Enable auth_fallback to bypass SAML in Confluence Data Center


Purpose

It's possible to bypass SAML authentication if the product is configured to allow bypassing and a special query parameter, auth_fallback, is provided.

The parameter works only on the login page URL and is useful for troubleshooting SAML issues. An example of such a URL for JIRA is http://localhost:5990/contextPath/login.action?auth_fallback. If the application is configured to allow bypassing SAML authentication, the user will end up on the regular login page. If the configuration does not allow the use of auth_fallback, the regular SAML flow will be initiated instead.

Solution to Enable auth_fallback via REST API

In order to make use of the auth_fallback functionality, the allow-saml-redirect-override flag needs to be enabled via the REST API. This can be done with cURL or any other REST client, but the following is a user-friendly approach using Postman:

  1. Download Postman for your browser (or use your own if you have an alternate REST client)
  2. Open Postman
  3. Select GET from the dropdown menu and select Basic Auth from the Authorization tab (enter the admin credentials)
  4. Enter the following URL, modified for your environment: https://localhost:PORT/contextPath/rest/authconfig/1.0/saml (e.g. https://confluenceprod.net/confluence/rest/authconfig/1.0/saml )
  5. This should return a JSON response with the SAML settings, which will look similar to this:

    {
      "sso-url": "https://dev-486166.oktapreview.com/app/jeancodev486166_jiradc_1/exk9awjfupbFE8VQp0h7/sso/saml",
      "sso-issuer": "http://www.okta.com/exk9awjfupbFE8VQp0h7",
      "certificate": "MIIDpDCCAoygAwIBAgIGAVl1oNWbMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00ODYxNjYxHDAaBgkqhkiG9w0BCQEW\nDWluZm9Ab2t0YS5jb20wHhcNMTcwMTA2MjExMjExWhcNMjcwMTA2MjExMzExWjCBkjELMAkGA1UE\nBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV\nBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDg2MTY2MRwwGgYJ\nKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\nn5+MbxEb0rRA5kDBxVvzNRO3otJS7UMB3ldTEqivmieXvkXiSLjVYQJr7gbg+OYAX12V35HmrIs6\nRiT/d4trsePI09hRjQD2eMXsd11v1eKmoyAbsV026LZTHoVpXZQyeK383chJLEp2G6lRVdA/uFpP\nj5OCSiB5jVhEdRXymbfeESecMbh5YJu9H025sDBiqyzDHmZXunPdmJ0fyFpY9Q98bMfi7KUICHff\nlncSYQRDYax17wTO/2Nu4akWVESiBaedBlXAKuEOoB26ysxbQiUATOJTKodiGydyxLAlk2DV+Uzz\nDAeN8mQw7y4MArrSDqTWnTbtg3SJl6e0Ho/CGQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBNy/LR\nG85t3nuk4bnh2XRWtOXlSKtq6fVMAtJ4kd8vxB8M8DyFWDIaoXTd35COs1p2LX176hdBKjgau8Ux\nNUOJ3MIOw8qQAwFWguBHFWYhrcgDCVtCvz3wLIBRZehW/tX2ah+M8ATsn8oLPHaL2W11Z0JOiEcV\nIdAu6CyR1iDcVjCT7DV3h8aUWaLjfnfcJasEqiTEs2DH1d8E+GdW/lWaGiAdVlnxmxv5rvkwFxvZ\nDJyk2VPxZmFVdK16cUbPgnk5Bge7wnNaQZOUBmUZKAKmzeA+22lhKPpv8IGTIwEpcoUHggAdhvrT\nHfcvAs4OyFQgeaBA5//UjZVa/MfAFmqP",
      "user-attribute": null,
      "allow-saml-redirect-override": false,
      "include-customer-logins": false,
      "redirect-on-login": false,
      "enable-remember-me": false
    }

    The following steps explain how to update the allow-saml-redirect-override field to true.

  6. Open a new tab in Postman

  7. Select PUT from the dropdown and enter the URL http://localhost:PORT/contextPath/rest/authconfig/1.0/saml (e.g. https://confluenceprod.net/confluence/rest/authconfig/1.0/saml)

  8. Select Basic Auth from the Authorization tab and enter the credentials for the admin account

  9. Go to the Body tab, select Raw from the radio button. Select JSON from the dropdown menu.

  10. Using the results of the GET request as a reference, set allow-saml-redirect-override to true:

    {
      "allow-saml-redirect-override": true
    }
  11. You should get a 200 or 304 status when pressing the Send button, and you will now be able to access http://localhost:PORT/contextPath/login.action?auth_fallback to bypass SAML. It's important to set the flag back to false once the maintenance has been completed in order to restore the intended behavior.
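The same GET/PUT exchange scripted without Postman, so the flag can be enabled for a maintenance window and audited afterwards. This is an added example, not Atlassian's own code: it assumes only the endpoint path, the allow-saml-redirect-override field and the 200/304 status codes documented above; the base URL, credentials and environment variable names are constructed placeholders.

```python
"""Toggle and audit allow-saml-redirect-override over the authconfig REST API.

Added example (not part of the Atlassian article). Endpoint and field name are
taken from the article; credentials and base URL come from the environment.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.request

FIELD = "allow-saml-redirect-override"   # field name from the article
ENDPOINT = "/rest/authconfig/1.0/saml"   # endpoint from the article


def basic_auth_header(username, password):
    """Build the Authorization header Postman's Basic Auth tab would send."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def override_enabled(config):
    """True when the GET response says the auth_fallback bypass is usable."""
    return bool(config.get(FIELD, False))


def build_override_payload(enabled):
    """JSON body for the PUT: only the flag itself needs to be sent."""
    return json.dumps({FIELD: bool(enabled)})


def _request(base_url, method, username, password, body=None):
    """Issue one request; returns (status, response text) even for a 304."""
    headers = basic_auth_header(username, password)
    headers["Content-Type"] = "application/json"
    data = body.encode() if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT, data=data,
                                 headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        # urllib raises on non-2xx; a 304 from the PUT is still a success here
        return err.code, err.read().decode()


def get_saml_config(base_url, username, password):
    """GET the SAML settings as a dict (step 4 of the article)."""
    _, text = _request(base_url, "GET", username, password)
    return json.loads(text)


def set_redirect_override(base_url, username, password, enabled):
    """PUT the flag (steps 7-11); returns the HTTP status code."""
    status, _ = _request(base_url, "PUT", username, password,
                         build_override_payload(enabled))
    return status


if __name__ == "__main__":
    # Placeholder defaults; set these for your own environment
    base = os.environ.get("CONFLUENCE_BASE_URL", "https://localhost:8443/confluence")
    user = os.environ.get("CONFLUENCE_ADMIN_USER", "admin")
    pw = os.environ.get("CONFLUENCE_ADMIN_PASSWORD", "")
    action = sys.argv[1] if len(sys.argv) > 1 else "audit"
    if action in ("enable", "disable"):
        status = set_redirect_override(base, user, pw, action == "enable")
        print(f"PUT status: {status} (200 or 304 expected)")
    if override_enabled(get_saml_config(base, user, pw)):
        print("WARNING: auth_fallback bypass is enabled; disable it once maintenance ends")
    else:
        print("auth_fallback bypass is disabled")
```

Run it with `audit` (the default) from a scheduled job to catch a flag that was left on after maintenance; `enable` and `disable` perform the PUT and then re-read the configuration to confirm the stored value.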


Newer versions of the SAML app (v4.0.1+) are instead called SSO for Atlassian Data Center and include additional functionality. In those newer versions the REST endpoint and field have also been renamed. If using one of those versions then the following changes to the above need to be made:

Solution to Enable auth_fallback via database query

The allow-saml-redirect-override flag can be retrieved via the following SQL query:

SELECT * FROM BANDANA WHERE BANDANAKEY='com.atlassian.plugins.authentication.samlconfig.allow-saml-override';

(info) If auth_fallback has not been enabled yet, expect the value to be "false".


To enable it, set allow-saml-redirect-override to "true" via the following query:

UPDATE BANDANA SET BANDANAVALUE='<string>true</string>' WHERE BANDANAKEY='com.atlassian.plugins.authentication.samlconfig.allow-saml-override';

As above, in the newer versions of the SAML app (v4.0.1+), now called SSO for Atlassian Data Center, the relevant BANDANAKEY has also been renamed to:

  • com.atlassian.plugins.authentication.sso.config.allow-redirect-override
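The SELECT and UPDATE above, run against a constructed stand-in for the BANDANA table so the XML-wrapped value format and both key names can be checked offline. This is an added example, not Atlassian's code: the in-memory SQLite table has only the two columns the article's queries touch, and a real Confluence database will have more; the key names are the two documented above.

```python
"""Audit and toggle the SAML redirect override in the BANDANA table.

Added example (not part of the Atlassian article). The table below is a
constructed SQLite stand-in with only BANDANAKEY and BANDANAVALUE; the key
names are the legacy and renamed keys given in the article.
"""
import re
import sqlite3

LEGACY_KEY = "com.atlassian.plugins.authentication.samlconfig.allow-saml-override"
SSO_KEY = "com.atlassian.plugins.authentication.sso.config.allow-redirect-override"
KEYS = (LEGACY_KEY, SSO_KEY)


def parse_bandana_bool(raw):
    """The flag is stored XML-wrapped ('<string>true</string>'); anything else
    is treated as not enabled."""
    match = re.fullmatch(r"\s*<string>(true|false)</string>\s*", raw or "")
    return match is not None and match.group(1) == "true"


def read_override(conn):
    """Mirror the article's SELECT for both key names; returns {key: enabled}."""
    rows = conn.execute(
        "SELECT BANDANAKEY, BANDANAVALUE FROM BANDANA WHERE BANDANAKEY IN (?, ?)",
        KEYS,
    ).fetchall()
    return {key: parse_bandana_bool(value) for key, value in rows}


def set_override(conn, key, enabled):
    """Mirror the article's UPDATE; returns the number of rows changed
    (0 means that key does not exist in this installation)."""
    value = "<string>true</string>" if enabled else "<string>false</string>"
    cur = conn.execute(
        "UPDATE BANDANA SET BANDANAVALUE=? WHERE BANDANAKEY=?", (value, key)
    )
    conn.commit()
    return cur.rowcount


def audit(conn):
    """Keys whose bypass is currently enabled; should be empty outside maintenance."""
    return [key for key, enabled in read_override(conn).items() if enabled]


def build_sample_db():
    """Constructed sample: one legacy-key row with the override disabled."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE BANDANA (BANDANAKEY TEXT PRIMARY KEY, BANDANAVALUE TEXT)")
    conn.execute("INSERT INTO BANDANA VALUES (?, ?)", (LEGACY_KEY, "<string>false</string>"))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("before maintenance:", audit(db))          # []
    set_override(db, LEGACY_KEY, True)
    print("during maintenance:", audit(db))          # [LEGACY_KEY]
    set_override(db, LEGACY_KEY, False)
    print("after maintenance:", audit(db))           # []
```

Pointing `read_override` at the production database through its own DB-API driver gives a cheap post-maintenance check that neither the legacy nor the renamed key was left at `<string>true</string>`.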



Last modified on May 3, 2021
