Versions Compared

Old Version 4

changes.mady.by.user Dick Visser

Saved on

compared with

New Version 5

changes.mady.by.user Dick Visser

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

I choose modmellon because it seemed like a cleaner solution than mod_shib, requiring no additional daemons and much simpler configuration.

The wiki will be open to the public, and logins will only be federated. New users will have their account automatically created, and are put in the confluence-users group.

 

Prerequisites

Before you start, make sure you have these bits:

...

  • A correctly configured apache web server that is serving able to serve an HTTPS web site (https://example.com).
  • A SAML Identity Provider (IdP).
  • An account on that IdP.
  • An attribute that can be used as username in Confluence (for example eduPersonPrincipalName). Attributes for full name and e-mail are optional but recommended.
  • The user name of the to-be administrator account. So, if you choose eduPersonPrincipalName as the attribute for username, you need to know your own value (for instance 'dvisser@surfnet.nl'.

PostgreSQL

Code Block
apt-get install postgresql

Create a dedicated database user, and a database:

Code Block
sudo su - postgres
createuser -S -d -r -P -E confuser
createdb -O confuser confluence

 

Confluence - part 1

 This is a default install of Confluence, which has only local account and no federated logins - that comes later in part 2.

Install OpenJDK:

Code Block
apt-get --no-install-recommends install openjdk-7-jdk

 

Download the source http://www.atlassian.com/software/confluence/downloads/binary/atlassian-confluence-5.1.tar.gz and unpack it to /opt/confluence. All relative paths mentioned below are relative to this directory.

Create a home directory for Confluence (/home/confluence).

Edit confluence/WEB-INF/classes/confluence-init.properties and configure confluence.home=/home/confluence.

Create the upstart script /etc/init/confluence:

 

Code Block
themeMidnight
languagebash
# Upstart script for confluence
description     "Atlassian Confluence"
start on runlevel [2345]
stop on runlevel [!2345]
kill timeout 30
env RUN_AS_USER=root
env BASEDIR=/opt/confluence
script
    LOGFILE=$BASEDIR/logs/catalina.out
    exec su - $RUN_AS_USER -c "$BASEDIR/bin/catalina.sh run" >> $LOGFILE 2>&1
end script

Once this script is here, issue "start confluence" to get going, and watch the log file /opt/confluence/log/catalina.out. After some time you should see something like this:

Code Block
INFO: Starting Coyote HTTP/1.1 on http-8090
Apr 09, 2013 5:14:43 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 65971 ms

 

By this time you can point your browser to http://example.com:8090, and it should come up with a configuration wizzard that will ask for a license key, database credentials, a local admin account, etc. Once that is all done, things should be working, but nothing federated yet, only local accounts.

At this point you need to do some preparation so that stuff will work properly later on through Apache:

  1. Create a new admin account with the correct federated username. For instance, if you have decided on using eduPersonPrincipalName as the username, and the value of that attribute for your federated account is 'dvisser@surfnet.nl', create an account with that exactly that username. Obviously, Confluence username can 
  2. Make sure this newly created account is a member of "confluence-administrators".
  3. Configure the 
Once this is complete, shut down Confluence by issuing "stop confluence".

 

Modmellon

Modmellon is an apache Apache module. To get this working I recompiled the Debian source packages from the University of Tilburg for Ubuntu 12.04 and made them available in our own APT repository.

...

Now add this to the configuration of the vhost (note that this is not the entire config - you should have the HTTPS stuff etc already configured):

 

Code Block
ServerName example.com
 
ProxyRequests Off
<Proxy http://localhost:8090>
        Order deny,allow
        Allow from all
</Proxy>


ProxyPass /mellon/ !
ProxyPass / http://localhost:8090/
ProxyPassReverse / http://localhost:8090/


# Mobile theme does not honour new seraph values, so we have to redirect that
RewriteEngine on
RewriteCond     %{QUERY_STRING} ^originalUrl=(.*)$      [NC]
Rewriterule     ^/plugins/servlet/mobile/login          /mellon/login?ReturnTo=%1 [R,NE]

<Location />
        MellonEnable "info"
        MellonSecureCookie On
        MellonSessionDump Off
        MellonSamlResponseDump Off
        MellonEndpointPath "/mellon"
        MellonSPPrivateKeyFile /etc/apache2/mellon/sp.key
        MellonSPCertFile /etc/apache2/mellon/sp.crt
        MellonIdPMetadataFile /etc/apache2/mellon/idp.xml

        # First unset to avoid security holes
        RequestHeader unset REMOTE_USER
        RequestHeader set REMOTE_USER "%{MELLON_username}e" env=MELLON_username

        RequestHeader unset FULLNAME
        RequestHeader set FULLNAME "%{MELLON_fullname}e" env=MELLON_fullname

        RequestHeader unset MAIL
        RequestHeader set MAIL "%{MELLON_email}e" env=MELLON_email
</Location>

 

By this time, you should be able to download the Service Provider metadata from https://example.com/mellon/metadata, and use it to add it to your IdP, thereby creating a trust relationship. 

PostgreSQL

Code Block
apt-get install postgresql

Create a dedicated database user, and a database:

Code Block
sudo su - postgres
createuser -S -d -r -P -E confuser
createdb -O confuser confluence

 

 

Confluence 

Install OpenJDK:

Code Block
apt-get --no-install-recommends install openjdk-7-jdk

 

Download the source http://www.atlassian.com/software/confluence/downloads/binary/atlassian-confluence-5.1.tar.gz and unpack it to /opt/confluence.

Edit /opt/confluence/conflue

Once installed, use this upstart script to have start on boot:

 

Code Block
themeMidnight
languagebash
# Upstart script for confluence
description     "Atlassian Confluence"
start on runlevel [2345]
stop on runlevel [!2345]
kill timeout 30
env RUN_AS_USER=root
env BASEDIR=/opt/confluence
script
    LOGFILE=$BASEDIR/logs/catalina.out
    exec su - $RUN_AS_USER -c "$BASEDIR/bin/catalina.sh run" >> $LOGFILE 2>&1
end script

Once this is there, you can simply issue "start confluence", "stop confluence", "restart confluence".

 

Once that is done, you should be able to use federated authentication by going to https://example.com/mellon/login?ReturnTo=/

 

 

Confluence - part 2

Now everything is in place to federate Confluence. Make sure that Confluence isn't running any more.

  1. Download the right version of remoteUserAuth.jar from https://github.com/chauth/confluence_http_authenticator/tree/master/releases, and store it in confluence/WEB-INF/lib
  2. Download https://github.com/chauth/confluence_http_authenticator/blob/master/conf/remoteUserAuthenticator.properties and save it as confluence/WEB-INF/classes/remoteUserAuthenticator.properties. Edit it to suit your needs.

  3. Edit confluence/WEB-INF/classes/serapth-config.xml and change this section in the beginning: 

    Code Block
           <init-param>
            <param-name>login.url</param-name>
            <param-value>/login.action?os_destination=${originalurl}</param-value>
        </init-param>
        <init-param>
            <param-name>link.login.url</param-name>
            <param-value>/login.action</param-value>
        </init-param>

    To this: 

    Code Block
    languagehtml/xml
            <init-param>
            <param-name>login.url</param-name>
            <param-value>/mellon/login?ReturnTo=${originalurl}</param-value>
        </init-param>
        <init-param>
            <param-name>link.login.url</param-name>
            <param-value>/mellon/login?ReturnTo=%2Fdashboard.action</param-value>
        </init-param>

...