How to integrate Confluence DC with Azure for SAML 2.0 SSO

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

プラットフォームについて: Data Center のみ - この記事は、Data Center プラットフォームのアトラシアン製品にのみ適用されます。

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Fisheye および Crucible は除く

目的

Confluence Data Center is bundled with the SSO for Atlassian Server and Data Center App – we will refer to it simply as Atlassian SSO App in the remainder of this document.

With this App, Confluence administrators can configure SSO using SAML 2.0 or OIDC with your preferred Identity Provider (IdP). Check SAML single sign-on for Atlassian Data Center applications for further details on supported IdPs and more information on the SSO App.

This document highlights the steps to integrate Confluence Data Center with Microsoft Azure for SSO using SAML 2.0.

This document is not intended to be a full reference guide, since you may need to change Azure or Confluence configuration to your organization's needs. Hence, this describes a sample configuration to have it working.

Atlassian Support can't provide assistance with configuring third-party tools like Okta. If you have questions, check the Azure documentation, Microsoft Azure Support, ask the Atlassian Community, or get help from a Solution Partner.

要約

This is a guide to easily integrate Confluence (Service provider) with Azure (Identity provider IdP).  Each requires their own specific configurations and we'll outline these below.  If there are specific settings that need to in place and which are out of scope of this page, please check those with your IdP admins.

In order to use SSO for Atlassian Server and Data Center to authenticate against Microsoft's Azure AD, we need to create an Enterprise Application in the Azure management console. In this article, we'll use the pre-set Confluence SAML SSO by Microsoft from the Azure library.

You may want to enable Confluence's default login page, as a security measure, so you won't lose access to Confluence, in the event of any issue during the following steps.

For reference: Enable default login page to bypass SAML in Confluence Data Center

環境

  • Confluence 6.1+
  • Azure Active Directory

Integration Steps

  1. Access your Azure Active Directory and select Enterprise applications



  2. Select New application and find "Confluence SAML SSO by Microsoft" from the gallery



  3. Create a name to your application and click Add. You should see your new application like this:

  4. Now we'll get some information from Confluence. Login your Confluence Data Center using an Admin account and head to General Configuration > SSO 2.0.

  5. Scroll down until you see the following lines. Copy and save them to use in the Azure portal:
  6. Back in Azure, open your Enterprise Application, select 2. Set up single sign on, then choose SAML.

  7. Click to edit the Basic SAML Configuration fields and use the information copied from Confluence.

    Azure

    Confluence

    Identifier (Entity ID)

    オーディエンス URL (エンティティ ID)

    Reply URL (Assertion Consumer Service URL)

    アサーション コンシューマー サービス URL

    サインオン URLオーディエンス URL (エンティティ ID)





  8. Still in the Azure SAML settings, download the Certificate (Base64 encoding) and copy the Login URL and Azure AD Identifier



  9. Go back to the Confluence SSO 2.0 screen and use the information copied from Azure. Click Save configuration when finished.

    AzureConfluence
    Login URLアイデンティティ プロバイダー シングルサインオン URL
    Azure AD Identifierシングルサインオン発行者
    Certificate (Base64)X.509 証明書




  10. Confluence 7.7+ only: In Confluence 7.7, JIT User Provisioning was introduced. As part of this change, you now have to define a username mapping. It requires an expression following the pattern ${attributeName}, and that claim/attribute will be used to match the username during the SSO login.




  11. Confluence 7.7+ only: Also introduced by the JIT Provisioning, you can chose to create a user in Confluence when the username mapping doesn't match an existing user. You'll have to check the option Create users on login to the application, and then define claim/attribute mappings from Azure AD that will contain the user's Display Name, Email and Groups (the Groups attribute doesn't support mapping expressions).



  12. To test the authentication, you can use a link like this (it will redirect you to the Azure login screen and then back to Confluence if the authentication is successful):

    https://<base-url>/plugins/servlet/external-login

    This link only works when running SSO for Atlassian Data Center app version 4.0.X or 4.1.X. This link is not available in version 4.2.X or later. 

最終更新日: 2023 年 10 月 9 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.