SiteMinder Custom Seraph Authenticator for Confluence


Purpose

Integrating Confluence with SiteMinder for single sign-on (SSO).

Attached is a class that can be used to integrate Confluence with SiteMinder's SSO technology.

SiteMinderAuthenticator.class

Solution

This solution is posted courtesy of Ricardo Sueiras:

The class integrates as a Seraph authenticator, and it's a bit clunky, but it works. I am providing this as-is; if people want something quick so that they can get up and running, then this is for you. This class assumes the following:

  • SiteMinder protects all resources for Confluence under the context root, for example /confluence (the default)
  • The SiteMinder agent on the server will need the following specific settings, which are global for all policies on that agent:
    • remove the "~" from the BadChar list
    • remove ".css, .gif, .jpg" from the IgnoreExt (in fact, you will probably leave IgnoreExt=.fcc,.scc,.sfcc,.ccc,.ntc)
  • The class assumes the following SiteMinder properties are set (via HTTP headers):
    • cn - this will be used for the Full Name when a user is created the first time they access Confluence, for example John Doe
    • mail - this will be the mail address, for example john.doe@person.com
    • uid - this is the user ID, for example jdoe001

The class assumes you have logged into SiteMinder prior to accessing Confluence. This is pretty much the standard way that SiteMinder works, as it provides the standard login pages to which users are automatically redirected to log in and collect credentials and cookies.

Once a user has logged into SiteMinder, when they access Confluence the custom authenticator will extract their SiteMinder credentials and then (i) try to log the user in and, if that fails, (ii) create a new user using the SiteMinder credentials:

if (login(request, response, username, password, false)) {
    // (i) the user already exists in Confluence and has now been logged in
} else {
    // (ii) first access: create the user from the SiteMinder header values
    UserAccessor userAccessor = (UserAccessor) bucket.container.ContainerManager
            .getInstance().getContainerContext().getComponent("userAccessor");
    String[] defaultGroup = { "confluence-users" };
    User newUser = userAccessor.addUser(username, password, email, fullname, defaultGroup);
}

Limitations of the class

Each user created in Confluence is created with the same password, as defined in the class. This could be randomised a little, I guess (we did not do anything, as a user will never be able to access Confluence using the standard access mechanisms).

The class could have better error detection/avoidance. At the moment, if the SiteMinder headers are not set properly, it can lead to spurious errors when creating new users.

Limitations of the integration

You will need to remove/change the logout references to log out of SiteMinder. We actually do not do this, as it's not really required: it's our enterprise SSO, and so it is unlikely you need to log out of Confluence.

You will need to remove the change-password tabs, as these are not used (NOTE: do not do this via External User Management, or you will not be able to use groups!).

It only works from Confluence 2.1 or later (I have tried it with 2.1.x and 2.2.x).

Installation and Configuration

1. Copy the class to WEB-INF/classes/com/siteminder/confluence

2. Edit seraph-config.xml in WEB-INF/classes and change the authenticator element from the initial

<authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>

to

<authenticator class="com.siteminder.confluence.SiteMinderAuthenticator"/>

3. Restart the application.
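As an added illustration of the approach described above (this is example code written for this article, not the attached SiteMinderAuthenticator.class and not Ricardo's code), the following Seraph authenticator reads the uid, cn and mail headers, refuses the request if any of them is missing instead of attempting to create a half-populated user, and provisions first-time users with a random per-user password rather than a constant shared by every account. It differs from the attached class in one respect: instead of calling login() with a fixed password, it looks the user up by name with DefaultAuthenticator.getUser(String) and records the result under Seraph's LOGGED_IN_KEY session attribute, which is what allows the password to be random. It assumes the Seraph DefaultAuthenticator API (getUser(String), LOGGED_IN_KEY, LOGGED_OUT_KEY) and the Confluence 2.x UserAccessor.addUser signature shown earlier on this page. Because the class trusts whatever arrives in those headers, it is only safe while the SiteMinder agent fronts every request to the Confluence context root, as assumed above; if the servlet container can be reached directly, anyone can set a uid header.

```java
package com.siteminder.confluence;

import java.math.BigInteger;
import java.security.Principal;
import java.security.SecureRandom;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import bucket.container.ContainerManager;
import com.atlassian.confluence.user.ConfluenceAuthenticator;
import com.atlassian.confluence.user.UserAccessor;
import com.atlassian.seraph.auth.DefaultAuthenticator;

/**
 * Example SiteMinder SSO authenticator (illustrative, not the attached class).
 * It trusts the uid/cn/mail headers, so it must only ever see requests that
 * have passed through the SiteMinder agent protecting the Confluence context root.
 */
public class SiteMinderAuthenticator extends ConfluenceAuthenticator {

    // Header names the SiteMinder agent is assumed to set (see the assumptions above).
    private static final String HDR_UID  = "uid";
    private static final String HDR_CN   = "cn";
    private static final String HDR_MAIL = "mail";
    private static final String[] DEFAULT_GROUPS = { "confluence-users" };
    private static final SecureRandom RNG = new SecureRandom();

    public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession(true);

        // Seraph keeps the authenticated principal in the session; reuse it if present.
        Object cached = session.getAttribute(DefaultAuthenticator.LOGGED_IN_KEY);
        if (cached instanceof Principal) {
            return (Principal) cached;
        }

        String uid  = headerOrNull(request, HDR_UID);
        String cn   = headerOrNull(request, HDR_CN);
        String mail = headerOrNull(request, HDR_MAIL);
        if (uid == null || cn == null || mail == null) {
            // Agent misconfigured (or the request bypassed it): deny rather than
            // try to create a user from incomplete data.
            return null;
        }

        try {
            // (i) does the user already exist in Confluence?
            Principal user = getUser(uid);
            if (user == null) {
                // (ii) first visit: provision the account from the SiteMinder attributes.
                provisionUser(uid, cn, mail);
                user = getUser(uid);
            }
            if (user != null) {
                session.setAttribute(DefaultAuthenticator.LOGGED_IN_KEY, user);
                session.setAttribute(DefaultAuthenticator.LOGGED_OUT_KEY, null);
            }
            return user;
        } catch (Exception e) {
            // User store failure: treat the request as not authenticated.
            return null;
        }
    }

    /** Returns the trimmed header value, or null if the header is absent or blank. */
    private static String headerOrNull(HttpServletRequest request, String name) {
        String value = request.getHeader(name);
        if (value == null) {
            return null;
        }
        value = value.trim();
        return value.length() == 0 ? null : value;
    }

    /**
     * Creates the Confluence account. The local password is never typed by the
     * user (they always arrive through SiteMinder), so it is a random, unguessable
     * value per user instead of one constant shared by every provisioned account.
     */
    private void provisionUser(String uid, String cn, String mail) {
        UserAccessor userAccessor = (UserAccessor) ContainerManager.getInstance()
                .getContainerContext().getComponent("userAccessor");
        byte[] random = new byte[32];
        RNG.nextBytes(random);
        String password = new BigInteger(1, random).toString(16);
        userAccessor.addUser(uid, password, mail, cn, DEFAULT_GROUPS);
    }
}
```

Compile it against the Confluence and Seraph jars of your installation, drop the class into WEB-INF/classes/com/siteminder/confluence and point seraph-config.xml at it as in steps 1 and 2. A request whose agent headers are missing is now treated as anonymous by Seraph instead of producing a partially created Confluence account.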

Trusted Application Protocol

To use Trusted Application Protocol between Confluence and JIRA, an exception for the /admin/appTrustCertificate URL must be created in SiteMinder's configuration, so that the agent lets requests for that URL through unauthenticated.

Otherwise, when Trusted Application support is configured, JIRA fetches the certificate from Confluence server-to-server, with no SiteMinder session, and the agent answers with its SSO login form instead of the certificate. JIRA then fails to parse the form as a key, and the browser shows the error "java.lang.RuntimeException: java.security.spec.InvalidKeySpecException: java.io.EOFException".

TIPS

If this is a new installation, make sure that the SiteMinder user you log in as is different from the user you define as the admin user; otherwise, when you log in for the first time, you will have no admin access.

Last modified on Nov 5, 2018
