Enable default login page to bypass SAML in Confluence Data Center


This article applies to version 4.X.X of the SSO for Atlassian Data Center app. The version bundled with your version of Confluence may be different.
See documentation for older versions below.

Purpose

The SSO plugin supports a bypass parameter to login to Confluence directly without using your configured IDP. This query parameter, auth_fallback is disabled by default, works only on the login page URL, and is useful for troubleshooting SSO issues. An example of such a URL for Confluence is http://<base-url>/login.action?auth_fallback (e.g. http://confluence.com/login.action?auth_fallback). If the application is configured to allow bypassing SSO authentication, then users will be able to access the default login page directly by providing this parameter.

When using SSO for Atlassian Data Center app version 4.0.X or 4.1.X, you can also enable SSO bypass for all users and all URLs by setting the Login mode to Use OpenID Connect / SAML as secondary authentication in SSO 2.0 configuration. With this option enabled, all users will be able to log in through the default login page directly and will be able to log in through your IDP by going to https://<base-url>/plugins/servlet/external-login.

When using SSO for Atlassian Data Center app version 4.2.X, you can also enable SSO bypass for all users and all URLs by enabling Show on login page for the Login Option "Username and password" in the Authentication Methods configuration. This option exists because support for multiple IdPs was introduced in v4.2.0.

Note that enabling this will mean that users are not automatically redirected to log in through your IDP when visiting Confluence, and may find this disruptive. To minimize disruption to active users, you may prefer the approach detailed below.


Method-1:  REST API

In order to make use of this functionality, the allow-redirect-override flag (or enable-authentication-fallback flag, depending on the version) needs to be enabled via REST API. This can be done with other REST clients or via cURL, but the following is a user-friendly approach:

1. Download Postman for your browser (or use your own if you have an alternate REST client).

2. Open Postman.

3. Select GET from the dropdown menu and select Basic Auth from the Authorization tab (enter the admin credentials for Confluence).

Please bear in mind, the '

{"message":"Basic Authentication has been disabled on this instance."

4. Enter the following URL, modified for your environment: http(s)://<base-url>/rest/authconfig/1.0/sso (e.g. https://confluence.com/rest/authconfig/1.0/sso ).

5. This should return something like the following after clicking SEND if OIDC is configured:

Example output for OIDC configuration
{
    "sso-type": "OIDC",
    "redirect-on-login": true,
    "allow-redirect-override": false,
    "include-customer-logins": false,
    "enable-remember-me": true,
    "issuer-url": "https://<redacted>-testing.okta.com",
    "client-id": "<redacted>gUe4x5",
    "discovery-enabled": true,
    "username-claim": "preferred_username"
}

And an output like this if SAML is configured: 

response for SSO for Atlassian Data Center app version 4.2.x and newer...
Example output for SAML configuration
{
    "show-login-form": false,
    "enable-authentication-fallback": true,
    "show-login-form-for-jsm": false,
    "last-updated": "2021-12-13T15:43:25.388+01:00"
}

We will need to set the enable-authentication-fallback field to true.


response for SSO for Atlassian Data Center app version 4.1.x and older...
Example output for SAML configuration
{
    "certificate": "-----BEGIN CERTIFICATE-----<redacted>==-----END CERTIFICATE-----",
    "sso-type": "SAML",
    "redirect-on-login": false,
    "allow-redirect-override": false,
    "include-customer-logins": false,
    "enable-remember-me": true,
    "idp-type": "GENERIC",
    "sso-url": "https://<redacted>-testing.okta.com/app/atlassianorg621049_samltest_1/<redacted>/sso/saml",
    "sso-issuer": "http://www.okta.com/<redacted>"
}

We will need to set the allow-redirect-override field to true.



6. To do this, open a new tab in Postman.

7. Select PATCH from the dropdown and enter the URL http(s)://<base-url>/rest/authconfig/1.0/sso (e.g. https://confluence.com/rest/authconfig/1.0/sso ).

  • Some versions of Confluence may return an error with 405 - Method Not Allowed when attempting this. In this case, use PUT instead of PATCH method or vice versa. Everything else below still applies.
  • If you see a 415 - Unsupported Media Type error, the server is refusing the request because the payload is in an unsupported format. Ensure that under Headers, Content-Type is set to application/json.


8. Select Basic Auth from the Authorization tab and enter the credentials for the admin account.

9. Go to the Body tab, select raw from the radio buttons. Select JSON (application/json) from the dropdown menu.

10. Use the below JSON body to set the relevant parameter true:

json body for app version 4.2.x and newer...
{
  "enable-authentication-fallback": true
}
json body for app version 4.1.x and older...
{
  "allow-redirect-override": true
}


11. You should get a 200 or 304 status when pressing the Send button.

12. You will now be able to access http://confluence.com/login.action?auth_fallback to bypass SSO. It's important to remember to set the flag back to false once the maintenance has been completed in order to restore the intended behavior. To do this, issue the same PATCH request, but with false instead of true.

13. Once this is done, verify that allow-redirect-override or enable-authentication-fallback is back to false by sending the same GET request to http(s)://<base-url>/rest/authconfig/1.0/sso described earlier.
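The GET / PATCH / verify sequence above, as an added example (not Atlassian's tooling): it picks whichever flag the installed app version exposes (enable-authentication-fallback, allow-redirect-override, or allow-saml-redirect-override for the 3.2 procedure further down, where the path would be /rest/authconfig/1.0/saml), falls back to PUT on a 405 as step 7 notes, and re-reads the config so a forgotten restore to false is caught. The endpoint path and field names are from this page; the host, credentials and SAMPLE_42 dict are placeholders/constructed.

```python
"""Added example (not Atlassian's own tooling): choose the fallback flag for the installed
SSO app version, toggle it via the authconfig REST API, and confirm the result."""
import base64
import json
import urllib.error
import urllib.request

# Flag that controls the ?auth_fallback bypass, by app version (names from the page).
FALLBACK_FIELDS = ("enable-authentication-fallback",  # app 4.2.x and newer
                   "allow-redirect-override",         # app 4.0.x / 4.1.x
                   "allow-saml-redirect-override")    # app 3.2 and earlier (/saml endpoint)

# Constructed sample of a 4.2.x GET response (shape follows the page's SAML output).
SAMPLE_42 = {"show-login-form": False, "enable-authentication-fallback": False}

def fallback_field(config: dict) -> str:  # which flag this version's response exposes
    for name in FALLBACK_FIELDS:
        if name in config:
            return name
    raise KeyError("no SSO fallback flag in authconfig response")

def fallback_enabled(config: dict) -> bool:
    """True when the default login page is reachable with ?auth_fallback."""
    return bool(config[fallback_field(config)])

def patch_body(config: dict, enable: bool) -> str:
    """JSON body that sets this version's flag (step 10 on the page)."""
    return json.dumps({fallback_field(config): enable})

def _call(base_url, path, user, password, method="GET", body=None):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + path, method=method, data=body and body.encode())
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")  # avoids the 415 in step 7
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")  # a 304 may carry no body

def set_fallback(base_url, user, password, enable, path="/rest/authconfig/1.0/sso"):
    """GET, PATCH (PUT on 405, as step 7 notes), then re-GET and confirm the flag."""
    body = patch_body(_call(base_url, path, user, password), enable)
    try:
        _call(base_url, path, user, password, "PATCH", body)
    except urllib.error.HTTPError as err:
        if err.code != 405:
            raise
        _call(base_url, path, user, password, "PUT", body)
    after = _call(base_url, path, user, password)
    if fallback_enabled(after) != enable:
        raise RuntimeError(f"{fallback_field(after)} is still {not enable}")
    return after
```

Run set_fallback(..., enable=True) before maintenance and set_fallback(..., enable=False) afterwards; the final check raises if the flag did not change, which is the step-13 verification done automatically.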

Method-2: Database

The SSO configuration can also be checked directly in the database with the following query:


SSO for Atlassian Data Center app version 4.2.x and newer...
select * from bandana where bandanakey like 'com.atlassian.plugins.authentication.sso.config.enable-authentication-fallback';

The returned value should be "false" for the bandanakey com.atlassian.plugins.authentication.sso.config.enable-authentication-fallback

UPDATE BANDANA SET BANDANAVALUE='<string>true</string>' WHERE BANDANAKEY='com.atlassian.plugins.authentication.sso.config.enable-authentication-fallback';

You may run the above update query to change the value to true. However, we don't recommend changing these values directly on the DB. It's safer to use the REST API endpoint, but the select query above can be used to check the current settings if needed.

Please bear in mind that for the DB change to take effect you must flush all caches or restart the Confluence server.

SSO for Atlassian Data Center app version 4.1.x and older...
select * from bandana where bandanakey like 'com.atlassian.plugins.authentication.sso.config.allow-redirect-override';

The returned value should be "false" for the bandanakey com.atlassian.plugins.authentication.sso.config.allow-redirect-override

UPDATE BANDANA SET BANDANAVALUE='<string>true</string>' WHERE BANDANAKEY='com.atlassian.plugins.authentication.sso.config.allow-redirect-override';

You may run the above update query to change the value to true. However, we don't recommend changing these values directly on the DB. It's safer to use the REST API endpoint, but the select query above can be used to check the current settings if needed.

Please bear in mind that for the DB change to take effect you must flush all caches or restart the Confluence server.

Method-3: Recover Admin User Rights

If none of the above methods helped you, you may consider starting Confluence in recovery mode to recover your admin user rights. Please refer to Restore Passwords To Recover Admin User Rights.

For app version 3.2 or earlier

If you're running SSO for Atlassian Data Center app version 3.2 or earlier, the steps are different. 

See documentation for app version 3.2...

Solution to Enable the default login page using REST API

In order to make use of this functionality, the allow-saml-redirect-override flag needs to be enabled via REST API. This can be done with other REST clients or via cURL, but the following is a user-friendly approach:

1. Download Postman for your browser (or use your own if you have an alternate REST client)

2. Open Postman

3. Select GET from the dropdown menu and select Basic Auth from the Authorization tab (enter the admin credentials)

4. Enter the following URL, modified for your environment: https://localhost:PORT/contextPath/rest/authconfig/1.0/saml (e.g. https://confluence.com/rest/authconfig/1.0/saml )

5. This should return something like the following after clicking SEND:

{
  "sso-url": "https://dev-486166.oktapreview.com/app/jeancodev486166_confdc_1/exk9awjfupbFE8VQp0h7/sso/saml",
  "sso-issuer": "http://www.okta.com/exk9awjfupbFE8VQp0h7",
  "certificate": "MIIDpDCCAoygAwIBAgIGAVl1EwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00ODYxNjYxHDAaBgkqhkiG9w0BCQEW\nDWluZm9Ab2t0YS5jb20wHhcNMTcwMTA2MjExMjExWhcNMjcwMTA2MjExMzExWjCBkjELMAkGA1UE\nBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV\nBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDg2MTY2MRwwGgYJ\nKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\nn5+MbxEb0rRA5kDBxVvzNRO3otJS7UMB3ldTEqivmieXvkXiSLjVYQJr7gbg+OYAX12V35HmrIs6\nRiT/d4trsePI09hRjQD2eMXsd11v1eKmoyAbsV026LZTHoVpXZQyeK383chJLEp2G6lRVdA/uFpP\nj5OCSiB5jVhEdRXymbfeESecMbh5YJu9H025sDBiqyzDHmZXunPdmJ0fyFpY9Q98bMfi7KUICHff\nlncSYQRDYax17wTO/2Nu4akWVESiBaedBlXAKuEOoB26ysxbQiUATOJTKodiGydyxLAlk2DV+Uzz\nDAeN8mQw7y4MArrSDqTWnTbtg3SJl6e0Ho/CGQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBNy/LR\nG85t3nuk4bnh2XRWtOXlSKtq6fVMAtJ4kd8vxB8M8DyFWDIaoXTd35COs1p2LX176hdBKjgau8Ux\nNUOJ3MIOw8qQAwFWguBHFWYhrcgDCVtCvz3wLIBRZehW/tX2ah+M8ATsn8oLPHaL2W11Z0JOiEcV\nIdAu6CyR1iDcVjCT7DV3h8aUWaLjfnfcJasEqiTEs2DH1d8E+GdW/lWaGiAdVlnxmxv5rvkwFxvZ\nDJyk2VPxZmFVdK16cUbPgnk5Bge7wnNaQZOUBmUZKAKmzeA+22lhKPpv8IGTIwEpcoUHggAdhvrT\nHfcvAs4OyFQgeaBA5//UjZVa/MfAFmqP",
  "user-attribute": null,
  "allow-saml-redirect-override": false,
  "include-customer-logins": false,
  "redirect-on-login": false,
  "enable-remember-me": false
}

We will need to set the allow-saml-redirect-override field to true

6. To do this, open a new tab in Postman

7. Select PUT from the dropdown and enter the URL http://localhost:PORT/contextPath/rest/authconfig/1.0/saml (e.g. https://confluence.com/rest/authconfig/1.0/saml )

8. Select Basic Auth from the Authorization tab and enter the credentials for the admin account

9. Go to the Body tab, select Raw from the radio button. Select JSON from the dropdown menu.

10. Use the results from the command as reference to set allow-saml-redirect-override set to true:

{
  "allow-saml-redirect-override": true
}

11. You should get a 200 or 304 status when pressing the Send button

12. You will now be able to access http://confluence.com/login.action?auth_fallback to bypass SAML. It's important to remember to set the flag back to false once the maintenance has been completed in order to restore the intended behavior.

13. You should be able to set SAML to primary authentication now from the Cogwheel → General configuration → SAML Authentication page.

Database

The SAML configuration can also be checked on the database side as well through the following query:

select * from bandana where bandanakey like '%samlconfig%';

However, we don't recommend changing these values directly on the DB; it is safer to use the REST API endpoint for that. The query above can be used to check the current settings if needed.



Last modified on Nov 21, 2023
