This is probably my longest standing action item in TERENA : implement a federated version of Confluence.
Below is the recipe for getting this to work with Ubuntu 12.04, Confluence 5.1.1, Apache, and modmellon.
I choose modmellon because it seemed like a cleaner solution than mod_shib, requiring no additional daemons and much simpler configuration.
The wiki will be open to the public, and logins will only be federated. New users will have their account automatically created, and are put in the confluence-users group.
Prerequisites
Before you start, make sure you have these bits:
- A correctly configured apache web server that is able to serve an HTTPS web site (https://example.com).
- A SAML Identity Provider (IdP).
- An account on that IdP.
- An attribute that can be used as username in Confluence (for example eduPersonPrincipalName). Attributes for full name and e-mail are optional but recommended. In this case we assume 'mail' and 'displayName' can be used.
- The user name of the to-be administrator account. So, if you choose eduPersonPrincipalName as the attribute for username, you need to know your own value (for instance 'dvisser@surfnet.nl').
PostgreSQL
Code Block |
---|
apt-get install postgresql |
Create a dedicated database user, and a database:
Code Block |
---|
sudo su - postgres createuser -S -d -r -P -E confuser createdb -O confuser confluence |
Confluence - part 1
This is a default install of Confluence, which has only local account and no federated logins - that comes later in part 2.
Install OpenJDK:
Code Block |
---|
apt-get --no-install-recommends install openjdk-7-jdk |
Download the source http://www.atlassian.com/software/confluence/downloads/binary/atlassian-confluence-5.5.3.tar.gz and unpack it to /opt/confluence
. All relative paths mentioned below are relative to this directory.
Create a home directory for Confluence (/home/confluence
).
Edit confluence/WEB-INF/classes/confluence-init.properties
and configure confluence.home=/home/confluence
.
Upstart script for Confluence
Ubuntu uses the new upstart init scripts, which we should use.
Create the upstart script /etc/init/confluence
:
Code Block | ||||
---|---|---|---|---|
| ||||
# Upstart script for confluence description "Atlassian Confluence" start on runlevel [2345] stop on runlevel [!2345] kill timeout 30 env RUN_AS_USER=root env BASEDIR=/opt/confluence script LOGFILE=$BASEDIR/logs/catalina.out exec su - $RUN_AS_USER -c "$BASEDIR/bin/catalina.sh run" >> $LOGFILE 2>&1 end script |
Once this script is here, issue "start confluence" to get going, and watch the log file /opt/confluence/log/catalina.out
. After some time you should see something like this:
Code Block |
---|
INFO: Starting Coyote HTTP/1.1 on http-8090 Apr 09, 2013 5:14:43 PM org.apache.catalina.startup.Catalina start INFO: Server startup in 65971 ms |
By this time you can point your browser to http://example.com:8090, and it should come up with a configuration wizard that will ask for a license key, database credentials, a local admin account, etc. Once that is all done, things should be working, but nothing federated yet, only local accounts.
At this point you need to do some preparation so that stuff will work properly later on through Apache:
- Create a new admin account with the correct federated username. For instance, if you have decided on using eduPersonPrincipalName as the username, and the value of that attribute for your federated account is 'dvisser@surfnet.nl', create an account with that exactly that username.
- Make sure this newly created account is a member of "confluence-administrators".
- Configure the
Modmellon
Modmellon is an Apache module. To get this working I recompiled the Debian source packages from the University of Tilburg for Ubuntu 12.04 and made them available in our own APT repository.
Once that is done, the needed packages can be installed:
Code Block |
---|
apt-get install libapache2-mod-auth-mellon a2enmod auth_mellon |
Create a directory /etc/apache/mellon, and store the Identity Provider metadata in XML format to a file called idp.xml.
Create the cryptographic material for the mellon SP:
Code Block |
---|
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout sp.key -out sp.crt |
Now add this to the configuration of the vhost (note that this is not the entire config - you should have the HTTPS stuff etc already configured):
Code Block | ||||
---|---|---|---|---|
| ||||
ServerName example.com ProxyRequests Off <Proxy http://ip6-localhost:8090> Order deny,allow Allow from all </Proxy> ProxyPass /mellon/ ! ProxyPass / http://ip6-localhost:8090/ ProxyPassReverse / http://ip6-localhost:8090/ # Mobile theme does not honour new seraph values for login URL, so we have to redirect that RewriteEngine on RewriteCond %{QUERY_STRING} ^originalUrl=(.*)$ [NC] Rewriterule ^/plugins/servlet/mobile/login /mellon/login?ReturnTo=%1 [R,NE] # Remove the jsessionid from the URL, to prevent 404 errors when # unauthenticated visitors try to access a protected resource. ReWriteRule ^(.*);jsessionid=[A-Za-z0-9]+(.*)$ $1$2 [R,NE] <Location /> MellonEnable "info" MellonSecureCookie On MellonSessionDump Off MellonSamlResponseDump Off MellonEndpointPath "/mellon" MellonSPPrivateKeyFile /etc/apache2/mellon/sp.key MellonSPCertFile /etc/apache2/mellon/sp.crt MellonIdPMetadataFile /etc/apache2/mellon/idp.xml # To avoid security holes, first unset any existing header RequestHeader unset REMOTE_USER # Then conditionally set it RequestHeader set REMOTE_USER "%{MELLON_eduPersonPrincipalName}e" env=MELLON_eduPersonPrincipalName RequestHeader unset CONF_FULL_NAME RequestHeader set CONF_FULL_NAME "%{MELLON_displayName}e" env=MELLON_displayName RequestHeader unset CONF_EMAIL RequestHeader set CONF_EMAIL "%{MELLON_mail}e" env=MELLON_mail </Location> |
By this time, you should be able to download the Service Provider metadata from https://example.com/mellon/metadata, and use it to add it to your IdP, thereby creating a trust relationship.
And once that is done, you should be able to use federated authentication by going to https://example.com/mellon/login?ReturnTo=%2F
Confluence - part 2
Now everything is in place to federate Confluence. Make sure that Confluence isn't running any more.
- Download the right version of remoteUserAuth.jar (I used 2.5.0) from https://github.com/chauth/confluence_http_authenticator/tree/master/releases, and store it in
confluence/WEB-INF/lib.
Make sure you're actually downloading the JAR file and not the HTML page. - Download https://github.com/chauth/confluence_http_authenticator/blob/master/conf/remoteUserAuthenticator.properties and save it as
confluence/WEB-INF/classes/remoteUserAuthenticator.properties
. The defaults were almost OK, the only thing I needed to change was convert.to.utf8=true. Edit
confluence/WEB-INF/classes/seraph-config.xml
and change this section in the beginning:Code Block language html/xml <init-param> <param-name>login.url</param-name> <param-value>/login.action?os_destination=${originalurl}</param-value> </init-param> <init-param> <param-name>link.login.url</param-name> <param-value>/login.action</param-value> </init-param>
To this:
Code Block language html/xml <init-param> <param-name>login.url</param-name> <param-value>/mellon/login?ReturnTo=${originalurl}</param-value> </init-param> <init-param> <param-name>link.login.url</param-name> <param-value>/mellon/login?ReturnTo=%2Fdashboard.action</param-value> </init-param>
You should now be able to use federated logins.
Confluence - mobile theme
The new Confluence feature a dedicated theme for use on mobile devices. This is great, but unfortunately both the login and logout buttons in that theme do not work - they still point to the 'old' static login/logout links.
Login button
I couldn't find any way to do this in Confluence, so I ended up rewriting it in Apache. See the snippet in the Apache config above.
Logout button
Code Block |
---|
apt-get --no-install-recommends install openjdk-7-jdk |
Then do:
mkdir /tmp/jar
cd /tmp/jar
jar xf /opt/confluence/confluence/WEB-INF/lib/confluence-5.5.3.jar
xwork.xml
and change this part:
Code Block | ||
---|---|---|
| ||
<action name="logout" class="com.atlassian.confluence.user.actions.LogoutAction"> <interceptor-ref name="defaultStack"/> <result name="error" type="velocity">/logout.vm</result> <result name="success" type="redirect">/login.action?logout=true</result> </action> |
to this:
Code Block | ||
---|---|---|
| ||
<action name="logout" class="com.atlassian.confluence.user.actions.LogoutAction"> <interceptor-ref name="defaultStack"/> <result name="error" type="velocity">/logout.vm</result> <result name="success" type="redirect">/mellon/logout?ReturnTo=%2Fdashboard.action</result> </action> |
Now "jar" everything up again and replace the original jar:
Code Block | ||
---|---|---|
| ||
cd /tmp/jar jar cf /opt/confluence/confluence/WEB-INF/lib/confluence-5.5.3.jar . |
Restart Confluence. You should now also be able to use federated logins on your iPad/etc.
jsessionid errors
If unauthenticated users try to access content that is protected, Confluence tries to set jsessionid as part of the URL. This leads to 404 errors like this:
Code Block |
---|
NOT FOUND The requested URL /mellon/login;jsessionid=8A736F43779F96249F6C3DC41067BB98 was not found on this server. |
Since the jsessionid part isn't needed, it can be removed uses a rewrite statement (see apache config above).
Limit access to the unprotected TCP port
Confluence by default listens to TCP port 8090 on all interface. Since Apache will be the internet facing application, there is no need for Confluence to listen on all interfaces. Even worse, if you do let it listen on the internet then it is trivial to add a REMOTE_USER header and spoof any account. Of course it is good practice to use a firewall to protect this port, but you can limit this in Confluence as well. Since Apache is configured to only connect to the (IPv6) localhost address, this is what you should configure Confluence to use as listening address. As per Tomcat docs, you should add an "address" attribute to the Connector, which is located in conf/server.xml
:
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8090" address="::1" minProcessors="5"