The next series of posts will focus on how SAML 2.0 based SSO can be configured for specific third party applications using the WSO2 Identity Server as the IdP. Once all the configurations are complete, the user will have the ability to use any of these applications, having been authenticated once by the WSO2 Identity Server.
This post describes how SAML 2.0-based Single Sign-On can be configured for Atlassian Confluence using the WSO2 Identity Server as the Identity Provider.
WSO2 Identity Server
The WSO2 Identity Server download link and the installation guide are given below.
Atlassian Confluence
The Confluence download link and installation guide are given below. This tutorial has been tested with Confluence version 5.7.1; slight modifications might be required for other versions.
LastPass Confluence SAML Plugin
The plugin is required to configure SAML 2.0 SSO for Confluence. The download link is given below, and the installation guide can be found in the file named INSTALL in the main folder.
IMPORTANT: Step 1 should be completed before the plugin installation, because installing the plugin disables the default user login process, which makes it difficult to do any configuration inside the Confluence dashboard.
Step 1: Configuring Confluence LDAP
This step requires a working knowledge of LDAP; follow this link if you are unfamiliar with the concept.
Confluence by default uses an internal LDAP to keep track of users and permissions. In order to integrate the WSO2 IS with Confluence, both products should point to the same LDAP instance. Here we are configuring the Confluence LDAP directory to point to the WSO2 IS LDAP.
- Once inside the Confluence dashboard, click on the cog icon on the top pane and select User Management.
- Click on the User Directories link on the left-hand pane.
- Select Add Directory, then select LDAP from the drop-down menu.
- The configuration is given below.
Test the configuration while the WSO2 IS is running, then save.
- This configuration was done after configuring the WSO2 IS to accept email authentication. If that has not been done, the configuration will differ slightly. See here for more information.
- WSO2 IS by default uses port 10389 for its LDAP; this can be changed by editing the <IS_HOME>/repository/conf/user-mgt.xml file.
Step 2: Configuring Confluence
- Stop Confluence and install the LastPass plugin.
- Change the name of idp-metadata.xml.sample to idp-metadata.xml and sp-metadata.xml.sample to sp-metadata.xml. These two files are found in your <CONFLUENCE_HOME> directory.
- Change the <CONFLUENCE_HOME>/idp-metadata.xml as follows:
- Change the entityID value to the issuer name you will be configuring the Service Provider with in your IdP. For this tutorial we will be setting this to "LastPass-Confluence".
- Replace the <md:SingleSignOnService….> tag with
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso"/>
- Replace the <md:SingleLogoutService….> tag with
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso"/>
- Replace the "cert-goes-here" placeholder between the <ds:X509Certificate> tags with your certificate. The WSO2 IS default certificate can be found here.
(Use the certificate content only, without the BEGIN and END lines.)
NOTE: The edited idp-metadata.xml file should look like this.
- Change the <CONFLUENCE_HOME>/sp-metadata.xml as follows:
- Change the entityID to the issuer value as above, in this case "LastPass-Confluence".
- Replace "http://confluence.example.com" with your Confluence URL, in this case "http://localhost:PORT". Replace PORT with the port Confluence is running on; by default it is 8090.
NOTE: The edited sp-metadata.xml file should look like this.
Step 3: Configuring WSO2 IS
- Select Add under the Service Provider section on the left pane.
- Give a name and register the Service Provider.
- Click on "Inbound Authentication Configuration", under that click on "SAML Web SSO Configuration", then click on "Configure".
- Give the following values:
- Issuer = LastPass-Confluence (this value has to equal the entityID value we gave in Step 2)
- Assertion Consumer URL = http://localhost:8090/saml_acs.jsp
- Check "Use fully qualified username in the NameID"
- Check "Enable Response Signing"
- Check "Enable Assertion Signing"
- Check "Enable Single Logout"
- Click Register, then Update.
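The values entered in Steps 2 and 3 have to agree with each other, and a mismatch usually shows up only as an opaque error at login. Below is an added example (not from this post or the LastPass plugin) that parses an edited idp-metadata.xml and sp-metadata.xml and checks that both entityIDs equal the Issuer registered in the IS, that the SSO and SLO endpoints use HTTP-Redirect over https, that the certificate is bare base64 without PEM BEGIN/END lines, and that the SP's AssertionConsumerService matches the ACS URL given to the IS. The two sample metadata documents are constructed to mirror the values in this post; the plugin's real files contain more elements, so point the checker at those files rather than the samples.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def check_metadata(idp_xml, sp_xml, issuer, acs_url):
    """Return a list of mismatches; an empty list means IdP file, SP file and IS agree."""
    idp, sp, problems = ET.fromstring(idp_xml), ET.fromstring(sp_xml), []
    # entityID in both files must equal the Issuer registered in the IS (case-sensitive).
    for name, root in (("idp-metadata.xml", idp), ("sp-metadata.xml", sp)):
        if root.get("entityID") != issuer:
            problems.append(f"{name}: entityID {root.get('entityID')!r} != {issuer!r}")
    # SSO and SLO endpoints must use HTTP-Redirect and point at the IS over TLS.
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        ep = idp.find(f"md:IDPSSODescriptor/md:{tag}", NS)
        if ep is None or ep.get("Binding") != REDIRECT:
            problems.append(f"idp-metadata.xml: {tag} missing or not HTTP-Redirect")
        elif not ep.get("Location", "").startswith("https://"):
            problems.append(f"idp-metadata.xml: {tag} Location is not https")
    # The signing certificate must be bare base64, not PEM with BEGIN/END armour.
    cert = idp.find(".//ds:X509Certificate", NS)
    text = (cert.text or "").strip() if cert is not None else ""
    if text in ("", "cert-goes-here") or "BEGIN" in text:
        problems.append("idp-metadata.xml: certificate missing, placeholder or has BEGIN/END lines")
    # The SP's consumer endpoint must equal the ACS URL given to the IS in Step 3.
    acs = sp.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if acs is None or acs.get("Location") != acs_url:
        problems.append(f"sp-metadata.xml: AssertionConsumerService != {acs_url!r}")
    return problems

# Constructed sample files mirroring the values used in this post (not the real plugin files).
IDP_OK = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="LastPass-Confluence">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIBconstructedBase64</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://localhost:9443/samlsso"/>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://localhost:9443/samlsso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
SP_OK = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="LastPass-Confluence"><md:SPSSODescriptor>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="http://localhost:8090/saml_acs.jsp" index="0"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""
# A broken copy: PEM header left in and the entityID mistyped in lower case.
IDP_BAD = (IDP_OK.replace("MIIBconstructedBase64", "-----BEGIN CERTIFICATE-----\nMIIB")
                 .replace('entityID="LastPass-Confluence"', 'entityID="lastpass-confluence"'))
```

Running check_metadata(IDP_BAD, SP_OK, "LastPass-Confluence", "http://localhost:8090/saml_acs.jsp") reports the entityID mismatch and the PEM armour, the two mistakes this tutorial's steps most often trip over.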
Step 4: Patch the WSO2 IS
The Identity Server needs to be patched to include an attribute of the authentication statement. This attribute is optional according to the SAML specification, so the IS does not set it, but the plugin looks for it and throws an error if it is absent.
Add the following line in the buildSAMLAssertion() method, after the authStmt is initialized, in this class.
Step 5: Run the Server
Now we are all set: run Confluence and the WSO2 IS. The Confluence default URL should redirect you to the WSO2 IS authentication page. Once you enter your credentials, you will be redirected to the Confluence dashboard of the logged-in user.
Do drop a comment if you have any problems. Have fun! :)