How to Enable / Disable Confluence Secure Administration session (Websudo) From Database

Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.

Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Secure administrator sessions allow you to require administrators to re-enter their password before they can access administrative functions. This feature is sometimes known as "websudo" and is turned on by default. It provides a secure session for administrators to connect to the Confluence administration page.

When an administrator attempts to access an admin function from the Confluence administration page, they will be prompted to re-enter their password. This starts the secure administrator session.

Administrators can click "Drop access" in the banner to manually end the session. This won't log them out of Confluence; it will just end the secure administrator session.


Some customers use different authentication methods like SSO or SAML. With these methods, the secure session feature doesn't work. In such cases, we may need to disable the Secure Administrator Sessions from the Confluence administration page.

  1. Go to  > General Configuration > Security Configuration
  2. Select Edit.
  3. Under Secure administrator sessions, deselect the Enable checkbox.
  4. Save your changes. 

However, if Secure Administrator Sessions are enabled while SSO or SAML is the authentication method for users, admins will not be able to connect to the Confluence administration page. They will not be able to access the admin page until Secure Administrator Sessions are disabled again.

Disabling the feature from the Confluence administration page is not possible without access to that page. In this situation, we can update the system setting in the database to disable the admin secure session.

Known issues with single sign-on and just-in-time user provisioning

You may need to disable secure administrator sessions if your users are not stored in Confluence's internal user directory. See CONFSERVER-60263 - Ability to have the Websudo functionality working with SAML / SSO

Solution

To update the admin secure session (WebSudo) setting, follow the steps below:

  1. Stop Confluence.
  2. Take a database backup as a best practice before applying any changes to the database.
  3. Run the following SQL to get the Confluence System Settings:


    select BANDANAVALUE from BANDANA where BANDANAKEY = 'atlassian.confluence.settings';

  4. Copy the BANDANAVALUE into a text file and search for the <webSudoEnabled> property.
  5. To disable the admin secure session, set this property to false: "<webSudoEnabled>false</webSudoEnabled>". To enable it, set the property to true: "<webSudoEnabled>true</webSudoEnabled>".
  6. Save this and run the following update statement with the complete settings that were returned in BANDANAVALUE, with webSudoEnabled set to false or true. For example, the statement below is from my local system, where I am disabling the secure admin session.


update BANDANA 
set BANDANAVALUE='<settings>
  <doNotSave>false</doNotSave>
  <allowCamelCase>false</allowCamelCase>
  <allowTrackbacks>false</allowTrackbacks>
  <allowThreadedComments>true</allowThreadedComments>
  <externalUserManagement>false</externalUserManagement>
  <denyPublicSignup>true</denyPublicSignup>
  <emailAdminMessageOff>false</emailAdminMessageOff>
  <almostSupportPeriodEndMessageOff>false</almostSupportPeriodEndMessageOff>
  <senMissingInLicenseMessageOff>true</senMissingInLicenseMessageOff>
  <baseUrlAdminMessageOff>false</baseUrlAdminMessageOff>
  <allowRemoteApi>false</allowRemoteApi>
  <allowRemoteApiAnonymous>false</allowRemoteApiAnonymous>
  <antiXssMode>true</antiXssMode>
  <gzippingResponse>false</gzippingResponse>
  <disableLogo>false</disableLogo>
  <sharedMode>false</sharedMode>
  <enableDidYouMean>false</enableDidYouMean>
  <enableQuickNav>true</enableQuickNav>
  <enableSpaceStyles>false</enableSpaceStyles>
  <enableOpenSearch>true</enableOpenSearch>
  <showSystemInfoIn500Page>false</showSystemInfoIn500Page>
  <showApplicationTitle>false</showApplicationTitle>
  <captchaSettings>
    <enableCaptcha>false</enableCaptcha>
    <enableDebug>false</enableDebug>
    <captchaGroups class="list"/>
    <exclude>registered</exclude>
  </captchaSettings>
  <customHtmlSettings>
    <beforeHeadEnd></beforeHeadEnd>
    <afterBodyStart></afterBodyStart>
    <beforeBodyEnd></beforeBodyEnd>
  </customHtmlSettings>
  <colourSchemesSettings>
    <colourSchemeType>custom</colourSchemeType>
  </colourSchemesSettings>
  <loginManagerSettings>
    <enableElevatedSecurityCheck>true</enableElevatedSecurityCheck>
    <loginAttemptsThreshold>3</loginAttemptsThreshold>
  </loginManagerSettings>
  <confluenceHttpParameters>
    <connectionTimeout>10000</connectionTimeout>
    <socketTimeout>10000</socketTimeout>
    <enabled>true</enabled>
  </confluenceHttpParameters>
  <attachmentMaxSize>104857600</attachmentMaxSize>
  <auditLogRetentionNumber>3</auditLogRetentionNumber>
  <auditLogRetentionUnit>Years</auditLogRetentionUnit>
  <draftSaveInterval>30000</draftSaveInterval>
  <maxAttachmentsInUI>5</maxAttachmentsInUI>
  <siteTitle>Confluence</siteTitle>
  <documentationUrlPattern>http://docs.atlassian.com/confluence/docs-{0}/{1}</documentationUrlPattern>
  <customContactMessage>Please enter information about your request for the site administrators. If you are reporting an error please be sure you include information on what you were doing and the time the problem occurred.</customContactMessage>
  <showContactAdministratorsForm>true</showContactAdministratorsForm>
  <emailAddressVisibility>email.address.public</emailAddressVisibility>
  <defaultEncoding>UTF-8</defaultEncoding>
  <maxThumbHeight>300</maxThumbHeight>
  <maxThumbWidth>300</maxThumbWidth>
  <backupAttachmentsDaily>true</backupAttachmentsDaily>
  <backupDaily>true</backupDaily>
  <backupPath>/Users/hgupta/confluence-home/atlassian-confluence-7.19.10-postgres/backups</backupPath>
  <nofollowExternalLinks>true</nofollowExternalLinks>
  <indexingLanguage>english</indexingLanguage>
  <globalDefaultLocale>en_GB</globalDefaultLocale>
  <dailyBackupFilePrefix>backup-</dailyBackupFilePrefix>
  <dailyBackupDateFormatPattern>yyyy_MM_dd</dailyBackupDateFormatPattern>
  <supportRequestEmail>confluence-autosupportrequests@atlassian.com</supportRequestEmail>
  <defaultSpaceHomepageTitle>Home</defaultSpaceHomepageTitle>
  <baseUrl>http://localhost:21910</baseUrl>
  <attachmentDataStore>file.system.based.attachments.storage</attachmentDataStore>
  <displayLinkIcons>false</displayLinkIcons>
  <addWildcardsToUserAndGroupSearches>true</addWildcardsToUserAndGroupSearches>
  <xsrfAddComments>true</xsrfAddComments>
  <webSudoTimeout>10</webSudoTimeout>
  <webSudoEnabled>false</webSudoEnabled>
  <defaultUsersGroup>confluence-users</defaultUsersGroup>
  <attachmentSecurityLevel>smart</attachmentSecurityLevel>
  <enableJavascriptTop>true</enableJavascriptTop>
  <supportPeriodEndMessageOff>false</supportPeriodEndMessageOff>
  <enableWysiwyg>true</enableWysiwyg>
  <useWysiwygByDefault>true</useWysiwygByDefault>
  <numberOfBreadcrumbAncestors>1</numberOfBreadcrumbAncestors>
  <viewSpaceGoesToSpaceSummary>false</viewSpaceGoesToSpaceSummary>
  <enableLikes>false</enableLikes>
  <currentIndexVersion>0</currentIndexVersion>
  <maintenanceBannerMessageOn>false</maintenanceBannerMessageOn>
  <maxSimultaneousQuickNavRequests>40</maxSimultaneousQuickNavRequests>
  <maxRssItems>200</maxRssItems>
  <rssTimeout>60</rssTimeout>
  <pageTimeout>120</pageTimeout>
</settings>'
where BANDANAKEY='atlassian.confluence.settings';

The settings above are from a local system and can differ between environments, so use the value returned from your own environment and change only webSudoEnabled: false to disable, true to enable.

  7. Restart Confluence and check the websudo admin secure login. Admin users will no longer encounter the password page when enabling the secure admin session. This process will now be handled by alternative authentication methods such as SSO / SAML.
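
The manual edit in steps 4 to 6 can be scripted so that only the <webSudoEnabled> element changes and the value is quoted safely inside the SQL string. This is an added example, not part of the original article or any Atlassian tooling: the function names and the shortened sample settings are constructed for illustration. It assumes a database where a single quote inside a string literal is escaped by doubling it (backslashes are not handled).

```python
import re

# Matches only the <webSudoEnabled> element; the rest of the XML stays byte-for-byte intact.
_WEBSUDO = re.compile(r"(<webSudoEnabled>)(true|false)(</webSudoEnabled>)")

def set_websudo(settings_xml: str, enabled: bool) -> str:
    """Return settings_xml with webSudoEnabled set; refuse missing or duplicated elements."""
    found = len(_WEBSUDO.findall(settings_xml))
    if found != 1:
        raise ValueError(f"expected exactly one <webSudoEnabled> element, found {found}")
    value = "true" if enabled else "false"
    return _WEBSUDO.sub(lambda m: m.group(1) + value + m.group(3), settings_xml)

def changed_lines(before: str, after: str) -> list[tuple[str, str]]:
    """List (old, new) line pairs that differ, for review before touching the database."""
    b, a = before.splitlines(), after.splitlines()
    if len(b) != len(a):
        raise ValueError("line count changed; the edit touched more than one property")
    return [(x.strip(), y.strip()) for x, y in zip(b, a) if x != y]

def build_update(settings_xml: str) -> str:
    """Build the article's UPDATE statement, doubling single quotes in the XML."""
    escaped = settings_xml.replace("'", "''")
    return ("update BANDANA\n"
            f"set BANDANAVALUE='{escaped}'\n"
            "where BANDANAKEY='atlassian.confluence.settings';")

# Constructed sample, shortened from the article's example. The apostrophe in
# customContactMessage is added here to show why quote escaping matters.
SAMPLE = """<settings>
  <customContactMessage>Tell us what you were doing when it didn't work.</customContactMessage>
  <webSudoTimeout>10</webSudoTimeout>
  <webSudoEnabled>true</webSudoEnabled>
  <defaultUsersGroup>confluence-users</defaultUsersGroup>
</settings>"""

if __name__ == "__main__":
    edited = set_websudo(SAMPLE, enabled=False)
    print(changed_lines(SAMPLE, edited))  # exactly one pair should be listed
    print(build_update(edited))
```

Paste the BANDANAVALUE returned in step 3 in place of SAMPLE, and confirm that changed_lines reports only the webSudoEnabled line before running the generated statement.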


Last modified on Jan 31, 2025
