
Confluence Server - Centrify Product Documentation


Confluence Server

With Centrify as your identity service, you can choose single sign-on (SSO) access to the Confluence web application with SP-initiated SAML SSO (for SSO access directly through the Confluence web application). Enabling both methods ensures that users can log in to Confluence Server in different situations, such as clicking through a notification email.

Confluence does not support SAML, but it accepts a custom plugin that lets individual companies modify the authentication process to suit their own needs, including implementing single sign-on. A custom plugin is a set of .jar files that are implemented using Atlassian's Seraph library and deployed in the Confluence Server. A system administrator must change the Confluence configuration to use the plugin.

For more information about Single Sign-on Integration with JIRA and Confluence, see: https://confluence.atlassian.com/display/DEV/Single+Sign-on+Integration+with+JIRA+and+Confluence

With the Centrify Confluence SAML plugin deployed in Confluence Server, any unauthenticated access to Confluence resources is redirected to Centrify Admin Portal for authentication. After authenticating, users are redirected back to the requested resources.

The Centrify Confluence SAML plugin has been tested in Confluence Server versions 5.6.6 and 6.1.2.

If Confluence is the first application you are configuring for SSO through Centrify Identity Services, read these topics before you get started:

    Introduction to application management
    Configuring Single Sign-On (SSO)

Continue with Confluence Server SSO requirements.

Confluence Server SSO requirements

Before you configure the Confluence Server web application for SSO, you need the following:

    A Confluence Server (On-Premise).
    A system administrator account to the Confluence Server computer to deploy and configure the plugin.


Configuring Confluence Server in Admin Portal

To add and configure the Confluence Server application in Admin Portal:

1 In Admin Portal, click Apps, then click Add Web Apps.

The Add Web Apps screen appears.

2 On the Search tab, enter the partial or full application name in the Search field and click the search icon.

3 Next to the application, click Add.

4 In the Add Web App screen, click Yes to confirm.

Admin Portal adds the application.

5 Click Close to exit the Application Catalog.

The application that you just added opens to the Settings page.

6 Click the Trust page to begin configuring the application.

The UI is evolving in order to simplify application configuration. For example, many of the settings previously found on the Application Settings page are now on the Trust page.


You might have to select Manual Configuration to expose those settings, as shown in the following example.

Any previously configured applications retain their configuration and do not require reconfiguration. If you are configuring an application for the first time, refer to the Trust page for any settings previously found on the Application Settings page.

In addition, the description of how to choose and download a signing certificate in this document might differ slightly from your experience. See Choose a certificate file for the latest information.


7 Configure the following:

    Field: Assertion Consumer Service URL
    Set it to: Your Confluence Server host and port number.
    What you do: Replace YOUR-CONFLUENCE-HOST-AND-PORT with your Confluence Server host and port number, if any. For example, if your Confluence Server URL is https://confluence.acme.com:8443, replace YOUR-CONFLUENCE-HOST-AND-PORT with confluence.acme.com:8443.
    Note: If your Confluence Server is hosted over HTTP, change https to http.

Note For information on optional Centrify Admin Portal configuration settings that you may wish to customize for your app, see Optional configuration settings.

Downloading the Centrify Confluence SAML plugin and signing certificate

To download the plugin and certificate:

1 Go to the Application Settings page for the Confluence Server app in Admin Portal.

2 Copy your IdP Issuer and save it where you can find it when Deploying and configuring Confluence SAML plugin in Confluence Server.

3 Copy your IdP Post URL and save it where you can find it when Deploying and configuring Confluence SAML plugin in Confluence Server.

4 Click Download Signing Certificate and save the .cer file where you can find it when Deploying and configuring Confluence SAML plugin in Confluence Server.

5 Click Download this plugin to be installed into your Confluence Server instance to download a .zip file containing the SAML plugin files, and save the file where you can find it when Deploying and configuring Confluence SAML plugin in Confluence Server.

Deploying and configuring Confluence SAML plugin in Confluence Server

This section requires a system administrator to place new files in the Confluence Server file system and modify Confluence configuration files. Note that this is a system administrator to the server hosting Confluence, not a Confluence (application) administrator.


Note These instructions assume:

Confluence on Windows.

Your Confluence Server is installed at: C:\Program Files\Atlassian\Confluence.

To deploy and configure the Confluence SAML plugin:

1 Access the server hosting Confluence.

2 Stop the Confluence application. For example, in Windows 7, go to Control Panel > Administrative Tools > Services, then right-click the Atlassian Confluence service and select Stop.

Note The following instructions assume that your Confluence Server is located in C:\Program Files\Atlassian\Confluence. If you choose to specify a different location, substitute that location for C:\Program Files\Atlassian\Confluence from here forward.

3 Copy the .cer signing certificate file downloaded in Downloading the Centrify Confluence SAML plugin and signing certificate and place it in: C:\Program Files\Atlassian\Confluence\confluence\WEB-INF.

4 Copy the .zip file downloaded in Downloading the Centrify Confluence SAML plugin and signing certificate and place it in a temporary location (any location other than where it will be moved to in the next few steps).

5 Extract the .zip file.

You will get a readme file and a lib directory containing several .jar files.

6 Copy all the .jar files and paste them in: C:\Program Files\Atlassian\Confluence\confluence\WEB-INF\lib

7 Go to C:\Program Files\Atlassian\Confluence\confluence\WEB-INF\classes\seraph-config.xml.

8 Comment out the <authenticator class= line that is not already commented out.

9 Below that line add the following lines:

    <!-- Centrify SAML -->
    <authenticator class="com.centrify.cloud.saas.confluencesaml.SamlAuthenticator"/>

10 Save seraph-config.xml.

11 Open C:\Program Files\Atlassian\Confluence\confluence\WEB-INF\web.xml.

12 Find the last <servlet> defined.

13 Place your cursor below the last <servlet> defined, then copy/paste the following:

    <!-- Centrify SAML -->
    <servlet>
        <servlet-name>samlServlet</servlet-name>
        <servlet-class>com.centrify.cloud.saas.confluencesaml.SamlServlet</servlet-class>
        <init-param>
            <param-name>idpIssuerName</param-name>
            <param-value><!-- Copy IdP Issuer from Application Settings in Centrify Identity Services and paste it here. --></param-value>
        </init-param>
        <init-param>
            <param-name>idpCertFile</param-name>
            <param-value><!-- Absolute file path to your signing certificate file --></param-value>
        </init-param>
        <init-param>
            <param-name>audience</param-name>
            <!-- After setting the audience value below, make sure you also set the same audience value in Admin Portal. -->
            <param-value>Confluence</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

14 Set the <param-value> of idpIssuerName to the IdP Issuer that you copied from your Confluence Server SAML application in Downloading the Centrify Confluence SAML plugin and signing certificate.

15 Set the <param-value> of idpCertFile to the absolute file path to your signing certificate file. If you used the recommended path name in Step 3 and if your certificate file is named Confluence.cer, you would set <param-value> to: C:\Program Files\Atlassian\Confluence\confluence\WEB-INF\Confluence.cer.

As shown here:

    <init-param>
        <param-name>idpCertFile</param-name>
        <param-value>C:\Program Files\Atlassian\Confluence\confluence\WEB-INF\Confluence.cer</param-value>
    </init-param>

16 Find the last <servlet-mapping> defined.

17 Place your cursor below the last <servlet-mapping> and copy/paste the following:

    <!-- Centrify SAML -->
    <servlet-mapping>
        <servlet-name>samlServlet</servlet-name>
        <url-pattern>/saml</url-pattern>
    </servlet-mapping>

18 Find the last <filter> defined.


19 Below the last <filter> add the following lines:

    <!-- Centrify SAML -->
    <filter>
        <filter-name>samlFilter</filter-name>
        <filter-class>com.centrify.cloud.saas.confluencesaml.SamlFilter</filter-class>
        <init-param>
            <param-name>idpPostUrl</param-name>
            <param-value></param-value>
        </init-param>
        <init-param>
            <param-name>spIssuerName</param-name>
            <param-value>Confluence</param-value>
        </init-param>
        <init-param>
            <param-name>allowedURIs</param-name>
            <param-value>
                /saml,
                /plugins/servlet/applinks/*,
                /plugins/servlet/oauth/*,
                /rest/*
            </param-value>
        </init-param>
    </filter>

20 Set the <param-value> of idpPostUrl by copying the IdP Post URL from your Confluence Server SAML application in Admin Portal and pasting it inside <param-value></param-value> in the code you added in Step 19.

21 Above the <filter-mapping> with the <filter-name> of login, add the following lines:

    <!-- Centrify SAML -->
    <filter-mapping>
        <filter-name>samlFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

22 Save web.xml.

23 Start the Confluence application. For example, in Windows 7, go to Control Panel > Administrative Tools > Services, then right-click the Atlassian Confluence service and select Start.

Wait a few minutes for the service to start. The new settings that you just configured will be used after Confluence starts.

Note After configuration for SP-initiated SSO is complete, the Confluence application is automatically ready to link to other Atlassian apps released in that have also been configured for SP-initiated SSO. For information about how to link the apps, see: https://confluence.atlassian.com/adminjiraserver073/using-applinks-to-link-to-other-applications-861253079.html

Note You can add additional paths to the list of <param-value> values for allowedURIs in the web.xml file for Atlassian apps released in Centrify Identity Services Cloud 17.10 or later. It is important that you do not change the /saml <param-value>.

24 (Optional) To configure the Confluence application for automatic provisioning, see Confluence provisioning.
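
A post-edit check for the web.xml changes in steps 13 through 21, added here as an example and not part of Centrify's documentation or plugin: it parses web.xml and reports placeholders left unfilled, an allowedURIs list that has lost /saml, and a samlFilter mapping placed below the login mapping. The function names, messages and SAMPLE document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

REQUIRED = {('servlet', 'samlServlet'): ('idpIssuerName', 'idpCertFile', 'audience'),
            ('filter', 'samlFilter'): ('idpPostUrl', 'spIssuerName', 'allowedURIs')}

def _local(tag):
    return tag.rsplit('}', 1)[-1]            # '{namespace}servlet' -> 'servlet'

def _text(el, name):   # '' when the child is absent, empty or holds only a comment
    return next(((c.text or '').strip() for c in el if _local(c.tag) == name), '')

def _params(el):
    return {_text(p, 'param-name'): _text(p, 'param-value')
            for p in el if _local(p.tag) == 'init-param'}

def check_web_xml(xml_text):
    """Return a list of problems in the Centrify SAML entries of a web.xml."""
    root, found, order, problems = ET.fromstring(xml_text), {}, [], []
    for el in root:
        kind = _local(el.tag)
        if kind in ('servlet', 'servlet-mapping', 'filter'):
            found[(kind, _text(el, kind.split('-')[0] + '-name'))] = el
        elif kind == 'filter-mapping':
            order.append(_text(el, 'filter-name'))      # document order matters
    for (kind, name), wanted in REQUIRED.items():
        if (kind, name) not in found:
            problems.append(f'<{kind}> {name} is missing')
            continue
        params = _params(found[(kind, name)])
        problems += [f'{name}: {p} is not set' for p in wanted if not params.get(p)]
        uris = params.get('allowedURIs')
        if uris and '/saml' not in [u.strip() for u in uris.split(',')]:
            problems.append('allowedURIs no longer contains /saml')
    mapping = found.get(('servlet-mapping', 'samlServlet'))
    if mapping is None or _text(mapping, 'url-pattern') != '/saml':
        problems.append('samlServlet is not mapped to /saml')
    if 'samlFilter' not in order:
        problems.append('<filter-mapping> for samlFilter is missing')
    elif 'login' in order and order.index('samlFilter') > order.index('login'):
        problems.append('samlFilter mapping is below the login mapping')
    return problems

# Constructed sample: step 20 skipped and the samlFilter mapping placed below login.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
<filter><filter-name>samlFilter</filter-name><init-param>
<param-name>idpPostUrl</param-name><param-value/></init-param></filter>
<filter-mapping><filter-name>login</filter-name></filter-mapping>
<filter-mapping><filter-name>samlFilter</filter-name></filter-mapping>
</web-app>"""
print(check_web_xml(SAMPLE))
```

To check a real file, pass its contents to check_web_xml before starting the service in step 23; an empty list means every entry from the steps above is present and filled in.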

Confluence provisioning

SCIM (System for Cross-domain Identity Management) is an open standard for automating the exchange of user identity information between identity domains, or IT systems. It can be used to automatically provision and deprovision accounts for users in external systems such as your custom SAML app. For more information about SCIM, see www.simplecloud.info.

If your application supports SCIM, you can set it up to enable provisioning by entering the Access Token and SCIM URL.

For more information about provisioning your app, see Setting up generic SCIM provisioning.

For more information about Confluence Server Single Sign-on Integration with JIRA and Confluence:

https://confluence.atlassian.com/display/DEV/Single+Sign-on+Integration+with+JIRA+and+Confluence

For configuration between Centrify SAML Plug-in and Confluence Server, contact Centrify Support.

Confluence Server specifications

Each SAML application is different. The following table lists features and functionality specific to Confluence Server.

Capability | Supported? | Support details
Web browser client | Yes |
Mobile client | No |
SAML 2.0 | Yes |
SP-initiated SSO | Yes |
IdP-initiated SSO | Yes |
Force user login via SSO only | Yes |
Separate administrator login after SSO is enabled | No |
User or Administrator lockout risk | Yes | Because SP-initiated SSO always redirects users to Centrify and disables the function of Confluence login pages, users run the risk of being locked out of Confluence.
Automatic user provisioning | No |
Multiple User Types | Yes | SSO works the same way for all admin and non-admin user types.
Self-service password | Yes | Users can reset their own passwords. Resetting another user’s password requires administrator rights.
Access restriction using a corporate IP range | Yes | You can specify an IP Range in the Admin Portal Policy page to restrict access to the application.