SSO: Azure AD & Confluence

In this Single Sign-On “how to” guide we look at the steps to integrate Confluence with Azure AD.

Specifically, this blog covers a custom installation of Confluence server. The Atlassian SaaS SSO configuration, which also includes Confluence, is covered in a Microsoft blog.

Pre-requisites

This guide is compatible with Confluence server version 5.5 or higher. Next you need to make the following preparations:

Confluence

Azure AD

  • Credentials of an Azure AD Global Admin account.
  • Create an Azure AD group to control access.
  • Create an Azure AD test user.

Azure AD

The first step is to set up an application context in Azure AD.

Set up the Azure AD configuration using the steps described in this post. Use the following URL as both the Identifier and the Reply URL.

https://“yourcustomaddress”/confluence/plugins/servlet/samlsso

Where “yourcustomaddress” is your custom URL for the Confluence webserver.

Now open the tab Enterprise Applications -> All applications and select the just created Navision application from the list. Click on Properties and make sure that “User assignment required” is turned on.

Now click on Users and Groups and add a user or a group.

Confluence

Before you start with the SSO configuration, it is important to check the current user’s Username attribute in Confluence. With the configuration described below, it should match the user’s UPN in Azure AD. I’d recommend changing the Username if it doesn’t match.

Once the Confluence plugin is installed, you can open the SAML configuration panel via the menu.

In the SAML Identity Provider settings you fill in the following information:

IdP POST Binding URL: This is the SAML Single Sign-On Service URL of Azure AD.
IdP Entity ID: This is the SAML Entity ID of Azure AD.
IdP Token Signing Certificate: This is the Signing certificate.


This information is available in the Azure AD application configuration panel or in the Azure AD SAML FederationMetadata file.
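The three fields above can be read straight from the FederationMetadata XML instead of being copied by hand. The following is an added example, not part of the original post: the function name `idp_settings`, the all-zero tenant ID and the placeholder certificate value are assumptions, and the sample metadata is constructed. Only feed it metadata downloaded over HTTPS from your own tenant.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID

# Constructed sample; the certificate is base64 of b"PLACEHOLDER-CERT", not a real cert.
SAMPLE_METADATA = f"""\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>UExBQ0VIT0xERVItQ0VSVA==</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Location="https://login.microsoftonline.com/{TENANT}/saml2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <SingleSignOnService Location="https://login.microsoftonline.com/{TENANT}/saml2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def idp_settings(metadata_xml: str) -> dict:
    """Extract the three values the plugin's Identity Provider form asks for."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not IdP metadata")
    post_urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                 if s.get("Binding") == POST_BINDING]
    certs = ["".join((c.text or "").split()) for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not post_urls or not certs:
        raise ValueError("missing HTTP-POST endpoint or signing certificate")
    if not post_urls[0].startswith("https://"):
        raise ValueError("SSO endpoint is not HTTPS")
    return {
        "idp_entity_id": root.get("entityID"),
        "idp_post_binding_url": post_urls[0],
        "signing_certs": certs,
        "sha256_fingerprints": [hashlib.sha256(base64.b64decode(c)).hexdigest() for c in certs],
    }


if __name__ == "__main__":
    print(idp_settings(SAMPLE_METADATA))
```

The fingerprint list makes it easy to confirm that the certificate pasted into the plugin is byte-for-byte the one published in the metadata, and a list with more than one entry shows that the metadata publishes several signing certificates.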

By default, the NameID value is used to identify the user in the application. With the Azure AD default configuration settings, this is the UserPrincipalName of the user.

You also have the option to transform the incoming UserID if required. In this case we’ll keep the default settings.

Next you can enable the Azure AD SSO by using a selection page or by forcing it. In my opinion it is important to test the SSO connection first before you enforce the SSO for all users, so we start by configuring the selection page.

You can configure the selection page by entering the name and description of the IdP and enabling the “Enable IdP selection page” checkbox.

To force users to log in using the Azure AD account, you need to enable the corresponding option.

And that’s about it! You can now successfully log in to Confluence using your Azure AD account.