Native SSO for Atlassian Server and Data Center fails to enable due to Okta integration

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

The SSO for Atlassian Server and Data Center plugin fails to enable in Confluence Data Center due to an unsatisfied dependency error when using the Okta Authenticator integration.

Diagnosis

The following error can be found in atlassian-confluence.log during Confluence startup or when attempting to enable the plugin:

When okta-confluence-3.1.2.jar is installed

2022-04-27 11:21:55,189 ERROR [ThreadPoolAsyncTaskExecutor::Thread 34] [plugin.osgi.factory.OsgiPlugin] onPluginContainerFailed Unable to start the plugin container for plugin 'com.atlassian.plugins.authentication.atlassian-authentication-plugin'
 -- referer: http://localhost:27122/c7122/plugins/servlet/upm | url: /c7122/rest/plugins/1.0/com.atlassian.plugins.authentication.atlassian-authentication-plugin-key | traceId: 3fecf565e5d90267 | userName: banana@banana.banana
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'ssoConfigServiceImpl': Unsatisfied dependency expressed through constructor parameter 3; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'auditingIdpConfigService': Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.atlassian.plugins.authentication.impl.config.AuditingIdpConfigService]: No default constructor found; nested exception is java.lang.NoSuchMethodException: com.atlassian.plugins.authentication.impl.config.AuditingIdpConfigService.<init>()

⚠️ In this case, the SSO for Atlassian Server and Data Center plugin fails to enable.

When okta-confluence-3.1.5.jar is installed

2022-04-26 11:55:36,547 ERROR [lifecycle:thread-25] [sal.confluence.lifecycle.TenantAwareLifecycleManager] triggerLifecycleAsTenant Unable to start component: com.atlassian.plugins.authentication.impl.web.oidc.OidcDiscoveryRefreshJob
 -- url: /c7122/rest/plugins/1.0/ | referer: https://localhost:8443/c7122/plugins/servlet/upm | traceId: 76655d56d054cc59 | userName: banana@banana.banana
java.lang.RuntimeException: java.lang.IllegalStateException: plugin [{com.atlassian.plugins.authentication.atlassian-authentication-plugin}] invoking ActiveObjects before <ao> configuration module is enabled or plugin is missing an <ao> configuration module. Note that scanning of entities from the ao.model package is no longer supported.
    at com.atlassian.plugins.authentication.impl.web.oidc.OidcDiscoveryRefreshJob.onStart(OidcDiscoveryRefreshJob.java:87)
    at com.atlassian.sal.confluence.lifecycle.TenantAwareLifecycleManager$PerTenantLifecycleExecution.lambda$triggerLifecycleAsTenant$1(TenantAwareLifecycleManager.java:186)
    ...
Caused by: java.lang.IllegalStateException: plugin [{com.atlassian.plugins.authentication.atlassian-authentication-plugin}] invoking ActiveObjects before <ao> configuration module is enabled or plugin is missing an <ao> configuration module. Note that scanning of entities from the ao.model package is no longer supported.
    at com.atlassian.activeobjects.osgi.TenantAwareActiveObjects.delegate(TenantAwareActiveObjects.java:166)
    at com.atlassian.activeobjects.osgi.TenantAwareActiveObjects.executeInTransaction(TenantAwareActiveObjects.java:342)
    at jdk.internal.reflect.GeneratedMe

ℹ️ In this case, the SSO for Atlassian Server and Data Center plugin can be enabled, but the error message above is still thrown.

Cause

The Okta Authenticator integration injects an okta-confluence-x.x.x.jar into Confluence that interferes with the native SSO Authentication plugin.

This is similar to the issue described in "Confluence Cloud Migration Assistant fails to enable due to Okta integration", where the same JAR from Okta causes an issue with a Confluence bundled plugin.

Solution

Revert the implementation of the Okta Authenticator integration and restart Confluence.
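The checks from Diagnosis and Cause as a script, added here as an example and not part of the original article. The function names are hypothetical, the sample log lines are abbreviated from the errors quoted above, and the directory searched for the JAR is passed in by the caller because the article does not say where the integration places it.

```shell
#!/bin/sh
# Added example (not from the KB): match the two log signatures quoted in
# Diagnosis and look for the Okta JAR named in Cause.

PLUGIN_KEY='com.atlassian.plugins.authentication.atlassian-authentication-plugin'
SIG_CONTAINER="Unable to start the plugin container for plugin '$PLUGIN_KEY'"
SIG_AO="plugin [{$PLUGIN_KEY}] invoking ActiveObjects before <ao> configuration module is enabled"

# sso_log_signatures LOGFILE
# Prints "container-failed" (plugin does not enable) and/or "ao-not-ready"
# (plugin enables but errors are logged). Returns 1 if neither is present.
sso_log_signatures() {
    hit=1
    if grep -qF -- "$SIG_CONTAINER" "$1"; then echo container-failed; hit=0; fi
    if grep -qF -- "$SIG_AO" "$1"; then echo ao-not-ready; hit=0; fi
    return $hit
}

# okta_jars DIR
# Prints the file name of every okta-confluence-x.x.x.jar found under DIR.
okta_jars() {
    find "$1" -type f -name 'okta-confluence-*.jar' | sed 's|.*/||' | sort
}

# Demo on constructed input: abbreviated log lines and an empty placeholder JAR.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/lib"
: > "$demo_dir/lib/okta-confluence-3.1.5.jar"
cat > "$demo_dir/atlassian-confluence.log" <<EOF
2022-04-26 11:55:36,547 ERROR [lifecycle:thread-25] Unable to start component: com.atlassian.plugins.authentication.impl.web.oidc.OidcDiscoveryRefreshJob
java.lang.RuntimeException: java.lang.IllegalStateException: plugin [{$PLUGIN_KEY}] invoking ActiveObjects before <ao> configuration module is enabled or plugin is missing an <ao> configuration module.
EOF
echo "signatures: $(sso_log_signatures "$demo_dir/atlassian-confluence.log")"
echo "okta jars:  $(okta_jars "$demo_dir/lib")"
rm -rf "$demo_dir"
```

A log that still contains entries from before the revert will keep matching, so run the check against log output written after the restart.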

Updated on April 2, 2025
