Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Why can't I log into Confluence with SSO enabled?

Ed Jackson
Ed Jackson
Contributor
April 25, 2017

I have just set up a new test server with Confluence 6.0.7 and imported data from my existing server. This all went smoothly.

I have a Crowd directory that I use for authentication, and that also works fine... until I update the seraph configuration to enable SSO.

To be clear, I am NOT trying to log into a local account with SSO enabled; I know that doesn't work.

In the Confluence logs, I see this:

2017-04-25 19:14:25,654 WARN [http-nio-8090-exec-10] [atlassian.seraph.auth.DefaultAuthenticator] login login : 'ed.jackson' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.

However, I have debug information turned on in the Crowd logs, where I can see that it is successfully authenticating the user for the application.

Both my Confluence and Crowd servers sit in a private subnet, each behind its own proxy/load balancer. However, Confluence is configured to connect directly to Crowd on the private subnet.

I suspect the problem is one of the URLs in my crowd.properties file. What I have configured now is this:

application.name=confluence
application.password=xxxxxxxx
session.validationinterval=0
crowd.base.url=http\://crowd.internal:8095/
crowd.server.url=http\://crowd.internal:8095/services/
application.login.url=https\://wiki.mycompany.com/

To reiterate, the directory sync works fine using the same Crowd URL. Likewise, the Crowd login works fine if I don't have SSO enabled.

 

Answer
Watch
Like Be the first to like this
1947 views

3 answers

0 votes
AnnWorley
AnnWorley
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 27, 2017

I noticed from the log snippet that Confluence is using the default authenticator: [atlassian.seraph.auth.DefaultAuthenticator]

In <Confluence_Install>/confluence/WEB-INF/classes, please make sure the default authenticator is commented out and the SSO one is active: 

<authenticator class="com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator"/>
View More Comments
Ed Jackson
Ed Jackson
Contributor
April 28, 2017

Thanks for that, Ann. That is in fact the active line in seraph-config.xml; I have commented out the default that uses com.atlassian.confluence.user.ConfluenceAuthenticator.

 

Like
Reply
0 votes
Bruno Vincent
Bruno Vincent
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
April 26, 2017

According to that post, there might actually be something wrong with the URLs in crowd.properties.

Did you willingly change Crowd's URL? (By default this should be http://crowd.internal:8095/crowd)

You might also need to add a backslash before ":8095". Here is what you should have:

crowd.base.url=http\://crowd.internal\:8095/crowd/
crowd.server.url=http\://crowd.internal\:8095/crowd/services/

Since your environment works without SSO, you should log into Confluence's Administation UI, then select Users & Security > User Directories > Crowd Server > Edit > Server Settings and copy/paste the Server URL to your crowd.properties file (and obviously restart Confluence).

View More Comments
Ed Jackson
Ed Jackson
Contributor
April 26, 2017

Yes, I changed the Crowd URL so it's at the root instead of at /crowd. The URL in the directory settings does exactly match the one in crowd.properties. I know it's working, because I can see in the Crowd logs that it is receiving the request from Confluence and authenticating the user.

Like
Reply
0 votes
Edwin Kyalangalilwa
Edwin Kyalangalilwa
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
April 25, 2017

Try adding the following to the file and restart

application.name                        confluence
application.password                    xxxxxxxx
application.login.url                   https://wiki.mycompany.com/
crowd.base.url                          http://crowd.internal:8095/
crowd.server.url                        http://crowd.internal:8095/services/
session.isauthenticated                 session.isauthenticated
session.tokenkey                        session.tokenkey
session.validationinterval              2
session.lastvalidation                  session.lastvalidation


 

View More Comments
Ed Jackson
Ed Jackson
Contributor
April 26, 2017

Thanks, I do have all of those configured, I just omitted them for brevity.

Like
Edwin Kyalangalilwa
Edwin Kyalangalilwa
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
April 26, 2017

Try like that without the forward slashes. Also I think the SSO domain has to be set in order for it to work.

https://confluence.atlassian.com/crowd/domain-17956963.html

Like Mark M likes this
Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
AUG Leaders

Atlassian Community Events

    See all events