Authentication in Confluence with DUO as MFA triggers an endless loop for new users
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Configured Confluence with DUO Authentication as MFA (Multi Factor Authentication), when a new user tries to login, it hits an endless loop of authentication between Confluence and DUO.
Cause
If collected a HAR file, the following pattern will be observed in the requests done by the browser:
- Initial GET request to https://confluence.example.com/login.action
- Confluence POST action to https://confluence.example.com/dologin.action
- Redirects to https://api-XXXXXXXX.duosecurity.com/oauth/v1/authorize
- After a successful authorization in DUO, the user is redirected to https://confluence.example.com/index.action
- Confluence, redirects this new user to https://confluence.example.com/welcome.action
- And this triggers a new redirection to https://api-XXXXXXXX.duosecurity.com/oauth/v1/authorize, triggering an endless loop
Solution
First of all, review the DUO Documentation for Confluence and ensure everything is correct as per DUO requirements.
If everything is correct, and this issue only affects to new users, follow the steps documented in How to skip the onboarding page (welcome.action) for new users in Confluence to avoid the /welcome.action page to redirect again to DUO.
- Go to Manage apps.
- Choose System from the drop-down menu.
- Search for "confluence-onboarding".
- Expand all modules.
- Disable the Onboarding Filter.
- After disabling, new users won't be redirected to the /welcome.action page the first time they log into Confluence. Instead, they will be redirected to the Confluence Dashboard.