SAML Authentication Login button doesn't appear on the Confluence Login page


Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.

Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary


The SAML Authentication Login button doesn't appear as expected on the Confluence Login page when using multiple IdPs (identity providers) as described in our documentation, Using Multiple Identity Providers.

This can occur when you are using multiple login methods, for example when using both your IdP and Basic Authentication login methods simultaneously. It is possible to configure a custom login button that will redirect an unauthenticated user to the IdP login form, and this custom button will be displayed on the login page.

When only one SAML login method is configured, users will be automatically redirected to that method for authentication.

If you enable more than one authentication method, the expected behavior is that your users see a login page with the available options.

In this case, with both Basic and SAML authentication configured and enabled, the Login button doesn't appear on the Confluence Login page, even with "Show on Login page" checked. No errors appear in the UI.

Note: the multiple identity providers page advises, but does not require, the following: "Once you've added a single sign-on configuration method to your environment, we advise you to disable the basic authentication option, which is less secure. See Disabling basic authentication."


Image 1: Screenshot showing both Login option types enabled - Basic and SAML.




Background information: 

When Primary/Basic Authentication is enabled, the SAML SSO Authentication plugin will perform a series of precondition checks to determine whether to send the request to the Identity Provider or to present the user with the standard Confluence username/password login form. The checks are performed in this order:

  1. Check if allowSamlRedirectOverride is enabled and if auth_fallback is present in the request parameters. Present the login form if true.
  2. Check if the SAML SSO is configured at all. Present the login form if false.
  3. Check if the instance is running on a Data Center license. Present the login form if false.
  4. Check if the Assertion Consumer Service URL is configured with https. Present the login form if false.
  5. Check if Confluence is in password recovery mode (i.e. the JVM parameter atlassian.recovery.password has been set). Present the login form if true.

Environment

Tested with Confluence 7.19.x.

Diagnosis

  1. You are using two or more login authentication types, including Basic Authentication.
  2. You have the following in the logs after the most recent startup.

[confluence.admin.actions.SystemInfoOnStartup] startup
Datlassian.recovery.password=
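
The second diagnosis step can be scripted. The following is an added example, not Atlassian code: it reports whether the most recent startup recorded in an application log had atlassian.recovery.password set. It assumes each startup writes the SystemInfoOnStartup marker line once, followed by the system properties, as in the excerpt above; the function names and the sample log are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Atlassian code. Exit status of the function:
#   0 = the most recent startup in the log had atlassian.recovery.password set
#   1 = the most recent startup did not have it
#   2 = log unreadable, or no startup marker found
# Assumption: each startup logs the SystemInfoOnStartup marker line once,
# followed by the system properties, as in the excerpt on this page.

recovery_mode_in_last_startup() {
    local log="$1"
    [ -r "$log" ] || return 2
    awk '
        # A new startup block begins: forget what earlier startups showed.
        /SystemInfoOnStartup\] startup/ { seen = 1; found = 0; next }
        # Recovery parameter listed for the startup currently being read.
        seen && /atlassian\.recovery\.password=/ { found = 1 }
        END { if (!seen) exit 2; exit (found ? 0 : 1) }
    ' "$log"
}

# Constructed sample log: an older startup with recovery mode on, then a
# newer one without it. Timestamps and the Dfile.encoding lines are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
2024-01-10 09:00:01,000 INFO [main] [confluence.admin.actions.SystemInfoOnStartup] startup
Datlassian.recovery.password=
Dfile.encoding=UTF-8
2024-01-10 09:30:00,000 INFO [main] [confluence.admin.actions.SystemInfoOnStartup] startup
Dfile.encoding=UTF-8
EOF
}

sample="$(mktemp)"
write_sample_log "$sample"
if recovery_mode_in_last_startup "$sample"; then
    echo "Recovery mode was set at the latest startup: the login form is presented instead of SAML"
else
    echo "Recovery mode was not set at the latest startup"
fi
rm -f "$sample"
```

Only the latest startup matters here: a recovery parameter left in an older startup block does not affect the running instance, so the function resets its result at every startup marker.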

Cause

Recovery mode is still enabled.  As stated in Restore Passwords to Recover Admin User Rights (mentioned in "Good to know" at the bottom), it must be disabled for SAML authentication to work properly.

Note: If you're facing issues with redirection to SAML, please see the following article: Confluence Not Automatically Redirecting to IdP When Primary Authentication is Enabled in SAML SSO.  This can be one of the causes as well.

Solution

Disable Recovery mode per the instructions found in Restore Passwords To Recover Admin User Rights.



Last modified on Jun 11, 2024
