Confluence Data Center / CONFSERVER-59126

Disabling SAML override in Confluence Data Center doesn't work

      Issue Summary

      Disabling SAML override in Confluence DC, which is meant to ensure that users can log in to Confluence only via SAML/SSO, still allows users to open the default login URL and access the instance with local credentials.

      Steps to Reproduce

      1. Configure Confluence DC with SAML/SSO (steps not covered here)
      2. Disable SAML override by setting allow-saml-redirect-override to false via a REST call to https://localhost:PORT/contextPath/rest/authconfig/1.0/saml with the body:
        {
          "allow-saml-redirect-override": false
        }

      Expected Results

      Once allow-saml-redirect-override is set to false, the default login page is expected to redirect the request to the IdP and not allow local users to log in to Confluence.

      Actual Results

      Users are still able to access Confluence using local credentials via https://localhost:PORT/contextPath/dologin.action
      or
      https://localhost:PORT/contextPath/dologin.action?auth_fallback

      Workaround

      1. The default login URL can be blocked at the Tomcat level, using the instructions in this KB:
        How to block access to a specific URL at Tomcat
      2. The URL can also be blocked or redirected at the proxy.

      Note: To enable the auth_fallback URL during maintenance windows, the URL blocking workarounds will need to be reverted.
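The following check is an added example, not part of the issue or of Atlassian's code. It reads the SAML config key named above and probes the two login URLs from the report, flagging any that still serve the local login form (the bug) rather than a redirect to the IdP or a block from the Tomcat/proxy workaround. It assumes an injected fetch(url) callable returning (status, headers, body), so it runs against a live instance or canned responses, and it assumes the local login form carries an os_username field.

```python
import json
from urllib.parse import urljoin

# Paths named in the issue; base_url is assumed to include the context path.
SAML_CONFIG_PATH = "rest/authconfig/1.0/saml"
LOCAL_LOGIN_PATHS = ("dologin.action", "dologin.action?auth_fallback")
OVERRIDE_KEY = "allow-saml-redirect-override"
# Assumed marker for the local Confluence login form (Seraph username field).
LOCAL_FORM_MARKER = 'name="os_username"'


def classify_login_response(status, headers, body, idp_host):
    """Classify what a request to a login URL actually produced."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308):
        target = headers.get("location", "")
        return "idp-redirect" if idp_host in target else "other-redirect"
    if status in (401, 403, 404):
        return "blocked"            # Tomcat or proxy workaround in place
    if status == 200 and LOCAL_FORM_MARKER in body:
        return "local-login-form"   # the bypass described in the issue
    return "other"


def audit_login_bypass(base_url, fetch, idp_host):
    """Read the SAML config, probe the local login URLs and report findings.

    fetch(url) must return (status, headers, body); it is injected so the
    audit can run against a live instance or canned responses."""
    base_url = base_url.rstrip("/") + "/"
    status, _headers, body = fetch(urljoin(base_url, SAML_CONFIG_PATH))
    config = json.loads(body) if status == 200 else {}
    findings = {
        "override_disabled": config.get(OVERRIDE_KEY) is False,
        "results": {},
        "exposed": [],
    }
    for path in LOCAL_LOGIN_PATHS:
        status, headers, body = fetch(urljoin(base_url, path))
        kind = classify_login_response(status, headers, body, idp_host)
        findings["results"][path] = kind
        if kind == "local-login-form":
            findings["exposed"].append(path)
    return findings
```

An "exposed" list that is non-empty while override_disabled is True reproduces the issue; after applying the Tomcat or proxy workaround it should be empty, and it will become non-empty again whenever the auth_fallback block is lifted for maintenance.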


            Richard Atkins added a comment

            Fixed in SSO for Data Center plugin version 4.1.0, which is compatible with Confluence 7.2.1 and above. This version was bundled in Confluence 7.7.0 and above.

            Supakorn Wongsawang added a comment

            Hi team,

            Any update on this? We have some users that face this problem, and we already block dologin.action on our load balancer, so now it blocks our users from using Confluence. It's very critical to us. Please help prioritize this problem.

            Best Regards,

            Supakorn Wongsawang

            Aaron Matthys added a comment - - edited

            Any updates on this being released?


            Aaron Matthys added a comment - - edited

            This was brought up by our security team today and needs to be fixed ASAP. Please give us a workaround until this is fixed. I do not agree this is a Sev 3 Minor issue. A security hole like this should be at least a Sev 2. 


            Avin Singhal added a comment - - edited

            Hi Team,

            When can we expect the resolution for the reported bug? Is there any mitigation you can suggest, or steps by which we can disable this URL: url/dologin.action

            We have another client-facing instance on version 6.15.9; it seems that it too is affected by the same bug.

            This is very critical for us.

            Regards

            Avin

            sachin sharma added a comment - - edited

            Hi Atlassian team,

            This bug is affecting us, as it is a sev-1 for us. Our organization's information security policy does not allow basic authentication by entering a username and password on the login screen to access our Confluence site. Since we have multi-factor authentication in place via SAML login, a single possibility of bypassing SAML is a security vulnerability for us. Please provide a workaround to at least block this URL via reverse proxy settings.

            Thanks,

            sachin

              Assignee: Unassigned
              Reporter: Osimar Medeiros (omedeiros@atlassian.com)
              Affected customers: 6
              Watchers: 20
