
Overview 

Please find attached a class which can be used to integrate Confluence with Siteminder's SSO technology. I am hoping that by posting this, someone can help do the same for JIRA (which so far I have failed miserably to do!)

The class integrates as a Seraph authenticator. It's a bit clunky, but it works. I am providing this as is; if you want something quick so that you can get up and running, then this is for you. The class assumes the following:

  • Siteminder protects all resources for Confluence under the context root, for example /confluence (the default)
  • The Siteminder agent on the server needs the following settings, which are global for all policies on that agent:
    • remove the "~" from the BadChar list
    • remove ".css, .gif, .jpg" from the IgnoreExt list (in fact, you will probably leave IgnoreExt=.fcc,.scc,.sfcc,.ccc,.ntc)
  • The class assumes the following Siteminder properties are set (via HTTP headers):
    • cn - used as the Full Name when a user is created the first time they access Confluence, for example John Doe
    • mail - the mail address, for example john.doe@person.com
    • uid - the user id, for example jdoe001

The class assumes you have logged into Siteminder prior to accessing Confluence. This is pretty much the standard way that Siteminder works: it provides the standard login pages, to which users are automatically redirected to log in and collect credentials and cookies.

Once a user has logged into Siteminder and then accesses Confluence, the custom authenticator extracts their Siteminder credentials from the headers and then (i) tries to log the user in, and if that fails, (ii) creates a new user from the Siteminder credentials.

Limitations of the class

Each user created in Confluence is created with the same password, as defined in the class. This could be randomised a little, I guess (we did not bother, as a user will never be able to access Confluence using the standard access mechanisms).

The class could have better error detection and avoidance. At the moment, if the Siteminder headers are not set properly, it can lead to spurious errors when creating new users.

Limitations of the integration 

You will need to remove or change the logout references to log out of Siteminder. We actually do not do this, as it's not really required: it's our enterprise SSO, so it's unlikely you need to log out of Confluence.

You will need to remove the change password tabs, as these are not used (NOTE! Do not do this via External User Management or you will not be able to use groups!!)

It only works with Confluence 2.1 or later (I have tried it in 2.1.x and 2.2.x).

Installation and Configuration

1. Copy the class to WEB-INF/classes/com/siteminder/confluence

2. Edit the seraph-config.xml in WEB-INF/classes and modify the authenticator from the initial

to 

3. Restart the application.

Trusted Application Protocol

To use Trusted Application Protocol between Confluence and JIRA, an exception for the /admin/appTrustCertificate URL must be created in SiteMinder's configuration.

Otherwise, when configuring Trusted Application support SiteMinder's SSO login form is returned to JIRA rather than the certificate from Confluence, resulting in an error "java.lang.RuntimeException: java.security.spec.InvalidKeySpecException: java.io.EOFException" in the web browser.

TIPS

If this is a new installation, you must make sure that the Siteminder user you are logging in as is different from the one you define as the admin user; otherwise, when you log in for the first time, you will have no admin access.

18 Comments

  1. For mixed case usernames, the line below needs to be changed:

    if(username != null && user.getName().compareTo(username) == 0)

    to:

    if(username != null && user.getName().toUpperCase().compareTo(username.toUpperCase()) == 0)

    We tried SSO with different userids and it worked without any problem.

    1. Thanks, I have uploaded a new class compiled against 2.8.2 with this patch. Hopefully it will work for 2.8.2 users - I cannot test as we don't have this version up and running yet.

      1. This class does not seem to work with Confluence 2.10.1, users are not logged into Confluence, even when authenticated by SiteMinder...

      2. How did you compile it? Where are the classes located in 3.0.0.1? I want to tweak the code and compile it, please help!!

        Many thanks,

  2. Kevin, sorry have not had a chance to get 2.10.1 up and running so cannot confirm it works. I'll try and do some testing this week...

    1. Hi Ricardo,

      Thanks for your answer and your help;

      I compiled the class on my side with more debug and will test it asap.

      1. Was a problem on the SiteMinder side. Thanks !

  3. I am trying to get this class to work with Confluence 3.0.1 using Java 1.6.0_14. We seem to authenticate, but are experiencing issues while going to different pages: sometimes we get a System Error stating problems with the decorator, while other times we get the Confluence login page. This seems to be happening randomly. Has anyone worked out the kinks and is using Confluence 3.0.1? Thanks

    1. James, it works on 3.0.0 as I have it running now here in the office, although admittedly only on the 1.5 JDK.

      What specific issues are you seeing? I will see if I can replicate them. If you can tell me what pages or links are generating the problem, I could probably sort it out.

      1. Currently using JDK 1.5 now.
        Still having issues such as:

        • Clicking Update status will say 'Username was blank' before you click update button. Then click on update it will say you are not logged in.
        • Sometimes the confluence login page shows up while trying to click on a certain page.
        • Unable to change a users group while administrator get a message saying "You do not have permission to access /admin/users/editusergroups-start.action?username=confadmin. to access this page, please log in as a user with sufficient permissions."
        • I keep getting a decorator System Error page (confluence error) on certain pages. "Cause java.lang.RuntimeException: Error rendering template for decator root at com.atlassian.confluence.setup.velocity.ApplyDecoratorDirective.render(ApplyDecoratorDirective.java:210)

        I thought this might be my setup with the proxy and everything, but when I use the ConfluenceAuthenticator I receive no errors. Any help would be appreciated, thanks.

  4. We are using 3.0.0.1 and I want to know how you compiled this Java code. What are the paths to the files mentioned in the import statements? I want to tweak the code and compile it. Please let me know if you can guide me in some direction, and once it is compiled I will post my findings with 3.0.0.1.

    Thanks in Advance,

    Any help much appreciated!!!

    1. Hi Shan,

      We haven't had the chance to try Confluence 3.x, though we have compiled the Java source using the below build.xml file, against Confluence 2.10.x:

      Your 'lib' sub-directory should contain the below set of jars:

      • atlassian-bucket-1.3.jar
      • atlassian-seraph-0.38.3.jar
      • atlassian-spring-0.8.jar
      • atlassian-user-2.0.2.jar
      • confluence-2.10.3.jar
      • log4j-1.2.15.jar
      • servlet-api.jar

      Please see if this helps you to get through the compilation steps.

      Good references on how to use ANT to get the compilation working are listed below:

  5. The part of the code where the call is made to login, introduces several security issues. I chose to address those in a different way.
    The apparent goal is to merge the identity information provided by SiteMinder with the authorization information within Confluence.

    Through a little trial and error and interface inspection, I found the following code approach to work:

    UserAccessor userAccessor = (UserAccessor)ContainerManager.getComponent("userAccessor");

    User user = userAccessor.getUser(nameFromSiteMinder.toLowerCase());

    If the resulting user was null, create a user using a randomly generated password string.
    This slight change in approach eliminates the unnecessary re-authentication, which was bogus anyway due to the fixed password. Now all of the users can have random, unguessable passwords, which prevents back door access and identity masquerading, at least based on those credentials.

    Unfortunately the UserAccessor interface is defined within the Confluence code base, rather than Seraph. As a result there is a compile time dependency (already present in the code above) on the appropriate confluence jar file. This seems to indicate that Seraph is lacking an extension point/interface that would handle this need. A different plug-in is probably needed for Jira, even though they are both based on Seraph.

    If there is a Seraph only way to do this, that would be best.

    1. I agree with your comments regarding the security limitations of the code provided - these were only ever intended to be a "quick and easy" way of doing this.

      That said, in our environment (and I accept this is not the case for everyone) users can never bypass the front door (Siteminder), so the user is never in a situation where they can log in using the generic username/password. This is how and why this approach worked for us, but I accept it is not the ideal way of doing it.

      Can you post your own code so that people can have an alternative solution to use?
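The following is an added example, not the class attached to this page and not code from any commenter. It sketches the flow described in the Overview (read uid, cn and mail from the headers the SiteMinder agent sets, reuse the existing Confluence user, otherwise create one on first access) but implemented the way comment 5 suggests: the Confluence user is looked up directly through UserAccessor rather than re-authenticated with a shared fixed password, and newly provisioned accounts get a random password that nobody knows. It also rejects requests with a missing or blank uid header, which is the situation behind the "spurious errors" and "Username was blank" symptoms mentioned above. Assumed, because the page does not show them: the class name SiteMinderAuthenticator, the header names uid/cn/mail exactly as listed in the Overview, and the methods UserAccessor.addUser(username, password, email, fullName) and UserAccessor.addMembership(group, username) together with the constant UserAccessor.GROUP_CONFLUENCE_USERS in the Confluence version you build against; LOGGED_IN_KEY and LOGGED_OUT_KEY are inherited from Seraph's DefaultAuthenticator. The whole scheme only makes sense when the SiteMinder agent fronts every Confluence URL, as the Overview requires, since a client that can reach Tomcat directly could otherwise set these headers itself.

```java
package com.siteminder.confluence;

import java.security.Principal;
import java.security.SecureRandom;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.atlassian.confluence.user.ConfluenceAuthenticator;
import com.atlassian.confluence.user.UserAccessor;
import com.atlassian.spring.container.ContainerManager;
import com.atlassian.user.User;

/**
 * Illustrative header-based authenticator (added example, not the attached class).
 * Assumes the SiteMinder agent protects every Confluence URL, so the headers read
 * here can only have been set by the agent, never by the browser directly.
 */
public class SiteMinderAuthenticator extends ConfluenceAuthenticator {

    // Header names as listed in the page's Overview (assumed to be passed through unchanged).
    private static final String HEADER_UID = "uid";
    private static final String HEADER_CN = "cn";
    private static final String HEADER_MAIL = "mail";

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession();

        // Seraph already recorded a principal for this session: reuse it.
        Principal cached = (Principal) session.getAttribute(LOGGED_IN_KEY);
        if (cached != null) {
            return cached;
        }

        // No (or blank) uid means the agent did not authenticate this request or is
        // misconfigured; treat the request as anonymous instead of creating an empty user.
        String uid = request.getHeader(HEADER_UID);
        if (uid == null || uid.trim().length() == 0) {
            return null;
        }
        // Lower-case so "JDoe001" and "jdoe001" resolve to one Confluence account.
        String username = uid.trim().toLowerCase();

        // Lookup through UserAccessor, as in comment 5: no password check against a
        // shared fixed password is involved.
        UserAccessor userAccessor = (UserAccessor) ContainerManager.getComponent("userAccessor");
        User user = userAccessor.getUser(username);
        if (user == null) {
            user = provisionUser(userAccessor, username,
                                 request.getHeader(HEADER_CN), request.getHeader(HEADER_MAIL));
        }
        if (user == null) {
            return null;
        }

        session.setAttribute(LOGGED_IN_KEY, user);
        session.setAttribute(LOGGED_OUT_KEY, null);
        return user;
    }

    /** Creates the account on first access with a password that is never disclosed. */
    private User provisionUser(UserAccessor userAccessor, String username,
                               String fullName, String email) {
        // Fall back to the uid as display name if the cn header is absent.
        String safeFullName = (fullName == null || fullName.trim().length() == 0)
            ? username : fullName.trim();
        String safeEmail = (email == null) ? "" : email.trim();
        // addUser(username, password, email, fullName) is assumed to exist in this Confluence version.
        User created = userAccessor.addUser(username, randomPassword(32), safeEmail, safeFullName);
        if (created != null) {
            // Membership of the default group is what lets the new account use the wiki.
            userAccessor.addMembership(UserAccessor.GROUP_CONFLUENCE_USERS, username);
        }
        return created;
    }

    /** Random password drawn from a CSPRNG; it exists only to satisfy the user store. */
    static String randomPassword(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(RANDOM.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }
}
```

Compiled against the jars listed in comment 4 and dropped into WEB-INF/classes/com/siteminder/confluence, this class would be referenced from seraph-config.xml in place of the default authenticator, as in step 2 of the installation section. The security-relevant differences from the attached class are that the fixed shared password disappears entirely and that a request without a uid header is treated as unauthenticated rather than producing an error or an empty-named account.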