Step 3: User Profile Mapping
Navigate to the User Profile section at the top to configure user profile attributes for Confluence. If your user directory is read-only, disable the User Profile Mapping option in this tab and then proceed directly to the “Matching a User” step.

Click on Test Configuration.
User Attribute Matching
When a user logs into Confluence, data or attributes from the OAuth/OpenID provider are used to search for that user in Confluence and facilitate login. To match the attributes:
- Navigate to the User Profile tab.
- Choose either Username or Email as the login for the Confluence user account.
- Enter the attribute name from the OAuth/OpenID Provider that corresponds to the Username or Email as identified in the Identifying Correct Attributes step.

Extended Attribute Mapping
You can configure additional user attributes received in the OAuth/OpenID response using the Configure User Properties (Extended Attributes) section.
- In the left dropdown, select the Confluence attribute you want to map as User Property Key (for example: Phone, Location).
- In the right field, input the corresponding value retrieved from the Attributes from Provider in the Test Configuration window.
- For example, to map user location: select Location on the left dropdown and enter the provider attribute name that returns the user’s location on the right.
- Click Add Attribute Mapping again to create additional mappings.

Step 4: User Group Mapping
To configure user group attributes for Confluence, you can optionally enable group mapping.
To do so, select Enable Group Mapping in the User Groups tab. Otherwise, proceed directly to setting the default group.
4.1 Setting the Default Group
- In the User Groups tab, select the default group for users. If no group is mapped, users are automatically added to this group.
- Using the Assign Default Group To option, you can assign default groups to all users or new users. Choose None if you prefer not to assign any default group to SSO users.

4.2 Finding Group Attribute
- To identify the group attribute, click on Test Configuration. Review the values returned by your OAuth/OpenID provider to Confluence in the table. If group values are missing, adjust the settings in your OAuth provider to include group names.
- Check the Enable Group Mapping option. If you disable it, group mappings won't be updated for existing users.
4.3 Group Mapping
Group mapping can be done manually or on the fly:
- Manual group mapping: If the names of groups in Confluence are different than the corresponding groups in OAuth/OpenID Provider, then you should use Manual group mapping.
- On-The-Fly group mapping: If the names of groups in Confluence and the OAuth/OpenID Provider are the same, you should use On-The-Fly group mapping.
I. Manual group mapping
- Check the Allow User Creation based on Group Mapping option if you want new users to be created only if at least one of the user's OAuth/OpenID Provider groups is mapped to a group in the application.
- Select a Confluence group from the dropdown list and enter the name of the OAuth/OpenID Provider group to be mapped in the Groups from Applications textbox.
- For instance, if you want all users in the 'dev' group of OAuth/OpenID providers to be added to Confluence-software-users, you will need to select Confluence-software-users from the dropdown and enter 'dev' against Confluence-software-users.
- If you want to add extra mapping fields, click on Add Groups button.

II. On-The-Fly group mapping
- If the group names in both Confluence and the OAuth/OpenID provider match, opt for On-The-Fly group mapping.
- Check the Create New Groups option to create new groups from the OAuth/OpenID Provider if not found in Confluence.
- Preserve existing user groups by selecting the Keep Existing User Groups option. Unticking this option will remove the user from a Confluence group if that group is not present in the OAuth/OpenID response. However, you can exclude some groups from removal in the exclude groups field.
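The combined effect of manual or on-the-fly mapping, Create New Groups, Keep Existing User Groups, the exclude groups field and the default group is easiest to review before rollout by modelling it. The sketch below is an added example, not the plugin's code: function names, parameter names and the sample groups are hypothetical, and it assumes that an on-the-fly group unknown to Confluence is skipped when Create New Groups is off.

```python
# Added illustration: models the group-mapping options described above.
# All function and parameter names are hypothetical, not the plugin's API.

def map_groups(provider_groups, mode, manual_map=None,
               confluence_groups=(), create_new_groups=False):
    """Translate provider groups into Confluence groups."""
    sent = set(provider_groups)
    if mode == "manual":
        # manual_map: Confluence group -> provider group names mapped to it
        return {cg for cg, names in (manual_map or {}).items()
                if sent & set(names)}
    # On-the-fly: names match one-to-one. Assumption: a name unknown to
    # Confluence is skipped unless "Create New Groups" is ticked.
    known = set(confluence_groups)
    return {g for g in sent if g in known or create_new_groups}


def groups_after_login(current, mapped, keep_existing=True,
                       exclude=(), default_group=None):
    """Membership after SSO under the Keep Existing User Groups rule."""
    current, mapped = set(current), set(mapped)
    if keep_existing:
        result = current | mapped
    else:
        # Groups missing from the response are removed unless excluded.
        result = mapped | (current & set(exclude))
    if not mapped and default_group:
        result.add(default_group)  # fallback when no group is mapped
    return result


# Constructed sample data, not taken from a real instance.
CURRENT = {"confluence-users", "confluence-administrators", "space-admins"}
KNOWN = CURRENT | {"Confluence-software-users"}
RESPONSE = ["dev", "confluence-users"]

if __name__ == "__main__":
    otf = map_groups(RESPONSE, "on-the-fly", confluence_groups=KNOWN)
    after = groups_after_login(CURRENT, otf, keep_existing=False,
                               exclude=["confluence-administrators"])
    print("kept/added:", sorted(after))
    print("removed:   ", sorted(CURRENT - after))
    manual = map_groups(RESPONSE, "manual",
                        manual_map={"Confluence-software-users": ["dev"]})
    print("manual map:", sorted(manual))
```

With Keep Existing User Groups unticked, the sample user loses space-admins on the next login, while the excluded administrators group survives even though the provider never sent it.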

Step 5: Advanced SSO Configurations
- Enable PKCE to enhance security by adding an extra layer of protection to the OAuth flow, preventing authorization code interception attacks.
- Allow User Creation: Enabling this will allow you to create new users through SSO.
- Directory for New User: After a successful SSO, if the user is not found in Confluence, a new user account will be created in the selected user directory.
- Remote Directory Sync: The user details will be synced from the remote directory on successful SSO only if the user exists in the remote directory.
- ACR Value: Requests additional information from the OpenID provider to determine the Level of Assurance for user authentication.
- State Parameter: Protects against CSRF attacks by sending a unique, non-guessable value with the authorization request, mandatory for certain providers.
- Add Custom Parameters: Allows the inclusion of extra parameters in the authentication request.


Step 6: SSO Setting
The configurations within the SSO Settings tab are pivotal in shaping the user experience for Single Sign-On.
6.1 Sign In Settings
- Enable Auto Redirect to Application to redirect users to the OAuth/OIDC provider when accessing the Confluence login page. You can set a delay before redirection.
- Next, toggle the Enable Backdoor Login option for emergency access using a backdoor URL. Restrict access to this URL for specific groups if needed.
- You can use Domain Restriction to allow login for specific user domains and configure multiple allowed domains (semicolon-separated).
- The Secure Admin Login option ensures the re-authentication of admin users before accessing pages with administrative permissions.

6.2 Redirection Rules
- Redirection rules allow you to redirect users to login pages/providers based on their email domains, groups, or directories. This functionality is especially useful with multiple configured providers.
- To create a new rule, go to the Redirection Rules tab and click Add Your First Rule.
- Next, give the rule a name and set the conditions for redirection. Click Save once you’re done.
- You can also set a default rule if no other rule conditions are met.
- Once you set a redirection rule, users who fulfill its conditions will be shown a login form, prompting them to input their username/email address. You can set domain-based rules for directing users to specific providers as well.



6.3 Session Management
- Enable the User Session Management option to set the Remember Me-Cookie, which keeps users logged in until they are explicitly logged out.

6.4 Look and Feel
These settings will allow you to change the look and feel of the login page and error message. To access these settings click on the Look and Feel tab from the left sidebar.
- You can customize the default login button text, or design the login page completely using a customizable template.
- You can also have a custom login page and template for the customer portal.
- The SSO Error Message section allows you to modify how error messages will be displayed to your users.


6.5 Post Logout Configurations
- If you want to redirect users to a URL after they log out, use Custom Logout URL under the Post Logout Configuration tab.
- Similar to the customizable login template, you can also design the Logout page to improve the user experience.

6.6 Global SSO Settings
- SSO can be enabled/disabled from the Global SSO Settings tab in the left sidebar. You can enable SSO for Confluence software and service desk using the options Enable SSO for Confluence Software and Enable SSO for Confluence Service Desk.
- If you want to enforce SSO for Service Desk agents only, select the Enable SSO Only For ServiceDesk Agents option.
- You can change additional settings such as Allow Users to Change Password, Restrict access to plugin APIs and Auto Activate Users on SSO.
- You can enable Set Remember Me-Cookie in the Session Management tab to keep users logged in until they are explicitly logged out.
