Confluence Not Automatically Redirecting to IdP When Primary Authentication is Enabled in SAML SSO


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

When SAML SSO has been configured for Primary Authentication, unauthenticated users accessing Confluence via the browser should be redirected to the configured Identity Provider (IdP) to log in, instead of being presented with the standard Confluence username/password login form. However, there are certain conditions which can prevent this auto-redirect to the IdP from occurring, resulting in the user encountering the login prompt even with Primary Authentication mode enabled.

Cause

When Primary Authentication is enabled, the SAML SSO Authentication plugin performs a series of precondition checks to determine whether to send the request to the Identity Provider or to present the user with the standard Confluence username/password login form. The checks are performed in this order:

  1. Check if allowSamlRedirectOverride is enabled and if auth_fallback is present in the request parameters. Present the login form if true.
  2. Check if the SAML SSO is configured at all. Present the login form if false.
  3. Check if the instance is running on a Data Center license. Present the login form if false.
  4. Check if the Assertion Consumer Service URL is configured with https. Present the login form if false.
  5. Check if Confluence is in password recovery mode (i.e. the JVM parameter atlassian.recovery.password has been set). Present the login form if true.
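
The ordered checks above can be modeled as a small troubleshooting helper that reports the first condition that causes the login form to be shown. This is an added example, not code from the SAML SSO plugin; the `InstanceState` fields, the function name, the `-D` form of the JVM parameter and the sample URLs are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

@dataclass
class InstanceState:
    # Hypothetical model of the settings the article's checks read.
    allow_saml_redirect_override: bool
    saml_configured: bool
    data_center_license: bool
    acs_url: str
    jvm_args: list = field(default_factory=list)

def login_form_reason(request_url, state):
    """Return (check number, reason) for the first check that shows the
    login form, or None when the request would be redirected to the IdP."""
    # keep_blank_values so a bare "?auth_fallback" still counts as present.
    params = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    # Assumption: recovery mode is detected from a -D system property.
    recovery = any(a.split("=", 1)[0] == "-Datlassian.recovery.password"
                   for a in state.jvm_args)
    checks = [
        (1, state.allow_saml_redirect_override and "auth_fallback" in params,
         "allowSamlRedirectOverride enabled and auth_fallback in request"),
        (2, not state.saml_configured, "SAML SSO is not configured"),
        (3, not state.data_center_license, "not a Data Center license"),
        (4, urlsplit(state.acs_url).scheme != "https",
         "Assertion Consumer Service URL is not https"),
        (5, recovery, "password recovery mode is active"),
    ]
    for number, shows_form, reason in checks:
        if shows_form:
            return number, reason
    return None

# Constructed sample values, not from a real instance.
SAMPLE = InstanceState(True, True, True,
                       "http://confluence.example.com/acs-placeholder")

if __name__ == "__main__":
    for url in ("https://confluence.example.com/login.action",
                "https://confluence.example.com/login.action?auth_fallback"):
        print(url, "->", login_form_reason(url, SAMPLE))
```

Because the checks run in order, fixing the condition that is reported can expose a later one, so re-run the helper after each change until it returns `None`.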

Solution

Review the checks in the Cause section above, and ensure that your request does not meet any of the conditions where the standard login form will be presented.

Additionally, see the KB article "Enable default login page to bypass SAML in Confluence Data Center" for further details on bypassing SSO by disabling the "Show on login page" setting for the "Username and password" login option in Authentication Methods.

Last modified on Mar 27, 2024
