Confluence and Shibboleth
aishtiaq at netuitive.com
Wed Aug 22 10:12:04 EDT 2012
I have a couple of follow-up questions. This is what I have done so far.
- I have installed Shibboleth IDP per instructions on: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPInstall
I was able to successfully do this and get the OK on the status page. Question: in the "before you begin" section, it states: "an SSL certificate that you'll use to secure your IdP's browser-facing HTTP connection".
Is this required? Also, do I need Apache in front of the Tomcat I configured for the IDP?
- I have configured the Confluence Shibboleth Authenticator per instructions on: https://studio.plugins.atlassian.com/wiki/display/SHBL/How+to+Shibbolize+Confluence
Question: Is this all I need to do to make Confluence an SP? I ask because when I got back to Configuring the Shibboleth IDP, the first step is to communicate with an SP, and in that the first step is to load its metadata (https://wiki.shibboleth.net/confluence/display/SHIB2/IdPMetadataProvider). I can't figure out what I would need to do in this step for Confluence.
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Nate Klingenstein
Sent: Tuesday, August 21, 2012 7:34 PM
To: Shib Users
Subject: Re: Confluence and Shibboleth
I am new to the whole Shibboleth stuff. I have spent the last couple of days reading any and everything I can find on it and I am still unclear on some things. Here is what I am trying to do. I have Confluence and another web application for which I want to implement SSO. The username information resides in Confluence.
If your user data store is Confluence, then you'll need to operate a SAML IdP that can use the Confluence database as its underlying identity source. The Shibboleth IdP can probably do this. I would also double-check that Confluence doesn't intend to change the structure of that user data store.
The idea was that if the user is logged into Confluence and clicked on this other website's link from within Confluence, they wouldn't have to log in again. Shibboleth was suggested and sounded like the right solution; however, now I am not so sure. I read up on the Confluence Shibboleth Authenticator, but that ends up making Confluence the SP.
You would want to set up an SP in front of Confluence and in front of the other website. This, along with an IdP using the Confluence user data, will give your users SSO across both sites.
But if I configure it that way, then what's my IdP authenticating the users against, since they are in Confluence's MySQL database?
Am I going about this all wrong? If not, can someone provide some high-level pointers?
I think your understanding is pretty good and Shibboleth is a fine solution for your problem. You just need to remember that Confluence will be acting both as an identity store for an IdP and as an SP receiving that identity data, and there will be a second SP in front of the other website.
Please let us know if, in the event you select Shibboleth software, you have more questions.