Just a heads up: On March 24, 2025, starting at 4:30pm CDT / 19:30 UTC, the site will be undergoing scheduled maintenance for a few hours. During this time, the site might be unavailable for a short while. Thanks for your patience.
×I have just set up a new test server with Confluence 6.0.7 and imported data from my existing server. This all went smoothly.
I have a Crowd directory that I use for authentication, and that also works fine... until I update the seraph configuration to enable SSO.
To be clear, I am NOT trying to log into a local account with SSO enabled; I know that doesn't work.
In the Confluence logs, I see this:
2017-04-25 19:14:25,654 WARN [http-nio-8090-exec-10] [atlassian.seraph.auth.DefaultAuthenticator] login login : 'ed.jackson' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
However, I have debug information turned on in the Crowd logs, where I can see that it is successfully authenticating the user for the application.
Both my Confluence and Crowd servers sit in a private subnet, each behind its own proxy/load balancer. However, Confluence is configured to connect directly to Crowd on the private subnet.
I suspect the problem is one of the URLs in my crowd.properties file. What I have configured now is this:
application.name=confluence application.password=xxxxxxxx session.validationinterval=0 crowd.base.url=http\://crowd.internal:8095/ crowd.server.url=http\://crowd.internal:8095/services/ application.login.url=https\://wiki.mycompany.com/
To reiterate, the directory sync works fine using the same Crowd URL. Likewise, the Crowd login works fine if I don't have SSO enabled.
I noticed from the log snippet that Confluence is using the default authenticator: [atlassian.seraph.auth.DefaultAuthenticator]
In <Confluence_Install>/confluence/WEB-INF/classes, please make sure the default authenticator is commented out and the SSO one is active:
<authenticator class="com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator"/>
Thanks for that, Ann. That is in fact the active line in seraph-config.xml; I have commented out the default that uses com.atlassian.confluence.user.ConfluenceAuthenticator.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
According to that post, there might actually be something wrong with the URLs in crowd.properties.
Did you willingly change Crowd's URL? (By default this should be http://crowd.internal:8095/crowd)
You might also need to add a backslash before ":8095". Here is what you should have:
crowd.base.url=http\://crowd.internal\:8095/crowd/ crowd.server.url=http\://crowd.internal\:8095/crowd/services/
Since your environment works without SSO, you should log into Confluence's Administation UI, then select Users & Security > User Directories > Crowd Server > Edit > Server Settings and copy/paste the Server URL to your crowd.properties file (and obviously restart Confluence).
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Yes, I changed the Crowd URL so it's at the root instead of at /crowd. The URL in the directory settings does exactly match the one in crowd.properties. I know it's working, because I can see in the Crowd logs that it is receiving the request from Confluence and authenticating the user.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Try adding the following to the file and restart
application.name confluence
application.password xxxxxxxx
application.login.url https://wiki.mycompany.com/
crowd.base.url http://crowd.internal:8095/
crowd.server.url http://crowd.internal:8095/services/
session.isauthenticated session.isauthenticated session.tokenkey session.tokenkey session.validationinterval 2 session.lastvalidation session.lastvalidation
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks, I do have all of those configured, I just omitted them for brevity.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Try like that without the forward slashes. Also I think the SSO domain has to be set in order for it to work.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Atlassian Government Cloud has achieved FedRAMP Authorization at the Moderate level! Join our webinar to learn how you can accelerate mission success and move work forward faster in cloud, all while ensuring your critical data is secure.
Register Now
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.