[Episode 4] Guest access on Confluence Data Center, SSO for unlicensed users!

Hello Atlassian Community,

A lot of teams ask a simple question: “How do we let people outside our organization see a Confluence space for a short time, without buying new licences, and still keep SSO?” This is that pattern, written plainly, with what Atlassian already offers and what we layered on top.

First, what does Atlassian give you?

On Confluence Cloud, inviting outsiders is straightforward: Atlassian’s guests are free, and you can invite up to five guests per paid user, scoped to a single space. For quick collaboration, that’s perfect. [Invite guests to Confluence | Confluence Cloud | Atlassian Support]

On Confluence Data Center, there’s no native “guest” role. Anyone with the global 'Use Confluence' permission is considered a licensed user. Your only non-licensed option is anonymous access, which is truly public unless you put another gate in front of it.

The Use case (you’ve probably seen it)

A customer needed to bring ~100 external reviewers into one space for a week. InfoSec required SSO via the corporate IDP. Procurement didn’t want to add a hundred named users for seven days. Public links were off the table.

The pattern that solved it 

We set up a guest-like lane with SSO in front:

• IdP first: Reviewers hit the Confluence link and are sent to the company’s IdP; they clear SSO and conditional access there.
• Tightly scoped entry: Only the review space allows access for these visitors; the rest of the site stays private. Confluence’s public/anonymous controls are still the guardrails, just switched on only for this space and window. 
• Short window, clean exit: When the review ends, the lane closes at the IdP and in Confluence; nothing to clean up.

This gives you guest-like, view-only access on DC with SSO, and stays honest with Atlassian’s model (no hidden users). If you need comments or edits, plan for named, licensed accounts; that’s how DC is designed.

Why does this complement Atlassian’s model?

Cloud guests are still the simplest answer when you’re on Cloud. In the Data Center, this SSO-gated lane is a practical way to get guest-like, time-boxed viewing without changing how licensing works.

We packaged this as a small Guest Login feature in our OAuth/OIDC SSO setup for Confluence DC. If a quick configuration checklist would help, I’m happy to share it in the comments (no sales pitch).

If you’ve tackled DC external reviews differently, reverse proxy, link signing, space-level patterns- I’d love to learn from your approach. What’s worked (or backfired) for you?