- Bug
- Resolution: Unresolved
- Low
- None
- 6.10.2
- None
- 1
- Severity 3 - Minor
- 0
Summary
An internal directory user's password needs to match the one in Crowd under the following conditions:
- SSO is enabled
- Confluence Internal Directory is in a higher position than Crowd Directory in the User Directories setting
Steps to Reproduce
- Integrating Crowd with Atlassian Confluence
- Create a user who has the same username in each directory, as follows
  - Confluence Internal Directory:
    - username: testuser
    - password: password1
  - Crowd Directory:
    - username: testuser
    - password: password2
- Move Confluence Internal Directory to a higher position than Crowd Directory in Confluence administration > User Directories
- Enable SSO by following the instructions in the above page
- Try to log in to Confluence with the latter credential (the one in Crowd Directory)
  - Please log in to Confluence from Confluence's login page and do not log in from Crowd or the other SSO enabled applications
Expected Results
As the documentation says,
"It is possible to define multiple user directories in Confluence. However, if you enable Crowd SSO integration, you will only be able to authenticate as users from the Crowd server defined in the crowd.properties file."
the credential in Crowd Directory should be used for the authentication and the login should succeed.
Actual Results
The login failed. Even when we tried to log in with the credential in Confluence Internal Directory, it failed as well. It means both of the passwords need to match each other.
Notes
The user seemed to be authenticated twice by both Jira Internal Directory and Crowd Directory in this situation.
There was also a suggestion which asked for disabling directories other than Crowd if SSO was enabled, but it was already closed as "Won't Fix".
Workaround
We can still log in to Confluence from other SSO enabled applications' login pages.
- relates to
  - JRASERVER-68094 Project category will be displayed 'undefined' if Administrator doesn't have Browse Projects permission
    - Gathering Impact
  - CONFSERVER-25060 Disable user directories when Crowd SSO authenticator is in use
    - Closed