Please find attached a class which can be used to integrate Confluence with Siteminder's SSO technology. I am hoping that by posting this, someone can help do the same for JIRA (which so far I have failed miserably to do!).
The class integrates as a Seraph authenticator, and it's a bit clunky but it works. I am providing this as is, and if people want something quick so that they can get up and running, then this is for you. This class assumes the following:
The class will assume you have logged into Siteminder prior to accessing Confluence. This is pretty much the standard way that Siteminder works, as it provides the standard login pages where users are automatically redirected to login and collect credentials and cookies.
Once a user has logged into Siteminder, when they access Confluence, the custom authenticator will extract their Siteminder credentials and then (i) try to log the user in, and if that fails, (ii) create a new user using the Siteminder credentials.
Each user created in Confluence is created with the same password, as defined in the class. This could be randomised a little I guess (we did not do anything, as a user will never be able to access Confluence using the standard access mechanisms).
The class could have better error detection/avoidance. At the moment, if the Siteminder headers are not set properly, it can lead to spurious errors in creating new users.
You will need to remove/change the logout references to log out of Siteminder. We actually do not do this, as it's not really required, as it's our enterprise SSO and so it's unlikely you need to log out of Confluence.
You will need to remove the change password tabs - these are not used (NOTE! Do not do this via the External User Management or you will not be able to use groups!!)
It only works from Confluence 2.1 or later (I have tried in 2.1.x and 2.2.x).
1. Copy the class to WEB-INF/classes/com/siteminder/confluence
2. Edit the seraph-config.xml in WEB-INF/classes and modify the authenticator from the initial
3. Restart the application.
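The fixed shared password and the spurious user creation on badly set headers, both noted in the assumptions above, can be tightened with two small checks. This is an added example, not the attached class and not Atlassian or Siteminder code; the class name, the username pattern and the use of Java 8 APIs are assumptions, and the header value is passed in as a plain string because the page does not name the header the class reads.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Locale;
import java.util.Optional;
import java.util.regex.Pattern;

/** Hypothetical helper: checks an SSO authenticator can run before auto-creating a user. */
public final class SsoProvisioningChecks {
    // Assumption: usernames are short directory IDs; adjust the pattern to your directory.
    private static final Pattern USERNAME = Pattern.compile("[a-z0-9][a-z0-9._-]{0,62}");
    private static final SecureRandom RNG = new SecureRandom();

    /**
     * Normalises the username taken from the SSO header. Returns empty when the
     * header is absent, blank or malformed, so the caller creates no account.
     */
    public static Optional<String> usernameFromHeader(String rawHeaderValue) {
        if (rawHeaderValue == null) {
            return Optional.empty();
        }
        String candidate = rawHeaderValue.trim().toLowerCase(Locale.ROOT);
        return USERNAME.matcher(candidate).matches()
                ? Optional.of(candidate) : Optional.empty();
    }

    /** Per-user random password (192 bits) instead of one constant for every account. */
    public static String randomPassword() {
        byte[] bytes = new byte[24];
        RNG.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) {
        // Constructed sample header values, including the "not set properly" cases.
        String[] samples = { "jsmith", "  JSmith ", null, "", "not a valid id!" };
        for (String sample : samples) {
            Optional<String> user = usernameFromHeader(sample);
            if (user.isPresent()) {
                System.out.println("log in or create: " + user.get()
                        + " (password length " + randomPassword().length() + ")");
            } else {
                System.out.println("reject: header missing or malformed");
            }
        }
    }
}
```

These checks only catch missing or malformed values. The header is trustworthy only when Confluence is reachable solely through the Siteminder-protected web tier, since a client that can reach the application server directly can set the header itself.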
To use Trusted Application Protocol between Confluence and JIRA, an exception for the /admin/appTrustCertificate URL must be created in SiteMinder's configuration.
Otherwise, when configuring Trusted Application support, SiteMinder's SSO login form is returned to JIRA rather than the certificate from Confluence, resulting in the error "java.lang.RuntimeException: java.security.spec.InvalidKeySpecException: java.io.EOFException" in the web browser.
If this is a new installation, you must make sure that the Siteminder user you are logging in as is different from the one you define as the admin user; otherwise, when you log in for the first time, you will have no admin access.