SSO not working after upgrade

Dovid Bender
Contributor
April 24, 2019

Hi,

We recently upgraded our Confluence install from 5.7 to 6.6.13 and SSO does not seem to be working. I made sure to update:

1) seraph-config.xml (as it was before). I also did a diff of my changes against the previous file, and the only thing I see is:
< <param-value>/login.action?os_destination=${originalurl}&amp;permissionViolation=true</param-value>
---
> <param-value>/login.action?os_destination=${originalurl}</param-value>
which I think is unrelated.

2) crowd.properties (as it was before).

I know that there is communication between Confluence and Crowd, as I added a new user to Crowd called me_test and was then able to log in directly to Confluence. My only issue seems to be that SSO is not working between Confluence and everything else. Meaning, if I log out of everything and then log in to, say, Jira, I can access Stash without logging in again, and vice versa. However, even if I am already logged into Jira, if I go to the Confluence URL I still must log in again. Is there any other setting that I am missing?

What's interesting is that if I log out of Confluence it will also log me out of Jira, Stash, etc.

EDIT: For all my applications I am using the AJP proxy, with the exception of Confluence, which uses mod_proxy.

Edwin Kyalangalilwa
Rising Star
April 24, 2019

Hi @Dovid Bender ,

Based on Integrating Crowd with Atlassian Confluence:

In seraph-config.xml you'll comment out

<!-- <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/> -->

and uncomment

<authenticator class="com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator"/>
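A mechanical way to confirm that edit took, added here as an editor's example (it is not from the thread or from Atlassian): the script parses seraph-config.xml and lists the authenticators that are actually live. Because the XML parser discards comments, an authenticator wrapped in `<!-- -->` never shows up, which is exactly the distinction that matters. It also confirms the two session parameters visible in the posted config. The configurations it runs against are constructed skeletons of the real file, not the file itself.

```python
# Added example (editor's, not from the thread or from Atlassian): report which
# Seraph authenticator a Confluence seraph-config.xml actually enables, plus two
# session-hardening parameters worth confirming after an upgrade.
import xml.etree.ElementTree as ET

DEFAULT_AUTH = "com.atlassian.confluence.user.ConfluenceAuthenticator"
CROWD_SSO_AUTH = "com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator"


def init_params(root: ET.Element) -> dict:
    """Collect <init-param> name/value pairs from the <parameters> block."""
    return {
        p.findtext("param-name", ""): p.findtext("param-value", "")
        for p in root.findall("./parameters/init-param")
    }


def active_authenticators(xml_text: str) -> list:
    """Classes of the <authenticator> elements that are live.

    ElementTree's default parser discards XML comments, so an authenticator that
    was commented out never appears here; only uncommented ones do."""
    root = ET.fromstring(xml_text)
    return [a.get("class", "") for a in root.findall("authenticator")]


def check_crowd_sso(xml_text: str) -> list:
    """Return a list of findings; an empty list means the file is set up for Crowd SSO."""
    root = ET.fromstring(xml_text)
    auths = [a.get("class", "") for a in root.findall("authenticator")]
    params = init_params(root)
    findings = []
    if len(auths) != 1:
        findings.append(f"expected exactly one active <authenticator>, found {len(auths)}")
    elif auths[0] != CROWD_SSO_AUTH:
        findings.append(f"active authenticator is {auths[0]}, not {CROWD_SSO_AUTH}")
    if params.get("invalidate.session.on.login", "").strip().lower() != "true":
        findings.append("invalidate.session.on.login is not true (session fixation guard is off)")
    if not params.get("login.cookie.key", "").strip():
        findings.append("login.cookie.key is empty")
    return findings


def sample_config(default_on: bool, crowd_on: bool) -> str:
    """Constructed skeleton of seraph-config.xml; an inactive authenticator is wrapped
    in a comment exactly as the shipped file does it."""
    def auth_line(cls: str, on: bool) -> str:
        tag = f'<authenticator class="{cls}"/>'
        return tag if on else f"<!-- {tag} -->"
    return f"""<security-config>
  <parameters>
    <init-param><param-name>login.cookie.key</param-name><param-value>seraph.confluence</param-value></init-param>
    <init-param><param-name>invalidate.session.on.login</param-name><param-value>true</param-value></init-param>
  </parameters>
  <rolemapper class="com.atlassian.confluence.security.ConfluenceRoleMapper"/>
  {auth_line(DEFAULT_AUTH, default_on)}
  {auth_line(CROWD_SSO_AUTH, crowd_on)}
</security-config>"""


if __name__ == "__main__":
    import sys
    # With a path argument, audit a real file; otherwise walk the constructed cases.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(check_crowd_sso(fh.read()) or ["OK: Crowd SSO authenticator is the only active one"])
    else:
        for label, cfg in (("shipped default", sample_config(True, False)),
                           ("crowd sso only", sample_config(False, True)),
                           ("both uncommented", sample_config(True, True))):
            print(f"{label:18s} -> {check_crowd_sso(cfg) or 'OK'}")
```

Point it at the seraph-config.xml under the Confluence install's WEB-INF/classes directory. The "found 2" finding catches the usual slip after an upgrade: uncommenting the Crowd authenticator without commenting out the default one.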

Dovid Bender
Contributor
April 24, 2019

@Edwin Kyalangalilwa, of course I tried that and it didn't work. My current config is:

<security-config>
  <parameters>
    <init-param>
      <param-name>login.url</param-name>
      <param-value>/login.action?os_destination=${originalurl}&amp;permissionViolation=true</param-value>
    </init-param>
    <init-param>
      <param-name>link.login.url</param-name>
      <param-value>/login.action</param-value>
    </init-param>
    <init-param>
      <param-name>cookie.encoding</param-name>
      <param-value>cNf</param-value>
    </init-param>
    <init-param>
      <param-name>login.cookie.key</param-name>
      <param-value>seraph.confluence</param-value>
    </init-param>

    <!--only basic authentication available-->
    <init-param>
      <param-name>authentication.type</param-name>
      <param-value>os_authType</param-value>
    </init-param>

    <!-- Invalidate session on login to prevent session fixation attack -->
    <init-param>
      <param-name>invalidate.session.on.login</param-name>
      <param-value>true</param-value>
    </init-param>
    <!-- Add names for session attributes that must not be copied to a new session when the old one gets invalidated.
         Currently it is empty (i.e. all attributes will be copied). -->
    <init-param>
      <param-name>invalidate.session.exclude.list</param-name>
      <param-value></param-value>
    </init-param>
  </parameters>

  <rolemapper class="com.atlassian.confluence.security.ConfluenceRoleMapper"/>
  <controller class="com.atlassian.confluence.setup.seraph.ConfluenceSecurityController"/>

  <!-- Default Confluence authenticator, which uses the configured user management for authentication. -->
  <!-- <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/> -->

  <!-- Custom authenticators appear below. To enable one of them, comment out the default authenticator above and uncomment the one below. -->

  <!-- Authenticator with support for Crowd single-sign on (SSO). -->
  <!-- Next line was enabled and line 43 was disabled by dovid bender on 2019-04-24 at 0600 so that SSO would work with the new setup -->
  <authenticator class="com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator"/>

  <!-- Specialised version of the default authenticator which adds authenticated users to confluence-users if they aren't already a member. -->
  <!-- <authenticator class="com.atlassian.confluence.user.ConfluenceGroupJoiningAuthenticator"/> -->

  <services>
    <service class="com.atlassian.seraph.service.PathService">
      <init-param>
        <param-name>config.file</param-name>
        <param-value>seraph-paths.xml</param-value>
      </init-param>
    </service>
  </services>

  <elevatedsecurityguard class="com.atlassian.confluence.security.seraph.ConfluenceElevatedSecurityGuard"/>

</security-config>

Edwin Kyalangalilwa
Rising Star
April 24, 2019

@Dovid Bender was Confluence restarted after this change?

dovi5988
Contributor
April 24, 2019

Yes, I restarted it a few times. The only thing I wonder is if the other apps are using AJP connectors and Confluence is using mod_proxy.

Dovid Bender
Contributor
April 25, 2019

So I did some more testing. If I go to any of the other applications such as Jira, log in and then go to http://hostname.domain.org:8090, SSO works. It seems my issue is either in my Apache configuration OR my Confluence settings for mod_proxy. Below are both. What am I doing wrong?

server.xml:

<Server port="8000" shutdown="SHUTDOWN" debug="0">
  <Service name="Tomcat-Standalone">
    <!--
    <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
               maxThreads="48" minSpareThreads="10"
               enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
               protocol="org.apache.coyote.http11.Http11NioProtocol" />
    -->
    <Engine name="Standalone" defaultHost="localhost" debug="0">

      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
        <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
          <!-- Logger is deprecated in Tomcat 5.5. Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
          <Manager pathname="" />
          <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
        </Context>

        <Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0" reloadable="false" useHttpOnly="true">
          <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
        </Context>
      </Host>

    </Engine>

    <!--
    To run Confluence via HTTPS:
      * Uncomment the Connector below
      * Execute:
          %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
          $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)
        with a password value of "changeit" for both the certificate and the keystore itself.
      * Restart and visit https://localhost:8443/

    For more info, see https://confluence.atlassian.com/display/DOC/Running+Confluence+Over+SSL+or+HTTPS
    -->
    <!--
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
               URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>
    -->

    <!-- Below lines were added by dovid bender on 2019-04-23 so that mod_proxy would work -->
    <Connector port="8090"
               maxThreads="48"
               minSpareThreads="10"
               connectionTimeout="20000"
               enableLookups="false"
               maxHttpHeaderSize="8192"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               useBodyEncodingForURI="true"
               redirectPort="8443"
               acceptCount="10"
               disableUploadTimeout="true"
               proxyName="confluence.mydomain.org"
               proxyPort="443"
               secure="true"
               scheme="https"/>

  </Service>
</Server>

Apache config:

<VirtualHost *:80>
    ServerName confluence.mydomain.org
    ServerAlias confluence.mydomain.org

    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

    # Redirect / https://confluence.mydomain.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName confluence.mydomain.org
    ServerAlias confluence.mydomain.org

    # Logging
    ErrorLog /var/log/httpd/confluence.error.log
    LogLevel info
    CustomLog /var/log/httpd/confluence.access.log combined

    SSLEngine on
    SSLCertificateFile /etc/ssl/mydomain.org.crt
    SSLCertificateKeyFile /etc/ssl/mydomain.org.key
    SSLCertificateChainFile /etc/ssl/mydomain.org.ca
    #SSLCertificateChainFile /etc/ssl/mydomain.bundle

    # Proxy Settings
    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy *>
        # Require all granted
    </Proxy>

    ProxyPass / http://localhost:8090/
    ProxyPassReverse / http://localhost:8090/
</VirtualHost>

Dovid Bender
Contributor
April 25, 2019

I followed https://confluence.atlassian.com/crowd/session-configuration-17956967.html#Sessionconfiguration-screen and unsetting "Require consistent client IP address" made it work. My question is why, and is there any risk in having it unset?


TIA
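Why unticking that box changed the outcome, and what it trades away, as an added note with an editor's model (this is not Crowd's code and not part of the thread). With "Require consistent client IP address" on, Crowd only accepts an SSO token from an application that reports the same client address the token was created under. Jira and Stash sit behind mod_proxy_ajp, and AJP carries the browser's address through to Tomcat, so they report it. Confluence sits behind mod_proxy_http with `ProxyPass / http://localhost:8090/`, so its Tomcat sees every request arriving from 127.0.0.1 and reports that; the token issued while logged into Jira is bound to the browser's address, the two do not match, Confluence rejects the token and shows its login page. A logout from Confluence still reaches Crowd and invalidates the token, which is why that direction kept working. The model below runs the cases side by side: the setup in the thread, the workaround of disabling the check, the fix that keeps the check (Tomcat's RemoteIpValve honouring X-Forwarded-For, which mod_proxy_http adds, only from the proxy's address), and a forged header. The addresses, the token format and the signing secret are constructed for the example.

```python
# Added example (editor's model, not Crowd's or Confluence's code): how an SSO
# token bound to the client address behaves behind two different proxy setups.
import hashlib
import hmac
import secrets

# Constructed stand-in for the shared secret an SSO server would sign tokens with.
SECRET = secrets.token_bytes(32)


def make_token(username: str, client_ip: str) -> str:
    """Issue a token bound to the address the issuing application saw at login."""
    mac = hmac.new(SECRET, f"{username}|{client_ip}".encode(), hashlib.sha256).hexdigest()
    return f"{username}|{client_ip}|{mac}"


def validate(token: str, reported_ip: str, require_consistent_ip: bool = True) -> bool:
    """Accept the token if its MAC is intact and, when the consistent-IP check is on,
    the address bound at login equals the one the validating application reports."""
    try:
        username, bound_ip, mac = token.split("|")
    except ValueError:
        return False
    expected = hmac.new(SECRET, f"{username}|{bound_ip}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    return (not require_consistent_ip) or bound_ip == reported_ip


def client_ip_seen_by_app(peer_addr: str, headers: dict, trusted_proxies, honor_xff: bool) -> str:
    """What the application reports as the client address.

    AJP hands Tomcat the browser's address, so an app behind mod_proxy_ajp reports it
    directly. Plain HTTP proxying (mod_proxy_http to localhost:8090) makes the peer
    the proxy itself; the app only sees the browser's address if it is configured to
    honour X-Forwarded-For from that proxy (Tomcat's RemoteIpValve does this).
    trusted_proxies=None models a valve that trusts the header from any peer.
    """
    xff = headers.get("X-Forwarded-For")
    trusted_peer = trusted_proxies is None or peer_addr in trusted_proxies
    if honor_xff and xff and trusted_peer:
        return xff.split(",")[0].strip()   # leftmost hop: the original client
    return peer_addr


def scenario() -> dict:
    """Constructed addresses: the browser, the local Apache proxy, and an outsider."""
    browser, proxy, outsider = "203.0.113.10", "127.0.0.1", "198.51.100.7"
    forwarded = {"X-Forwarded-For": browser}

    # Login happens at Jira, reached over AJP, which reports the browser's address.
    token = make_token("me_test", client_ip_seen_by_app(browser, {}, {proxy}, honor_xff=False))

    # Confluence behind mod_proxy_http with no RemoteIpValve reports the proxy's address.
    confluence_reports = client_ip_seen_by_app(proxy, forwarded, {proxy}, honor_xff=False)
    # Confluence with RemoteIpValve trusting X-Forwarded-For only from 127.0.0.1.
    confluence_fixed = client_ip_seen_by_app(proxy, forwarded, {proxy}, honor_xff=True)
    # An outsider hitting port 8090 directly with a forged header.
    forged_limited = client_ip_seen_by_app(outsider, forwarded, {proxy}, honor_xff=True)
    forged_any = client_ip_seen_by_app(outsider, forwarded, None, honor_xff=True)

    return {
        "mod_proxy_check_on": validate(token, confluence_reports),          # False: re-login prompt
        "mod_proxy_check_off": validate(token, confluence_reports, False),  # True: the thread's workaround
        "remoteip_valve_check_on": validate(token, confluence_fixed),       # True: binding kept, SSO works
        "forged_xff_untrusted_peer": validate(token, forged_limited),       # False: header ignored
        "forged_xff_any_peer": validate(token, forged_any),                 # True: binding defeated
    }


if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case:28s} token accepted: {ok}")
```

What the option buys is that an SSO cookie replayed from a different address is refused; leaving it off gives that up. The last case shows that a RemoteIpValve whose `internalProxies` matches any peer gives up the same protection, because the client then picks the address the token is compared against. If you take the valve route, keep `internalProxies` to the proxy's address (for this setup, `127\.0\.0\.1`) and keep port 8090 reachable only from the proxy host.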

Dovid Bender
Contributor
May 19, 2019

BUMP

