Details
- Suggestion
- Resolution: Unresolved
Description
Summary
Large or Enterprise clients using the built-in Confluence SAML plugin (in Confluence Data Center 6.1+) may need the ability to map a different user attribute to the SAML response for NameID, if they cannot change this on the provider side.
For example, in the case where the SAML IdP has mapped NameID to the user email:
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">username@example.com</saml:NameID>
- If the Confluence username is not also 'username@example.com', Confluence rejects the SAML response, because that email address does not exist as a username in the Confluence database.
- If a Confluence user with the username 'username@example.com' does exist, the SAML response allows that user to log in to Confluence.
Some IdP providers, or some companies subscribed to an IdP provider, may not have the ability to change what LDAP attribute the NameID is mapped to on the IdP (SAML Provider) side. In those cases, they need the ability to tell Confluence that the NameID in the SAML response is equal to the email address of said user.
The current requirements for NameID in the SAML response are noted in Saml Single Sign On For Atlassian Data Center Applications:
Make sure the NameID attribute of the users in your IdP is set to the username in your Atlassian application
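The matching step described above, as an added example that is not Confluence's or the SAML plugin's code: it pulls the NameID out of an assertion and resolves it against a constructed local user list either by username (the current behaviour) or by email (the option this suggestion asks for). The user list, the assertion fragment and the function names are all constructed for illustration; signature and audience validation of the response is assumed to have already happened.

```python
"""Resolve a SAML NameID to a local user by a configurable attribute."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed local directory standing in for the Confluence user database.
LOCAL_USERS = [
    {"username": "jsmith", "email": "username@example.com"},
    {"username": "admin", "email": "admin@example.com"},
]

# Constructed assertion fragment carrying the NameID quoted in the issue.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">username@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def extract_name_id(assertion_xml: str) -> tuple:
    """Return (value, format) of the Subject's NameID, or raise if absent.

    Only run this on an assertion whose signature has already been verified;
    production code should also use a hardened parser such as defusedxml.
    """
    root = ET.fromstring(assertion_xml)
    node = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion has no NameID")
    return node.text.strip(), node.attrib.get("Format", "")


def resolve_user(name_id: str, match_attribute: str = "username", users=LOCAL_USERS):
    """Return the username whose `match_attribute` equals the NameID exactly.

    Comparison is exact and case-sensitive, and anything other than a single
    match returns None, so an ambiguous email can never log in as the wrong
    account.
    """
    if match_attribute not in ("username", "email"):
        raise ValueError(f"unsupported match attribute: {match_attribute}")
    matches = [u for u in users if u.get(match_attribute) == name_id]
    if len(matches) != 1:
        return None
    return matches[0]["username"]
```

With the default `username` attribute the sample NameID is rejected, exactly as the issue describes; switching the attribute to `email` maps it to `jsmith`.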