How to connect Confluence Data Center with Azure SAML SSO

Platform Notice: Data Center Only - This article only applies to Atlassian products on the data center platform.

Summary

To authenticate Atlassian Server and Data Center users against Microsoft's Azure AD with SSO, we need to create an Enterprise Application in the Azure management console. In this article, we'll use the preset "Confluence SAML SSO by Microsoft" application from the Azure gallery.

Environment

  • Confluence 6.1+
  • Azure Active Directory

Solution

  1. Access your Azure Active Directory and select Enterprise applications.
  2. Select New application and find "Confluence SAML SSO by Microsoft" in the gallery.
  3. Give your application a name and click Add. The new application should now be listed under Enterprise applications.
  4. Now we'll get some information from Confluence. Log in to your Confluence Data Center instance with an Admin account and go to General Configuration > SSO 2.0.
  5. Scroll down to the Confluence SSO details (the Confluence fields listed in the table under step 7). Copy and save them to use in the Azure portal.
  6. Back in Azure, open your Enterprise Application, select 2. Set up single sign on, then choose SAML.

  7. Click to edit the Basic SAML Configuration fields and use the information copied from Confluence.

    Azure                                        Confluence
    Identifier (Entity ID)                       Audience URL (Entity ID)
    Reply URL (Assertion Consumer Service URL)   Assertion Consumer Service URL
    Sign on URL                                  Audience URL (Entity ID)

  8. Still in the Azure SAML settings, download the Certificate (Base64 encoding) and copy the Login URL and Azure AD Identifier.
  9. Go back to the Confluence SSO 2.0 screen and use the information copied from Azure. Click Save configuration when finished.

    Azure                   Confluence
    Login URL               Identity provider single sign-on URL
    Azure AD Identifier     Single sign-on issuer
    Certificate (Base64)    X.509 Certificate

  10. Confluence 7.7+ only: Confluence 7.7 introduced JIT User Provisioning. As part of this change, you now have to define a username mapping. It takes an expression following the pattern ${attributeName}, and the claim/attribute named there is used to match the username during the SSO login.

  11. Confluence 7.7+ only: Also introduced with JIT Provisioning, you can choose to create a user in Confluence when the username mapping doesn't match an existing user. Check the option Create users on login to the application, then define the claim/attribute mappings from Azure AD that carry the user's Display Name, Email and Groups (the Groups attribute doesn't support mapping expressions).

  12. To test the authentication, open a link like the following, where <base-url> is your Confluence base URL (it will redirect you to the Azure login screen and then back to Confluence if the authentication is successful):
  • https://<base-url>/plugins/servlet/external-login
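As an added example (not part of the Atlassian article or either product), the following Python script pulls the three step 9 values out of Azure AD federation metadata XML and resolves a step 10 ${attributeName} expression against assertion attributes. The metadata, tenant id, claim values and certificate body are constructed placeholders, and reading the mapping expression as plain substitution is an assumption.

```python
"""Extract the step 9 values for Confluence SSO 2.0 from Azure AD federation metadata
and resolve a ${attributeName} username mapping (step 10). Constructed inputs only."""
import base64
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
# Constructed certificate body: valid base64, but not a real certificate.
CERT_B64 = base64.b64encode(b"constructed-placeholder-not-a-real-certificate").decode()
METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}">
      <X509Data><X509Certificate>{CERT_B64}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
# Constructed claims, named like the defaults Azure AD emits in the assertion.
ATTRIBUTES = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "jdoe@example.com",
    "http://schemas.microsoft.com/identity/claims/displayname": "Jane Doe",
}
MAPPING_RE = re.compile(r"\$\{([^}]+)\}")


def confluence_sso_fields(xml_text):
    """Return the step 9 values keyed by their Confluence SSO 2.0 field names."""
    root = ET.fromstring(xml_text)
    issuer = root.get("entityID")  # Azure AD Identifier -> Single sign-on issuer
    sso = root.find(f"md:IDPSSODescriptor/md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    cert = root.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if not issuer or sso is None or cert is None:
        raise ValueError("metadata lacks issuer, redirect SSO endpoint or signing certificate")
    b64 = "".join(cert.text.split())  # metadata carries it as one unwrapped line
    base64.b64decode(b64, validate=True)  # fail early on a truncated or mangled paste
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % "\n".join(textwrap.wrap(b64, 64))
    return {"Single sign-on issuer": issuer, "Identity provider single sign-on URL": sso.get("Location"),
            "X.509 Certificate": pem}


def resolve_mapping(expression, attributes):
    """Expand a ${attributeName} expression against the assertion's attributes; returns None
    when a referenced claim is absent so the caller rejects the login instead of matching ''."""
    names = MAPPING_RE.findall(expression)
    if not names or any(n not in attributes for n in names):
        return None
    return MAPPING_RE.sub(lambda m: attributes[m.group(1)], expression)
```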


Last modified on Aug 31, 2021
