Using the Confluence On Premises SAML App
In addition to providing the Confluence Cloud web application through the Okta Integration Network, Okta also supports single sign-on integration between Okta and the Confluence On-Premises SAML app. To configure the integration, you must install Okta's custom Confluence authenticator on your Confluence server. The Okta Confluence Authenticator Version History article lists the Confluence on-premises versions that support recent versions of the JAR. You can download the latest version of the okta-confluence.jar file from the Okta Downloads page. Download the file before you begin the integration.
For more information about Confluence custom authenticators, refer to the page Single Sign-on Integration with JIRA and Confluence on the Atlassian website. For information about configuring provisioning for the app, see Configuring Provisioning for Confluence (Atlassian).
Note: To ensure that communication between your on-premises Confluence server and Okta is not blocked by a firewall or proxy, you may need to add the Okta IP addresses to your allow list.
Add the On-Premise App to Okta
Note: Steps 5 and 8 below provide links to other documents with additional instructions.
- Download the appropriate version of the okta-confluence.jar file from the Okta Downloads page. For information about which version of the JAR to download for use with your Confluence On-Premises SAML app, see Okta Confluence Authenticator Version History. Later you will copy this file to your Confluence server.
- Go to Applications > Applications.
- Click Add Application and search for Confluence On-Premise SAML.
- Click Add.
- Follow the onscreen prompts. Detailed instructions for this part of the installation are provided in Applications.
When you have completed the initial installation, the Home page of the newly created app appears.
- On the Assignments tab, assign users to the Confluence On-Premises SAML app.
- Click the Sign On tab.
- In the Settings section, click View Setup Instructions to open the article How to Configure Confluence On-Premise SAML Application.
The procedure is summarized as follows:
- Create a file okta-config-confluence.xml on the Confluence server.
- Paste the provided configuration into okta-config-confluence.xml.
- Update your [confluence_webdir]/WEB-INF/classes/seraph-config.xml as described in the setup instructions.
- Copy okta-confluence.jar to the [confluence_webdir]/WEB-INF/lib directory.
- Restart your Confluence service.
Optional - Filter User Access by IP Address, User Name, or Group Name
You can specify whether SAML authentication or native service provider authentication is used, based on the client IP address, user name, or group name. This option is set in the okta-config-confluence.xml file using the tags described below.
The IP range in the <oktaUsers> tag specifies the IP addresses that use the SAML toolkit for authentication. The values in the <ipFrom> and <ipTo> tags specify IP addresses. These tags can contain full IP addresses or a mask such as 182.0.*.* . The <ipTo> tag is optional. Omit it if the range is completely specified in the <ipFrom> tag. This range has higher priority than the range specified in the <spUsers> tag below.
The IP range in the <spUsers> tag specifies the IP addresses that use the native service provider authentication. The values in the <ipFrom> and <ipTo> tags specify IP addresses, and work as described above. This range has lower priority than the range specified in the <oktaUsers> tag above.
The values in the <username> tags contained in the <spUsers> tag specify user names to process with the native service provider authentication. Any number of <username></username> tags are permitted.
The values in the <groupname> tags contained in the <spGroups> tag specify group names to process with the native service provider authentication. Any number of <groupname></groupname> tags are permitted.
If an IP address falls into both ranges, or is inadvertently left out of both, the following four rules determine which authenticator is used.
- If a user is matched in both ranges, the SAML toolkit is used for authentication.
- If the <allowedAddresses> tag is not present, the SAML toolkit is used for authentication.
- If a user is not matched in either range, the SAML toolkit is used for authentication.
- The native Confluence authenticator (the service provider authenticator) is used only if a user is matched in the <spUsers> range and not in the <oktaUsers> range.
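The four rules above are easy to get wrong when a range is written with a mask or when a host appears in both ranges, so here is the selection logic as a small Python model. This is an added example, not code from Okta's authenticator. The tag names come from the text above; the nesting of <oktaUsers>, <spUsers> and <spGroups> directly under <allowedAddresses>, the sample addresses and names in the constructed config, and the assumption that a user name or group name listed for native authentication is still overridden by a match in the higher-priority <oktaUsers> range are assumptions made for this illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape the article describes. The placement of the
# three sections under <allowedAddresses> is an assumption, not Okta's schema.
SAMPLE_CONFIG = """
<oktaConfig>
  <allowedAddresses>
    <oktaUsers>
      <ipFrom>10.0.0.1</ipFrom>
      <ipTo>10.0.0.50</ipTo>
    </oktaUsers>
    <spUsers>
      <ipFrom>10.0.0.*</ipFrom>
      <username>admin</username>
      <username>svc-backup</username>
    </spUsers>
    <spGroups>
      <groupname>confluence-administrators</groupname>
    </spGroups>
  </allowedAddresses>
</oktaConfig>
"""


def ip_matches(addr, ip_from, ip_to=None):
    """True if addr is inside the range described by one <ipFrom>/<ipTo> pair.

    A mask such as 182.0.*.* is matched octet by octet; otherwise the pair is
    treated as an inclusive numeric range, and a missing <ipTo> means a
    single address.
    """
    if "*" in ip_from:
        pattern = ip_from.split(".")
        octets = addr.split(".")
        return len(pattern) == 4 and len(octets) == 4 and all(
            p == "*" or p == o for p, o in zip(pattern, octets))
    low = int(ipaddress.IPv4Address(ip_from))
    high = int(ipaddress.IPv4Address(ip_to)) if ip_to else low
    return low <= int(ipaddress.IPv4Address(addr)) <= high


def parse_ranges(section):
    """Collect (ipFrom, ipTo-or-None) pairs from a section, in document order."""
    ranges, pending = [], None
    for child in section:
        if child.tag == "ipFrom":
            if pending is not None:          # previous <ipFrom> had no <ipTo>
                ranges.append((pending, None))
            pending = child.text.strip()
        elif child.tag == "ipTo" and pending is not None:
            ranges.append((pending, child.text.strip()))
            pending = None
    if pending is not None:
        ranges.append((pending, None))
    return ranges


def load_policy(xml_text):
    """Return the filter policy, or None when <allowedAddresses> is absent."""
    allowed = ET.fromstring(xml_text).find(".//allowedAddresses")
    if allowed is None:
        return None
    okta, sp, groups = (allowed.find(t) for t in ("oktaUsers", "spUsers", "spGroups"))
    return {
        "okta_ranges": parse_ranges(okta) if okta is not None else [],
        "sp_ranges": parse_ranges(sp) if sp is not None else [],
        "sp_users": {u.text.strip() for u in sp.findall("username")} if sp is not None else set(),
        "sp_groups": {g.text.strip() for g in groups.findall("groupname")} if groups is not None else set(),
    }


def choose_authenticator(policy, client_ip, username=None, groups=()):
    """Apply the four rules; returns "saml" or "native"."""
    if policy is None:                       # rule 2: no <allowedAddresses>
        return "saml"
    in_okta = any(ip_matches(client_ip, lo, hi) for lo, hi in policy["okta_ranges"])
    in_sp = (any(ip_matches(client_ip, lo, hi) for lo, hi in policy["sp_ranges"])
             or username in policy["sp_users"]
             or bool(policy["sp_groups"].intersection(groups)))
    # Rule 4 is the only path to native auth. A match in both ranges (rule 1)
    # and a match in neither (rule 3) both fall through to SAML.
    if in_sp and not in_okta:
        return "native"
    return "saml"


def decide(xml_text, client_ip, username=None, groups=()):
    """Convenience wrapper: parse the config and pick the authenticator."""
    return choose_authenticator(load_policy(xml_text), client_ip, username, groups)


if __name__ == "__main__":
    for ip, user in [("10.0.0.25", None), ("10.0.0.200", None),
                     ("192.168.1.5", None), ("192.168.1.5", "admin")]:
        print(ip, user, "->", decide(SAMPLE_CONFIG, ip, user))
```

The point worth checking in your own deployment is the fall-through: any address that is not explicitly placed in the <spUsers> range (and not named or grouped there) ends up on SAML, so a typo in an <ipFrom> mask silently moves that host to Okta rather than leaving it on native Confluence login.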