Shibboleth Authenticator for Confluence
Updated and Official Version
There is an official version of this "shibbolizing confluence" available at
http://confluence.atlassian.com/display/CONFEXT/Shibboleth+Authenticator+for+Confluence
The only difference is in the file names; all other procedures are similar.
You can follow the instructions at the above link or the instructions below. We will be merging all documentation and support into the above website.
Requirements
Compilation (optional)
- run "ant clean", then "ant compile", then "ant package"
Deployment
1. copy dist/*.jar to your confluence/WEB-INF/lib (if you use Confluence's unexploded war deployment mode, you need to put the jar into the Confluence source download folder)
2. modify conf/confluenceShibAuthenticator.properties according to your needs
3. copy confluenceShibAuthenticator.properties to confluence/WEB-INF/classes
4. modify seraph-config.xml in your confluence/WEB-INF/classes
<param-name>login.url</param-name>
<!--<param-value>/login.action?os_destination=${originalurl}</param-value> -->
<param-value>https://www.mams.org.au/Shibboleth.sso/WAYF/level-2.federation.org.au?target=${originalurl}</param-value>
<param-name>logout.url</param-name>
<!--<param-value>/login.action?os_destination=${originalurl}</param-value> -->
<param-value>https://www.mams.org.au/Shibboleth.sso/Logout?return=http://www.mams.org.au</param-value>
<param-name>link.login.url</param-name>
<param-value>https://www.mams.org.au/Shibboleth.sso/WAYF/level-2.federation.org.au?target=${originalurl}</param-value>
<!--<param-value>/login.action</param-value>-->
<!--<authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>-->
<authenticator class="au.edu.mq.melcoe.mams.confluence.ConfluenceShibAuthenticator"/>
5. you may want to edit TOMCAT/webapps/confluence/template/includes/macros.vm (or edit it in the source if you're doing unexploded war deployment) so that Confluence displays the logout link properly. Search for "logout.name". Pay attention to how Confluence writes comments (pound followed by star, terminated by star followed by pound).
#*<a href="$req.contextPath/logout.action" id="logout">$action.getText('logout.name')</a>
*#
<a href="https://www.mams.org.au/Shibboleth.sso/Logout?return=$req.contextPath/logout.action" id="logout">$action.getText('logout.name')</a>
6. configure your SP AAP.xml by mapping appropriate headers (pay attention to step #2).
The headers you will most likely need are:
- REMOTE_USER
- FULL_NAME
- EMAIL
- any headers used for dynamic roles
7. modify Apache's configuration if you're using mod_jk. For a guide to using mod_proxy, see here
a. mount Confluence in Apache
JKMount /confluence* confluenceWorker
b. protect confluence with shib lazy session
<Location /confluence>
AuthType shibboleth
ShibRequireSession Off
require shibboleth
</Location>
8. modify workers.properties for JK connector (make sure confluenceWorker is in worker list)
worker.list=xWorker confluenceWorker jiraWorker
worker.confluenceWorker.type=ajp13
worker.confluenceWorker.host=localhost
worker.confluenceWorker.port=8010
9. modify Tomcat's server.xml to include the entry below (find the connector for port 8009 and copy it). If you're using Tomcat 5.5 or above, you may want to use tomcatAuthentication="false" and strip the "request." prefix. This has changed in recent Tomcat versions; refer to your Tomcat manual for details.
<Connector port="8010" address="127.0.0.1" request.tomcatAuthentication="false"
enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
10. restart tomcat and try to click on the login link
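A consistency check for steps 7 to 9, added here as an example (it is not part of the original instructions or of the authenticator's code). It confirms that the worker is in worker.list, that its port matches an AJP connector in server.xml, that the connector listens on a loopback address only (Confluence trusts the user name forwarded over AJP), and that tomcatAuthentication is false. The function names and the embedded sample files are assumptions built from the snippets above.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample inputs mirroring the snippets in steps 8 and 9.
WORKERS = """\
worker.list=xWorker confluenceWorker jiraWorker
worker.confluenceWorker.type=ajp13
worker.confluenceWorker.host=localhost
worker.confluenceWorker.port=8010
"""
SERVER_XML = """\
<Server><Service name="Catalina">
  <Connector port="8010" address="127.0.0.1" tomcatAuthentication="false"
             enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
</Service></Server>
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_props(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_ajp(workers_text, server_xml, worker="confluenceWorker"):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    props = parse_props(workers_text)
    if worker not in re.split(r"[,\s]+", props.get("worker.list", "")):
        problems.append(f"{worker} is not in worker.list")
    port = props.get(f"worker.{worker}.port")
    ajp = [c for c in ET.fromstring(server_xml).iter("Connector")
           if c.get("protocol", "").upper().startswith("AJP") and c.get("port") == port]
    if not ajp:
        return problems + [f"no AJP connector on port {port}"]
    conn = ajp[0]
    if conn.get("address") not in LOOPBACK:
        problems.append("AJP connector is not bound to a loopback address")
    # Either attribute spelling mentioned in step 9 is accepted.
    flag = conn.get("tomcatAuthentication", conn.get("request.tomcatAuthentication"))
    if flag != "false":
        problems.append("tomcatAuthentication is not false; Tomcat ignores the user passed by Apache")
    return problems

if __name__ == "__main__":
    print(check_ajp(WORKERS, SERVER_XML) or "AJP configuration is consistent")
```

To check a real installation, read workers.properties and server.xml from disk and pass their contents to check_ajp in place of the constructed samples.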
Questions? Send us email at
support AT federation DOT org DOT au