Access Manager (Sun Identity Server) custom Seraph authenticator for Confluence

I have successfully created a Seraph authenticator for Sun's Access Manager using the attached files. It could probably be implemented more cleanly using just servlet classes rather than the attached JSPs, if someone wanted to do that.

It works by presenting the user with a customized login page, which forwards to a Confluence page on success or back to the login page on error. The customized SSOAuthenticator class then grabs the SSO information from the session and sets the appropriate variables.

This is the seraph.xml file:

<security-config>
    <parameters>
        <init-param>
            <param-name>login.url</param-name>
            <!--
            <param-value>/login.action?os_destination=${originalurl}</param-value>
            -->
            <param-value>/commonLogin/confluence_login.jsp?os_destination=${originalurl}</param-value>
        </init-param>

        <init-param>
            <param-name>link.login.url</param-name>
            <param-value>/login.action</param-value>
        </init-param>
        <init-param>
            <param-name>cookie.encoding</param-name>
            <param-value>cNf</param-value>
        </init-param>
        <init-param>
            <param-name>login.cookie.key</param-name>
            <param-value>seraph.confluence</param-value>
        </init-param>

        <!--only basic authentication available-->
        <init-param>
            <param-name>authentication.type</param-name>
            <param-value>os_authType</param-value>
        </init-param>
    </parameters>

    <rolemapper class="com.atlassian.confluence.security.ConfluenceRoleMapper"/>
    <controller class="com.atlassian.confluence.setup.seraph.ConfluenceSecurityController"/>
    <!--
    <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>
    -->
    <authenticator class="com.company.seraph.SSOAuthenticator"/>

    <services>
        <service class="com.atlassian.seraph.service.PathService">
            <init-param>
                <param-name>config.file</param-name>
                <param-value>seraph-paths.xml</param-value>
            </init-param>
        </service>
    </services>

    <interceptors>
        <interceptor name="login-logger" class="com.atlassian.confluence.user.ConfluenceLoginInterceptor"/>
    </interceptors>
</security-config>

For our current implementation, not all users are permitted into Confluence, so if a user is authenticated by Access Manager but is not a Confluence user, we needed to send back a 403 (Forbidden) error code and define an error page for it in the web.xml file.

<error-page>
    <error-code>403</error-code>
    <location>/commonLogin/error.html</location>
</error-page>
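
The flow described above (SSO identity read from the session, 403 for users Access Manager knows but Confluence does not) could look like the sketch below. This is an added example, not the attached files: the session attribute name `sso.userid` is hypothetical and is assumed to be set server-side by the login JSP only after Access Manager has authenticated the user. It compiles against the Seraph, Confluence and servlet API jars shipped with Confluence.

```java
package com.company.seraph;

import java.io.IOException;
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.atlassian.confluence.user.ConfluenceAuthenticator;

public class SSOAuthenticator extends ConfluenceAuthenticator {
    // Hypothetical attribute name (assumption). It must only ever be written
    // by server-side code after Access Manager has validated the user, never
    // copied from a request parameter, header or cookie.
    static final String SSO_USER_ATTR = "sso.userid";

    public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null; // no session, so no SSO identity: no user
        }
        // Already mapped to a Confluence user earlier in this session.
        Principal known = (Principal) session.getAttribute(LOGGED_IN_KEY);
        if (known != null) {
            return known;
        }
        Object ssoUser = session.getAttribute(SSO_USER_ATTR);
        if (!(ssoUser instanceof String) || ((String) ssoUser).trim().length() == 0) {
            return null; // not authenticated by Access Manager: fail closed
        }
        // Look the SSO identity up in Confluence's own user store.
        Principal user = getUser(((String) ssoUser).trim());
        if (user == null) {
            // Authenticated by Access Manager but not a Confluence user:
            // answer 403, which web.xml maps to /commonLogin/error.html.
            try {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
            } catch (IOException e) {
                // Could not write the error; still return no user.
            }
            return null;
        }
        // Record the login the same way the stock authenticator does.
        session.setAttribute(LOGGED_IN_KEY, user);
        session.setAttribute(LOGGED_OUT_KEY, null);
        return user;
    }
}
```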

  1. Nov 04, 2006

    Thorleif Wiik says:

    Great to have this!

  2. Apr 30

    Benjamin Renaud says:

    Where do you package the class? Where does it have to be for Confluence to see it?