStart=/opt/atlassian-confluence-5.9.4/bin/start-confluence.sh -fg
ExecStop=/opt/atlassian-confluence-5.9.4/bin/stop-confluence.sh
[Install]
WantedBy=multi-user.target
Database
PostgreSQL 9.4.3 is used as database running on host postgres01
, a VM running Debian 8 (Jessie)
Load Balancer/Reverse Proxy
Apache 2.4.10 is used as reverse proxy/load balancer. It also runs on host postgres01
. HTTPS is terminated on the reverse proxy.
This is the virtual host configuration:
<VirtualHost *:443>
ProxyRequests off
#
# confluence59.lab.inserve.local is set up as CNAME to postgres01 in the DNS
#
ServerName confluencedc59.lab.inserve.local
#
# Set a routeID-header. This is important to get sticky sessions: All requests from a client must
# be served by the same Confluence node.
# Without this header, WebSudo is not wirking and the SAMLSSO-Plugin caused redirection-loops between the Confluence nodes.
#
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
<Proxy balancer://confluencecluster>
BalancerMember http://confluencedc01.lab.inserve.local:8090 route=confluencedc01
BalancerMember http://confluencedc02.lab.inserve.local:8090 route=confluencedc02
# Security "we aren't blocking anyone but this the place to make those changes
Order Deny,Allow
Deny from none
Allow from all
</Proxy>
# Here's how to enable the load balancer's management UI if desired
<Location /balancer-manager>
SetHandler balancer-manager
# You SHOULD CHANGE THIS to only allow trusted ips to use the manager
Order deny,allow
Allow from all
</Location>
# Don't reverse-proxy requests to the management UI
ProxyPass /balancer-manager !
# Reverse proxy all other requests to the Confluence cluster
ProxyPass / balancer://confluencecluster/ stickysession=ROUTEID
ProxyPassReverse / balancer://confluencecluster
ProxyPreserveHost on
SSLProxyEngine On
SSLEngine on
SSLCertificateFile /etc/ssl/localcerts/star.lab.inserve.local.pem
SSLCertificateKeyFile /etc/ssl/localcerts/star.lab.inserve.local.key
SSLCertificateChainFile /etc/ssl/localcerts/labca.pem
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>