Enable default login page to bypass SAML in Confluence Data Center


This article applies to version 4.0 of the SSO for Atlassian Data Center app. The version bundled with your version of Confluence may be different.
See documentation for older versions below.

Purpose

The SSO plugin supports a bypass parameter for logging in to Confluence directly without using your configured IDP. This query parameter, auth_fallback, is disabled by default, works only on the login page URL, and is useful for troubleshooting SSO issues. An example of such a URL for Confluence is http://confluence.com/login.action?auth_fallback. If the application is configured to allow bypassing SSO authentication, users will be able to reach the default login page directly by adding this parameter.

You can also enable SSO bypass for all users and all URLs by setting the Login mode to Use OpenID Connect / SAML as secondary authentication in SSO 2.0 configuration. With this option enabled, all users will be able to log in through the default login page directly, and will be able to log in through your IDP by going to https://<base-url>/plugins/servlet/external-login.

Note that enabling this will mean that users are not automatically redirected to log in through your IDP when visiting Confluence, and may find this disruptive. To minimise disruption to active users, you may prefer the approach detailed below.


Enabling the default login page using the REST API

In order to make use of this functionality, the allow-redirect-override flag needs to be enabled via REST API. This can be done with other REST clients or via cURL, but the following is a user-friendly approach:

1. Download Postman for your browser (or use your own if you have an alternate REST client).

2. Open Postman.

3. Select GET from the dropdown menu and select Basic Auth from the Authorization tab (enter the admin credentials for Confluence).

4. Enter the following URL, modified for your environment: http(s)://<base-url>/rest/authconfig/1.0/sso (e.g. https://confluence.com/rest/authconfig/1.0/sso ).

5. This should return something like the following after clicking SEND if OIDC is configured:

Example output for OIDC configuration
{
    "sso-type": "OIDC",
    "redirect-on-login": true,
    "allow-redirect-override": false,
    "include-customer-logins": false,
    "enable-remember-me": true,
    "issuer-url": "https://<redacted>-testing.okta.com",
    "client-id": "<redacted>gUe4x5",
    "discovery-enabled": true,
    "username-claim": "preferred_username"
}

And an output like this if SAML is configured: 

Example output for SAML configuration
{
    "certificate": "-----BEGIN CERTIFICATE-----<redacted>==-----END CERTIFICATE-----",
    "sso-type": "SAML",
    "redirect-on-login": false,
    "allow-redirect-override": false,
    "include-customer-logins": false,
    "enable-remember-me": true,
    "idp-type": "GENERIC",
    "sso-url": "https://<redacted>-testing.okta.com/app/atlassianorg621049_samltest_1/<redacted>/sso/saml",
    "sso-issuer": "http://www.okta.com/<redacted>"
}


We will need to set the allow-redirect-override field to true.

6. To do this, open a new tab in Postman.

7. Select PATCH from the dropdown and enter the URL http(s)://<base-url>/rest/authconfig/1.0/sso (e.g. https://confluence.com/rest/authconfig/1.0/sso ).

8. Select Basic Auth from the Authorization tab and enter the credentials for the admin account.

9. Go to the Body tab, select raw from the radio buttons. Select JSON (application/json) from the dropdown menu.

10. Using the output of the GET request as a reference, set allow-redirect-override to true:

{
  "allow-redirect-override": true
}

11. You should get a 200 or 304 status when pressing the Send button.

12. You will now be able to access http://confluence.com/login.action?auth_fallback to bypass SSO. It's important to remember to set the flag back to false once the maintenance has been completed in order to restore the intended behavior. To do this, issue the same PATCH request, but with false instead of true.

13. Once this is done, verify that allow-redirect-override is back to false by sending the same GET request to http(s)://<base-url>/rest/authconfig/1.0/sso described earlier. 
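The Postman steps above can be scripted against the same endpoint. The following is an added example, not Atlassian's code: it wraps the GET and PATCH calls, opens the bypass only for the duration of a maintenance block, then restores the flag and re-reads the configuration to confirm it is false again (the check step 13 asks for). It also covers the allow-saml-redirect-override / PUT variant used by app version 3.2 and earlier. The environment variable names, the SsoConfigClient class and the audit helper are assumptions made for this example; the endpoint paths, flag names and HTTP verbs are the ones given in this article.

```python
"""Toggle and audit the Confluence SSO-bypass flag over the authconfig REST API.

Added example, not part of the article or the SSO app. Assumes the endpoint
returns and accepts the JSON shown in the article; credential variable names
are hypothetical.
"""
import base64
import contextlib
import json
import os
import urllib.error
import urllib.request

# Endpoint, flag name and HTTP verb per app version, as documented in the article.
VERSIONS = {
    "4.0": {"path": "/rest/authconfig/1.0/sso", "flag": "allow-redirect-override", "method": "PATCH"},
    "3.2": {"path": "/rest/authconfig/1.0/saml", "flag": "allow-saml-redirect-override", "method": "PUT"},
}

BYPASS_FLAGS = ("allow-redirect-override", "allow-saml-redirect-override")


def build_body(version, enabled):
    """Return the request body that sets the bypass flag for the given app version."""
    return json.dumps({VERSIONS[version]["flag"]: bool(enabled)})


def bypass_enabled(config):
    """True when a GET response shows either version's bypass flag set."""
    return any(config.get(flag) is True for flag in BYPASS_FLAGS)


def audit(config):
    """Findings for a GET response: any flag that makes login.action?auth_fallback work."""
    return [f"{flag} is true: the default login page bypasses SSO"
            for flag in BYPASS_FLAGS if config.get(flag) is True]


class SsoConfigClient:
    """Minimal Basic-Auth client for the authconfig endpoint (hypothetical name)."""

    def __init__(self, base_url, user, password, version="4.0"):
        self.version = version
        self.url = base_url.rstrip("/") + VERSIONS[version]["path"]
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}

    def _request(self, method, data=None):
        req = urllib.request.Request(self.url, data=data, method=method, headers=self.headers)
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
        except urllib.error.HTTPError as err:
            if err.code != 304:  # the article says 200 or 304 both mean the change was applied
                raise
            raw = b""
        return json.loads(raw) if raw else {}

    def get(self):
        return self._request("GET")

    def set_bypass(self, enabled):
        """Write the flag, then re-read the config so the server's view is returned."""
        body = build_body(self.version, enabled).encode()
        self._request(VERSIONS[self.version]["method"], body)
        return bypass_enabled(self.get())


@contextlib.contextmanager
def bypass_window(client):
    """Enable the bypass, run the maintenance block, and always restore and verify it."""
    client.set_bypass(True)
    try:
        yield
    finally:
        still_open = client.set_bypass(False)
        if still_open:
            raise RuntimeError("bypass flag is still true after restore; check the configuration")


if __name__ == "__main__":
    # Hypothetical variable names; nothing runs unless they are set.
    base = os.environ.get("CONFLUENCE_BASE_URL")
    if base:
        client = SsoConfigClient(base, os.environ["CONFLUENCE_ADMIN_USER"],
                                 os.environ["CONFLUENCE_ADMIN_PASSWORD"])
        print("before:", audit(client.get()))
        with bypass_window(client):
            input("bypass open; log in via /login.action?auth_fallback, then press Enter ")
        print("after:", audit(client.get()))
```

The audit helper is also usable on its own, for example on the output of the GET request saved from Postman, as a periodic check that no maintenance window was left open.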

Database

The SSO configuration can also be checked directly in the database with the following query:

select * from bandana where bandanakey like 'com.atlassian.plugins.authentication.sso.config%';

However, we don't recommend changing these values directly on the DB. It's safer to use the REST API endpoint, but the query above can be used to check the current settings if needed.


For app version 3.2 or earlier

If you're running SSO for Atlassian Data Center app version 3.2 or earlier, the steps are different. 


Solution to Enable the default login page using REST API

In order to make use of this functionality, the allow-saml-redirect-override flag needs to be enabled via REST API. This can be done with other REST clients or via cURL, but the following is a user-friendly approach:

1. Download Postman for your browser (or use your own if you have an alternate REST client)

2. Open Postman

3. Select GET from the dropdown menu and select Basic Auth from the Authorization tab (enter the admin credentials)

4. Enter the following URL, modified for your environment: https://localhost:PORT/contextPath/rest/authconfig/1.0/saml (e.g. https://confluence.com/rest/authconfig/1.0/saml )

5. This should return something like the following after clicking SEND:

{
  "sso-url": "https://dev-486166.oktapreview.com/app/jeancodev486166_confdc_1/exk9awjfupbFE8VQp0h7/sso/saml",
  "sso-issuer": "http://www.okta.com/exk9awjfupbFE8VQp0h7",
  "certificate": "MIIDpDCCAoygAwIBAgIGAVl1EwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00ODYxNjYxHDAaBgkqhkiG9w0BCQEW\nDWluZm9Ab2t0YS5jb20wHhcNMTcwMTA2MjExMjExWhcNMjcwMTA2MjExMzExWjCBkjELMAkGA1UE\nBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV\nBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDg2MTY2MRwwGgYJ\nKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\nn5+MbxEb0rRA5kDBxVvzNRO3otJS7UMB3ldTEqivmieXvkXiSLjVYQJr7gbg+OYAX12V35HmrIs6\nRiT/d4trsePI09hRjQD2eMXsd11v1eKmoyAbsV026LZTHoVpXZQyeK383chJLEp2G6lRVdA/uFpP\nj5OCSiB5jVhEdRXymbfeESecMbh5YJu9H025sDBiqyzDHmZXunPdmJ0fyFpY9Q98bMfi7KUICHff\nlncSYQRDYax17wTO/2Nu4akWVESiBaedBlXAKuEOoB26ysxbQiUATOJTKodiGydyxLAlk2DV+Uzz\nDAeN8mQw7y4MArrSDqTWnTbtg3SJl6e0Ho/CGQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBNy/LR\nG85t3nuk4bnh2XRWtOXlSKtq6fVMAtJ4kd8vxB8M8DyFWDIaoXTd35COs1p2LX176hdBKjgau8Ux\nNUOJ3MIOw8qQAwFWguBHFWYhrcgDCVtCvz3wLIBRZehW/tX2ah+M8ATsn8oLPHaL2W11Z0JOiEcV\nIdAu6CyR1iDcVjCT7DV3h8aUWaLjfnfcJasEqiTEs2DH1d8E+GdW/lWaGiAdVlnxmxv5rvkwFxvZ\nDJyk2VPxZmFVdK16cUbPgnk5Bge7wnNaQZOUBmUZKAKmzeA+22lhKPpv8IGTIwEpcoUHggAdhvrT\nHfcvAs4OyFQgeaBA5//UjZVa/MfAFmqP",
  "user-attribute": null,
  "allow-saml-redirect-override": false,
  "include-customer-logins": false,
  "redirect-on-login": false,
  "enable-remember-me": false
}

We will need to set the allow-saml-redirect-override field to true

6. To do this, open a new tab in Postman

7. Select PUT from the dropdown and enter the URL http://localhost:PORT/contextPath/rest/authconfig/1.0/saml (e.g. https://confluence.com/rest/authconfig/1.0/saml )

8. Select Basic Auth from the Authorization tab and enter the credentials for the admin account

9. Go to the Body tab, select Raw from the radio button. Select JSON from the dropdown menu.

10. Using the output of the GET request as a reference, set allow-saml-redirect-override to true:

{
  "allow-saml-redirect-override": true
}

11. You should get a 200 or 304 status when pressing the Send button

12. You will now be able to access http://confluence.com/login.action?auth_fallback to bypass SAML. It's important to remember to set the flag back to false once the maintenance has been completed in order to restore the intended behavior.

13. You should be able to set SAML to primary authentication now from the Cogwheel → General configuration → SAML Authentication page.

Database

The SAML configuration can also be checked on the database side with the following query:

select * from bandana where bandanakey like '%samlconfig%';

However, we don't recommend changing these values directly in the DB; it is safer to use the REST API endpoint for that. The query above can be used to check the current settings if needed.



Last modified on Oct 6, 2021
