...
The wiki will be open to the public, with only SAML logins (i.e. no local accounts). New users will have their account automatically created, and are put in the confluence-users group.
| Table of Contents |
|---|
Prerequisites
Before you start, make sure you have these bits:
...
- A correctly configured apache web server that is able to serve an HTTPS web site (https://example.com).
- A SAML Identity Provider (IdP).
- An account on that IdP.
- An attribute that can be used as username in Confluence (for example eduPersonPrincipalName). Attributes for full name and e-mail are optional but recommended. In this case we assume 'mail' and 'displayName' can be used.
- The user name of the to-be administrator account. So, if you choose eduPersonPrincipalName as the attribute for username, you need to know your own value (for instance 'dvisser@surfnet.nl').
PostgreSQL
| Code Block |
|---|
apt-get install postgresql |
...
Edit confluence/WEB-INF/classes/confluence-init.properties and configure confluence.home=/home/confluence.
Upstart script for Confluence
Ubuntu uses the new upstart init scripts, which we should use.
...
mod_auth_mellon
mod_auth_mellon is an Apache module. Ubuntu 14.04 and later contain the correct package. To get things working for Ubuntu 12.04 I recompiled the Debian source packages from the University of Tilburg and made them available in our own APT repository.
...
And once that is done, you should be able to use federated authentication by going to https://example.com/mellon/login?ReturnTo=%2F
Confluence - part 2
Now everything is in place to federate Confluence. Make sure that Confluence isn't running any more.
...
If for some reason your account isn't an administrator, there is no way to fix this. You should disable the changes from step 3 and restart Confluence so that it doesn't use federated authentication any more. Then go back in and fix the permissions, then change back.
Confluence - mobile theme
The new Confluence feature a dedicated theme for use on mobile devices. This is great, but unfortunately both the login and logout buttons in that theme do not work - they still point to the 'old' static login/logout links.
Login button
I couldn't find any way to do this in Confluence, so I ended up rewriting it in Apache. See the snippet in the Apache config above.
Logout button & Invitation link
...
| Code Block | ||
|---|---|---|
| ||
<action name="logout" class="com.atlassian.confluence.user.actions.LogoutAction">
<interceptor-ref name="defaultStack"/>
<result name="error" type="velocity">/logout.vm</result>
<result name="success" type="redirect">/login.action?logout=true</result>
</action> |
to this:
| Code Block | ||
|---|---|---|
| ||
<action name="logout" class="com.atlassian.confluence.user.actions.LogoutAction">
<interceptor-ref name="defaultStack"/>
<result name="error" type="velocity">/logout.vm</result>
<result name="success" type="redirect">/mellon/logout?ReturnTo=%2Fdashboard.action</result>
</action> |
While you're at it, you can also change the Invite Users link on /admin/users/browseusers.action. This will take you a non-federated invitation page, which is not what you want. If your Confluence admins don't know how they should add people (by asking new users to simply log in), then chances are that they will use this option, ending up with a 'wrong' account.
Edit plugins/user-management.xml and change this line:
| Code Block |
|---|
<link linkId="invite-tab-link">/admin/users/inviteuser.action</link> |
so that it points to a custom page that you created with the proper instructions.
The page I'm using has a clickable mailto link so that everything is precooked.
Now "jar" everything up again and replace the original jar:
| Code Block | ||
|---|---|---|
| ||
cd /tmp/jar jar cf /opt/confluence/confluence/WEB-INF/lib/confluence-5.5.3.jar . |
Restart Confluence. You should now also be able to use federated logins on your iPad/etc.
jsessionid errors
If unauthenticated users try to access content that is protected, Confluence tries to set jsessionid as part of the URL. This leads to 404 errors like this:
| Code Block |
|---|
NOT FOUND The requested URL /mellon/login;jsessionid=8A736F43779F96249F6C3DC41067BB98 was not found on this server. |
Since the jsessionid part isn't needed, it can be removed uses a rewrite statement (see apache config above).
Logging
You might want to change the default apache log file configuration to include the federated user name. While you're at it, add milliseconds to the timestamp, and change it to something that is not a nightmare to sort later on:
| Code Block |
|---|
#LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
# Sortable log format, with proper federated username. DV 2016-04-05
LogFormat "%v:%p %{%F %T}t.%{msec_frac}t %h %{MELLON_CONF_USER}e \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined |
This will yield useful stuff like:
| Code Block |
|---|
wiki.geant.org:443 2016-04-05 14:23:10.714 2001:610:148:dead:49be:5225:a8a0:4b1f federated-user-3 "GET /rest/mywork/latest/status/notification/count HTTP/1.1" 200 944 "https://wiki.geant.org/dashboard.action" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36" |
Limit access to the unprotected TCP port
Confluence by default listens to TCP port 8090 on all interface. Since Apache will be the internet facing application, there is no need for Confluence to listen on all interfaces. Even worse, if you do let it listen on the internet then it is trivial to add a REMOTE_USER header and spoof any account. Of course it is good practice to use a firewall to protect this port, but you can limit this in Confluence as well. Since Apache is configured to only connect to the (IPv6) localhost address, this is what you should configure Confluence to use as listening address. As per Tomcat docs, you should add an "address" attribute to the Connector, which is located in conf/server.xml:
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8090" address="::1" minProcessors="5"