This page describes the redirecting process of the SAML Single Sign On on a Confluence example page.

To follow and reproduce this points, please activate the redirection for your plugin and enable detailed logging for the plugin : Troubleshooting

1 ) Forced redirection to the SAML Single Sign On Servlet

A not authenticated user access a Confluence internal page :

The user will be catched from the plugin and redirected to the SAML Single Sign On Servlet. The original destination page is attached as redirectTo Parameter to the URL :

Debug Log:

DEBUG [http-nio-8443-exec-16] [atlasplugins.samlsso.servlet.RedirectToSsoFilter] doFilter Redirecting to
DEBUG [http-nio-8443-exec-1] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromClient Original url is /pages/viewpage.action?spaceKey=TEST&title=TESTPAGE

2 ) Redirection to the Identity Provider

The plugin creates the SAML Request and redirecting the user to the Identity Provider.

The destination URL consists of the IdP POST Binding URL + SAMLRequest + RelayState :

Debug Log:

DEBUG [http-nio-8443-exec-1] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromClient Redirecting to:

3 ) Redirection back to the SAML Single Sign On Servlet

The Identity Provider redirects the users back to the SAML Single Sign On Servlet:

The SAMLResponse from the Identity Provider contains the RelayState Parameter, which you can check in the Debug Log:

DEBUG [http-nio-8443-exec-6] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromIdP RelayState parameter is /pages/viewpage.action?spaceKey=TEST&title=TESTPAGE

4 ) Redirection to the original destination page

After the user authentication in Confluence, the plugin is now using the RelayState, to redirect the user correctly to the original destination page:

Debug Log:

DEBUG [http-nio-8443-exec-6] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromIdP Redirecting to