- Type: Bug
- Resolution: Fixed
- Priority: Medium
- 3.3, 3.4
- None
When a user is required to confirm their password, Confluence always checks the entered password against the user store it manages internally through atlassian-user. If an instance is configured to use a custom authenticator that does not authenticate against atlassian-user, the password validation will fail.
Resolution
This is fixed in Confluence 3.4 and later versions. We check whether the Confluence instance is configured to use a non-default Seraph authenticator and, if so, automatically disable the functionality that relies on password confirmation:
- web sudo
- captcha
- password confirmation on email change
To override this behaviour, use the password.confirmation.disabled flag. If you set this flag to false, then even if you have a custom authenticator, password confirmation will still work as configured and will try to validate the password against the user management configured through atlassian-user.xml.
Note that web sudo and the other password confirmation screens should probably be disabled if you use an SSO authenticator. In that setup Confluence is typically not able to verify a user's password, so we recommend relying on other mechanisms (such as the SSO provider's own re-authentication) for your administrative security.
- is related to: CONFSERVER-21855 AD/Crowd authenticated administrators using Confluence-controlled password (not the AD one) (Closed)
- relates to: CONFSERVER-22421 websudo does not work with Confluence when it's integrated with Crowd SSO (Closed)
- was cloned as: CONFSERVER-22875 Support web sudo and other password confirmation features with custom authenticators (Closed)