By: Raman Chinnanpour user 21 Oct 2019 at 7:13 a.m. CDT

8 Responses
Hi Dear Support Team,

1. Scenario

We have an Atlassian Confluence Server and the "miniOrange OAuth/OpenID Connect for Confluence SSO" plugin has been installed on it. We would like to integrate this Confluence plugin with the Gluu server utilizing OpenID Connect in order to use 2-Factor Authentication for users accessing the Confluence web portal.

2. Configuration

2.1. Gluu Server:

2.1.1. Cache Refresh is configured to sync users with our OpenLDAP Server and it works successfully.

2.1.2. OTP is configured as Default_acr in the Manage Authentication section and works fine.

2.1.3. A Client has been created for Confluence in the OpenID Connect Client section as below:

Standard Setting:
Client Id: @!96B5.D1D5.3F6D.E2AD!0001!B29B.4565!0008!26B5.A473.F21E.****
Client Name: Confluence
Client Secret: ********
Redirect Login URIs: https://[Confluence-Server-FQDN]/plugins/servlet/oauth/callback (This URL is provided in the configuration section of miniOrange OAuth/OpenID Connect)
Scopes: openid
Response Types: code
Grant Type: authorization_code
Subject Type: Pairwise
Authentication method for Token Endpoint: client_secret_basic

Advanced Setting:
Access Token as JWT: True

2.2. miniOrange OAuth/OpenID Connect for Confluence SSO:

2.2.1. miniOrange OAuth has been configured as below:
Select Application: Custom App
App Name: Gluu
Client ID: @!96B5.D1D5.3F6D.E2AD!0001!B29B.4565!0008!26B5.A473.F21E.**** (Client ID generated in the Gluu Server OpenID Client)
Client Secret: ****** (Client Secret configured in the Gluu Server OpenID Client)
Scope: openid
Authorize Endpoint: https://[Gluu Server IP Address]/oxauth/restv1/authorize
Access Token Endpoint: https://[Gluu Server IP Address]/oxauth/restv1/token
Send Parameters in Token Endpoint: Http Header
Get User Info Endpoint: https://[Gluu Server IP Address]/oxauth/restv1/userinfo

2.2.2. User Profile is configured as below in miniOrange OAuth/OpenID Connect:
Disable Attribute Mapping: unchecked
Login/Create Confluence user account by: username
Username: uid
Email: mail
First Name: givenName
Last Name: sn

2.2.3. User Groups is configured as below in miniOrange OAuth/OpenID Connect:
Keep Existing User Groups: checked
Group Attribute: --------
Restrict User Creation: checked
Restrict User Creation based on Group Mapping: unchecked
Group Search Filter:
Confluence Default Group: confluence-users

2.2.4. Sign In Settings is configured as below in miniOrange OAuth/OpenID Connect:
Login Button Text: Use OAuth Login / Show SSO button before Login Button
Relay State: ------
Auto Redirect to IdP: checked

3. Test Configuration and Issue

When we try to open the Confluence login web page, it redirects us to the Gluu server oxAuth login page (https://[Gluu Server IP Address]/oxauth/login.htm). We enter an LDAP username and password, then it requests the OTP code generated by Google Authenticator. After this step we receive a message that indicates "Confluence is requesting permission to do the following: Authenticate using OpenID Connect". By clicking Allow we receive another message indicating "Confluence is requesting permission to do the following: Requested transaction #[Random Number] approval for the amount of sum $[Random Cost]". After clicking Allow we receive the following error:

An unexpected error occurred in response. Seems like configuration issue. Please check your provider settings.

Could you please help us in this case?

Kind Regards,
Raman Chinnanpour

By Aliaksandr Samuseu staff 21 Oct 2019 at 12:04 p.m. CDT

Hi, Raman. Thanks for the detailed description, but it's hard to understand how exactly the flow proceeds. Please provide a HAR file with its trace so we could see it clearly. You can use the steps listed [here](https://www.inflectra.com/support/knowledgebase/kb254.aspx) - please use Firefox for that task, Chrome's HARs are flawed. Also don't forget to set the "Persist log" and "Disable cache" checkboxes in the console to save everything, not just the recently loaded page. Also, you could consider recording a video of the whole process.

So far, it was my understanding that the flow actually goes back to Confluence in the end, i.e. Gluu Server seems to do its job without obvious issues, and then Confluence fails to finish the flow. Please note that we offer limited support for configuring 3rd party software within Community support.

In addition, consider the next kind of test:

1. In your main browser, log in to the web UI and go to the "Manage authentication -> Default Authentication Method" page
2. Set the "oxTrust acr" property to the auth method you try to configure ("otp" will be my guess)
3. In another web browser, try to log in to the admin web UI; you should be challenged with the 2FA auth method you set before; if it works and you are logged in to the web UI, there are even more reasons to think that the issue is within your RP software

By Raman Chinnanpour user 23 Oct 2019 at 9:29 a.m. CDT

Hi Aliaksandr Samuseu, Thank you for your reply. Actually I have checked some log files in the Confluence server and I think, as you mentioned in the last message, the Gluu server does its job without problem. The problem is we can't enter the Gluu server Authorize Endpoint URL with the FQDN name in the miniOrange OAuth configuration section, so we have to use the Gluu server IP address in the URL, which causes Confluence (RP) not to receive any response from the Gluu server (OP) when the user is authenticated. We've already sent an email to the miniOrange support team and explained the issue. We would like to be sure that the Gluu server and miniOrange OAuth/OpenID Connect plugin are working well, so please don't close this ticket. I will provide you with the new information from the miniOrange support team. Thank you again for your support. Kind Regards, Raman

By Aliaksandr Samuseu staff 01 Nov 2019 at 7:13 a.m. CDT

Hi, Raman. Any updates from miniOrange so far?

By Aliaksandr Samuseu staff 05 Nov 2019 at 1:18 p.m. CST

Hi, Raman. Have you heard from them so far? Do you still need the ticket to stay open?

By Raman Chinnanpour user 06 Nov 2019 at 3:12 a.m. CST

Hi Aliaksandr, I'm so sorry for the late reply. Yes, I explained the bug to the miniOrange Team and they have fixed it. Actually, that didn't work again, so I tried to monitor the Confluence log files at Debug level and I realized that the Gluu server is sending the username attribute as "user_name". Then I adjusted the username field in the miniOrange OpenID plugin to match the Gluu server username attribute, and after that it started working fine. We have encountered another problem in which we couldn't log out of Confluence, so I set "https://gluu-srv.debln01.loc/identity/authentication/finishlogout" as the Custom Logout URL in the miniOrange plugin and now we can log out of Confluence. However, I'm not sure if this is the correct Logout URL that we should use, because I just found this URL in Gluu server --> JSON Configuration --> oxTrust Configuration, and as I know oxAuth Configuration is the right place to pick up the OpenID Connect config information. Could you please confirm that this is the right one, or should we use another Logout URL for this purpose? Kind Regards, Raman
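The root cause in this post was a claim-name mismatch: the plugin was mapping the Confluence username to `uid`, while the OP emitted the username as `user_name`. The script below is an added example, not code from the thread, from Gluu or from miniOrange. It shows how an RP administrator can make that mismatch visible before users hit a failed login: it decodes the payload of a JWT access token (the client in this thread has "Access Token as JWT" enabled), merges it with the userinfo response, and reports every mapped claim the OP did not actually send. The token, the userinfo document and the claim values are constructed sample data; the claim name `user_name` and the mapping `uid`/`mail`/`givenName`/`sn` come from the posts above.

```python
import base64
import json

# Constructed sample data (not taken from the thread): a compact JWS whose payload
# carries the username as "user_name", as the Confluence debug logs showed the
# Gluu server doing, plus a userinfo response. The signature segment is a dummy
# value; this script never verifies it.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


SAMPLE_ACCESS_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({
        "iss": "https://gluu.example.test",          # placeholder issuer
        "aud": "client-id-placeholder",
        "user_name": "rchinnanpour",                  # constructed sample value
        "scope": ["openid"],
    }).encode()),
    "dummy-signature",
])

SAMPLE_USERINFO = {
    "sub": "pairwise-subject-placeholder",
    "user_name": "rchinnanpour",
    "mail": "rchinnanpour@example.test",
    "givenName": "Raman",
    "sn": "Chinnanpour",
}

# Attribute mapping from the first post (Confluence field -> claim name) and the
# mapping after the username field was changed to match what the server sends.
ORIGINAL_MAPPING = {"username": "uid", "email": "mail",
                    "first_name": "givenName", "last_name": "sn"}
CORRECTED_MAPPING = dict(ORIGINAL_MAPPING, username="user_name")


def b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    # Decodes only the payload so the claim names the OP emits can be inspected.
    # No signature check is done here: this is a diagnostic aid for mapping
    # problems, not something an RP may rely on for authentication decisions.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(b64url_decode(parts[1]))


def available_claims(access_token: str, userinfo: dict) -> dict:
    # The RP can map claims from both the JWT access token and the userinfo response;
    # userinfo values win when the same claim appears in both.
    merged = dict(jwt_payload(access_token))
    merged.update(userinfo)
    return merged


def missing_claims(mapping: dict, claims: dict) -> dict:
    # Returns {confluence_field: claim_name} for every mapped claim the OP did not send.
    return {field: claim for field, claim in mapping.items() if claim not in claims}


def build_profile(mapping: dict, claims: dict) -> dict:
    # Resolves the Confluence profile and refuses to continue when the login key is
    # absent, which is exactly the state in which the plugin can neither match nor
    # create the account.
    gaps = missing_claims(mapping, claims)
    if "username" in gaps:
        raise KeyError(f"username claim {gaps['username']!r} not present; "
                       f"claims sent: {sorted(claims)}")
    return {field: claims.get(claim) for field, claim in mapping.items()}


if __name__ == "__main__":
    claims = available_claims(SAMPLE_ACCESS_TOKEN, SAMPLE_USERINFO)
    print("missing with original mapping:", missing_claims(ORIGINAL_MAPPING, claims))
    print("profile with corrected mapping:", build_profile(CORRECTED_MAPPING, claims))
```

Run against a real token copied from the plugin's debug log, the `missing_claims` report tells you which side of the mapping to change; in this thread the answer was to rename the username field, not to change what the OP releases.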

By Mohib Zico staff 06 Nov 2019 at 7:52 a.m. CST

Hi Raman, For proper OpenID Connect logout, you should use `/end_session`. It's something like `end_session_endpoint: "https://[your_gluu_server_hostname]/oxauth/restv1/end_session"`. The endpoint list is available at the `https://[your_gluu_server_hostname]/.well-known/openid-configuration` location.
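Two things in this thread come together here: the plugin in the first post was configured with hand-typed, IP-address endpoints rather than the hostname the OP publishes, and Zico's reply points at the discovery document as the authoritative list of endpoints, including `end_session_endpoint`. The script below is an added example, not code from the thread, from Gluu or from miniOrange. It parses a discovery document, checks that each hand-entered RP endpoint, the token-endpoint auth method and the response type agree with what the OP publishes, and builds an RP-initiated logout URL from `end_session_endpoint`. The discovery JSON is constructed (the endpoint paths are those named in the thread; the hostname `gluu.example.test` and the IP `192.0.2.10` are placeholders), and the logout parameters `id_token_hint` and `post_logout_redirect_uri` are the ones defined by OpenID Connect RP-Initiated Logout, not something taken from the plugin's UI.

```python
import json
from urllib.parse import urlencode, urlsplit

# Constructed discovery document (not fetched from any real server). The paths match
# the endpoints named in the thread; the hostname is a placeholder.
DISCOVERY_JSON = """{
  "issuer": "https://gluu.example.test",
  "authorization_endpoint": "https://gluu.example.test/oxauth/restv1/authorize",
  "token_endpoint": "https://gluu.example.test/oxauth/restv1/token",
  "userinfo_endpoint": "https://gluu.example.test/oxauth/restv1/userinfo",
  "end_session_endpoint": "https://gluu.example.test/oxauth/restv1/end_session",
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
  "response_types_supported": ["code", "id_token", "token id_token"],
  "subject_types_supported": ["public", "pairwise"]
}"""

# The plugin settings from the first post, with a constructed IP standing in for
# "[Gluu Server IP Address]".
RP_CONFIG = {
    "authorize_endpoint": "https://192.0.2.10/oxauth/restv1/authorize",
    "token_endpoint": "https://192.0.2.10/oxauth/restv1/token",
    "userinfo_endpoint": "https://192.0.2.10/oxauth/restv1/userinfo",
    "token_auth_method": "client_secret_basic",
    "response_type": "code",
}

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint")

# RP setting name -> discovery metadata name.
ENDPOINT_PAIRS = (
    ("authorize_endpoint", "authorization_endpoint"),
    ("token_endpoint", "token_endpoint"),
    ("userinfo_endpoint", "userinfo_endpoint"),
)


def load_discovery(doc: str) -> dict:
    # Parses the document and enforces the basic Discovery rules: the required
    # fields exist and every endpoint is an https URL on the issuer's host.
    meta = json.loads(doc)
    for key in REQUIRED_KEYS:
        if key not in meta:
            raise ValueError(f"discovery document lacks {key!r}")
    issuer_host = urlsplit(meta["issuer"]).hostname
    for key, value in meta.items():
        if key.endswith("_endpoint"):
            parts = urlsplit(value)
            if parts.scheme != "https" or parts.hostname != issuer_host:
                raise ValueError(f"{key} {value!r} is not https on the issuer host")
    return meta


def compare_endpoints(rp: dict, meta: dict) -> list:
    # Lists every disagreement between the hand-entered RP settings and the
    # published metadata. A host mismatch is reported first because it is the
    # failure mode from the thread: the plugin pointed at an IP, the OP at its FQDN.
    issuer_host = urlsplit(meta["issuer"]).hostname
    problems = []
    for rp_key, op_key in ENDPOINT_PAIRS:
        configured, published = urlsplit(rp[rp_key]), urlsplit(meta[op_key])
        if configured.hostname != published.hostname:
            problems.append(f"{rp_key}: host {configured.hostname!r} differs from "
                            f"issuer host {issuer_host!r}")
        elif configured.path != published.path:
            problems.append(f"{rp_key}: path {configured.path!r} differs from "
                            f"published {published.path!r}")
    # Per Discovery, the default when this list is absent is client_secret_basic.
    supported_auth = meta.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if rp["token_auth_method"] not in supported_auth:
        problems.append(f"token auth method {rp['token_auth_method']!r} not in {supported_auth}")
    if rp["response_type"] not in meta.get("response_types_supported", []):
        problems.append(f"response_type {rp['response_type']!r} not supported")
    return problems


def config_from_discovery(meta: dict, rp: dict) -> dict:
    # Derives the endpoint settings from metadata instead of typing them by hand.
    fixed = dict(rp)
    for rp_key, op_key in ENDPOINT_PAIRS:
        fixed[rp_key] = meta[op_key]
    return fixed


def logout_url(meta: dict, id_token_hint: str, post_logout_redirect_uri: str,
               state: str = None) -> str:
    # RP-initiated logout: the RP sends the user to end_session_endpoint with the
    # ID token it received, so the OP knows which session to end, and a registered
    # return URL. Without end_session_endpoint there is no standard logout to offer.
    if "end_session_endpoint" not in meta:
        raise ValueError("OP publishes no end_session_endpoint")
    params = {"id_token_hint": id_token_hint, "post_logout_redirect_uri": post_logout_redirect_uri}
    if state:
        params["state"] = state
    return meta["end_session_endpoint"] + "?" + urlencode(params)


if __name__ == "__main__":
    meta = load_discovery(DISCOVERY_JSON)
    for problem in compare_endpoints(RP_CONFIG, meta):
        print("MISMATCH:", problem)
    print(logout_url(meta, "<id_token from the login response>", "https://confluence.example.test/"))
```

In a live deployment `DISCOVERY_JSON` would be the body of `GET https://<gluu-hostname>/.well-known/openid-configuration`; the check then flags the IP-versus-hostname disagreement from the first post before any user sees the plugin's "unexpected error" page.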

By Aliaksandr Samuseu staff 06 Nov 2019 at 9:46 a.m. CST

Hi, Raman. Please see Zico's comment above. If it still won't resolve your logout issue, please create another ticket for it. Let's not deviate from the original topic of this one.

By Raman Chinnanpour user 06 Nov 2019 at 11:40 a.m. CST

Hi Dear Mohib and Aliaksandr, Thank you so much for your support. Actually, the session endpoint does not work properly. Please close this ticket. Best Regards, Raman