Disabling SAML override in Confluence Data Center doesn't work


    • Severity 2 - Major

      Issue Summary

      Disabling SAML override in Confluence DC, which is intended to ensure that users can log in to Confluence only via SAML/SSO, still allows users to open the default login URL and authenticate with local credentials.

      Steps to Reproduce

      1. Configure Confluence DC with SAML/SSO (steps not covered here)
      2. Disable SAML override by setting allow-saml-redirect-override to false via a REST call to https://localhost:PORT/contextPath/rest/authconfig/1.0/saml with the body
        {
          "allow-saml-redirect-override": false
        }

      Expected Results

      Once allow-saml-redirect-override is set to false, the default login page is expected to redirect the request to the IdP and no longer allow local users to log in to Confluence.

      Actual Results

      Users are still able to access Confluence with local credentials via https://localhost:PORT/contextPath/dologin.action
      or
      https://localhost:PORT/contextPath/dologin.action?auth_fallback

      Workaround

      1. The default login URL can be blocked at the Tomcat level, using the instructions in this KB:
        How to block access to a specific URL at Tomcat
      2. The URL can also be blocked or redirected at the proxy.

      Note: To enable the auth_fallback URL during maintenance windows, the URL blocking workarounds will need to be reverted.
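The following script is an added example, not part of the original report or of Atlassian's tooling. It builds the REST request from step 2 of the reproduction and then probes the two login URLs named under Actual Results, classifying each response as blocked (the Tomcat or proxy workaround is in place), redirected to the IdP (the expected behaviour), or a local login form (the bug). The base URL, port and context path are placeholders; the use of PUT with a JSON body for the authconfig endpoint, the SAMLRequest query parameter as the marker of an IdP redirect, and os_username as the field name of the local login form are assumptions made for this example and are marked as such in the code.

```python
import json
import urllib.error
import urllib.request

# Placeholder built from the report's https://localhost:PORT/contextPath pattern;
# the port and context path are assumptions, not values from the issue.
BASE_URL = "https://localhost:8443/confluence"

# Endpoint named in the report. Assumption: it accepts the setting as a JSON
# body sent with PUT; the issue gives the URL and the key, not the HTTP method.
AUTHCONFIG_SAML = "/rest/authconfig/1.0/saml"

# The two paths the issue reports as still serving local login.
LOGIN_PATHS = ("/dologin.action", "/dologin.action?auth_fallback")


def saml_override_request(base_url, allow_override):
    """Build the REST request from step 2: set allow-saml-redirect-override.

    Admin authentication (basic auth or a session cookie) is assumed to be
    added by the caller; the report does not show it.
    """
    body = json.dumps({"allow-saml-redirect-override": allow_override}).encode()
    req = urllib.request.Request(base_url + AUTHCONFIG_SAML, data=body, method="PUT")
    req.add_header("Content-Type", "application/json")
    return req


def classify_login_response(status, headers, body_text):
    """Decide what a login URL actually does from its raw HTTP response.

    Returns one of:
      "blocked"      - a 401/403/404, i.e. the Tomcat or proxy rule denies the path
      "idp_redirect" - a redirect carrying a SAMLRequest (what the issue expects)
      "local_login"  - a 200 with a username field (the behaviour the issue reports)
      "other"        - anything else, left for manual review
    Assumptions: the SAML HTTP-Redirect binding puts SAMLRequest in the Location
    query string, and the local form uses the Seraph field name os_username.
    """
    location = headers.get("Location", "")
    if status in (401, 403, 404):
        return "blocked"
    if status in (301, 302, 303, 307, 308) and "SAMLRequest=" in location:
        return "idp_redirect"
    if status == 200 and 'name="os_username"' in body_text:
        return "local_login"
    return "other"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the 3xx itself can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urlopen raise HTTPError for the redirect


def probe_login_paths(base_url):
    """Fetch each login path without following redirects and classify it."""
    opener = urllib.request.build_opener(_NoRedirect)
    results = {}
    for path in LOGIN_PATHS:
        try:
            with opener.open(base_url + path, timeout=10) as resp:
                status, headers = resp.status, resp.headers
                body = resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:
            # Redirects and 4xx responses arrive here because of _NoRedirect.
            status, headers = err.code, err.headers
            body = err.read().decode(errors="replace")
        results[path] = classify_login_response(status, headers, body)
    return results


if __name__ == "__main__":
    for path, verdict in probe_login_paths(BASE_URL).items():
        print(f"{path}: {verdict}")
```

Run it against the instance after setting the override to false: "local_login" on either path reproduces the issue, and both paths should report "blocked" once the Tomcat or proxy rule is applied. If the proxy rule is scoped to allow only the maintenance source address instead of denying the path outright, the auth_fallback URL stays usable during maintenance windows without reverting the block (a design choice suggested here, not something the report prescribes). A self-signed certificate on a test instance will need to be in the trust store for the probe to connect.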

              Assignee:
              Unassigned
              Reporter:
              Osimar M. (Osi) | Atlassian Support (Inactive)
              Votes:
              6
              Watchers:
              20