This page walks through the redirect flow of the SAML Single Sign On for Data Center plugin, using a Confluence page as the example.

To follow and reproduce these steps, activate redirection in the plugin and enable detailed logging for the plugin (see Troubleshooting).

1 ) Forced redirection to the SAML Single Sign On Servlet

An unauthenticated user accesses a Confluence Data Center internal page: https://confluence5911.lab.resolution.de/display/TEST/TESTPAGE

The plugin intercepts the request and redirects the user to the SAML Single Sign On Servlet. The original destination page is attached to the URL as the redirectTo parameter:
https://confluence5911.lab.resolution.de/plugins/servlet/samlsso?redirectTo=%2Fpages%2Fviewpage.action%3FspaceKey%3DTEST%26title%3DTESTPAGE

Debug Log:

DEBUG [http-nio-8443-exec-16] [atlasplugins.samlsso.servlet.RedirectToSsoFilter] doFilter Redirecting to https://confluence5911.lab.resolution.de/plugins/servlet/samlsso?redirectTo=%2Fpages%2Fviewpage.action%3FspaceKey%3DTEST%26title%3DTESTPAGE
DEBUG [http-nio-8443-exec-1] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromClient Original url is /pages/viewpage.action?spaceKey=TEST&title=TESTPAGE

2 ) Redirection to the Identity Provider

The SAML SSO for Atlassian Data Center plugin creates the SAML Request and redirects the user to the Identity Provider.

The destination URL consists of the IdP POST Binding URL + SAMLRequest + RelayState:

http://adfs01.lab.resolution.de:8080?SAMLRequest=pZHBbsIwEER%2FJfKdxAmlohYJQkWVkOgFaA%2B9GduQNPZu6rVRP78GKRKHHir1uPLO7MzzYvntbHYxnjqEmpU5Z5kBhbqDc83eDi%2BTOVs2C5LODmIVQws78xUNhSzpgMTtoWbRg0BJHQmQzpAISuxXr1tR5VwMHgMqtCxbERkf0qFnBIrO%2BL3xl06Zt922Zm0IA4miUAgnG1MGM3sqy9zKY%2B4NoY1XYa5NMdh47oCK5HWxJhTXCETIsnWK1YEMtyZXu%2BQm9Yn4Ly5izuep6mZdM6lVj61yqBGt1W372QOeUVndqwHS0Dp3bG2ftomi2QAFCaFmFS8fJ2U5mfJDORUVFzOe84fqg2XvI85Un43wbmL%2Fd2xyhMWa%2F6JZFPcRmnG8%2F87mBw%3D%3D&RelayState=%2Fpages%2Fviewpage.action%3FspaceKey%3DTEST%26title%3DTESTPAGE

Debug Log:

DEBUG [http-nio-8443-exec-1] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromClient Redirecting to: http://adfs01.lab.resolution.de:8080?SAMLRequest=pZHBbsIwEER%2FJfKdxAmlohYJQkWVkOgFaA%2B9GduQNPZu6rVRP78GKRKHHir1uPLO7MzzYvntbHYxnjqEmpU5Z5kBhbqDc83eDi%2BTOVs2C5LODmIVQws78xUNhSzpgMTtoWbRg0BJHQmQzpAISuxXr1tR5VwMHgMqtCxbERkf0qFnBIrO%2BL3xl06Zt922Zm0IA4miUAgnG1MGM3sqy9zKY%2B4NoY1XYa5NMdh47oCK5HWxJhTXCETIsnWK1YEMtyZXu%2BQm9Yn4Ly5izuep6mZdM6lVj61yqBGt1W372QOeUVndqwHS0Dp3bG2ftomi2QAFCaFmFS8fJ2U5mfJDORUVFzOe84fqg2XvI85Un43wbmL%2Fd2xyhMWa%2F6JZFPcRmnG8%2F87mBw%3D%3D&RelayState=%2Fpages%2Fviewpage.action%3FspaceKey%3DTEST%26title%3DTESTPAGE


3 ) Redirection back to the SAML Single Sign On Servlet

The Identity Provider redirects the user back to the SAML Single Sign On Servlet:

https://confluence5911.lab.resolution.de/plugins/servlet/samlsso

The SAMLResponse from the Identity Provider contains the RelayState parameter, which you can check in the debug log:

DEBUG [http-nio-8443-exec-6] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromIdP RelayState parameter is /pages/viewpage.action?spaceKey=TEST&title=TESTPAGE


4 ) Redirection to the original destination page

After the user has been authenticated in Confluence, the plugin uses the RelayState to redirect the user to the original destination page:

https://confluence5911.lab.resolution.de/pages/viewpage.action?spaceKey=TEST&title=TESTPAGE

Debug Log:

DEBUG [http-nio-8443-exec-6] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromIdP Redirecting to https://confluence5911.lab.resolution.de/pages/viewpage.action?spaceKey=TEST&title=TESTPAGE
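The following Python script is an added example, not part of the plugin or its documentation. It reads debug lines in the format shown in steps 1 to 4 and checks that the destination stays identical from redirectTo through RelayState to the final redirect, and that the final redirect stays on the host that started the flow. The function names and the placeholder SAMLRequest value are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Log lines in this page's format; the SAMLRequest value is a constructed placeholder.
SAMPLE_LOG = """\
DEBUG [http-nio-8443-exec-16] [atlasplugins.samlsso.servlet.RedirectToSsoFilter] doFilter Redirecting to https://confluence5911.lab.resolution.de/plugins/servlet/samlsso?redirectTo=%2Fpages%2Fviewpage.action%3FspaceKey%3DTEST%26title%3DTESTPAGE
DEBUG [http-nio-8443-exec-1] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromClient Original url is /pages/viewpage.action?spaceKey=TEST&title=TESTPAGE
DEBUG [http-nio-8443-exec-1] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromClient Redirecting to: http://adfs01.lab.resolution.de:8080?SAMLRequest=CONSTRUCTED&RelayState=%2Fpages%2Fviewpage.action%3FspaceKey%3DTEST%26title%3DTESTPAGE
DEBUG [http-nio-8443-exec-6] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromIdP RelayState parameter is /pages/viewpage.action?spaceKey=TEST&title=TESTPAGE
DEBUG [http-nio-8443-exec-6] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromIdP Redirecting to https://confluence5911.lab.resolution.de/pages/viewpage.action?spaceKey=TEST&title=TESTPAGE
"""

LINE = re.compile(r"DEBUG \[[^\]]+\] \[[^\]]+\] (\w+) (.*)")
REDIRECT = re.compile(r"Redirecting to:? (\S+)")
NOTE = re.compile(r"(Original url|RelayState parameter) is (.*)")

def _param(url, name):  # URL-decoded value of one query parameter, or None
    return parse_qs(urlsplit(url).query).get(name, [None])[0]

def trace(log):
    """Collect the destination as the plugin logs it at each step."""
    seen = {}
    for m in filter(None, map(LINE.match, log.splitlines())):
        method, msg = m.groups()
        url, note = REDIRECT.match(msg), NOTE.match(msg)
        if url and method == "doFilter":  # step 1
            seen["sp_host"] = urlsplit(url[1]).netloc
            seen["redirectTo"] = _param(url[1], "redirectTo")
        elif url and method == "processRequestFromClient":  # step 2
            seen["relaystate_sent"] = _param(url[1], "RelayState")
        elif url and method == "processRequestFromIdP":  # step 4
            u = urlsplit(url[1])
            seen["final_host"] = u.netloc
            seen["final_path"] = u.path + ("?" + u.query if u.query else "")
        elif note:  # "Original url is" (step 1), "RelayState parameter is" (step 3)
            seen["original" if note[1] == "Original url" else "relaystate_received"] = note[2]
    return seen

def check(log):
    """Return findings; an empty list means the chain is consistent."""
    s = trace(log)
    dest = s.get("original")
    steps = ("redirectTo", "relaystate_sent", "relaystate_received", "final_path")
    findings = [f"{k} is {s.get(k)!r}, expected {dest!r}" for k in steps if s.get(k) != dest]
    if not dest or not dest.startswith("/") or dest.startswith("//"):
        findings.append("destination is not a site-relative path")
    if s.get("final_host") != s.get("sp_host"):
        findings.append("final redirect leaves the host that started the flow")
    return findings
```

Calling `check()` on the debug lines of a single login returns an empty list when every step logged the same destination; each entry otherwise names the step whose value differs.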