How to switch SAML from the primary to the secondary authentication method in the database
Purpose
In some cases it may be necessary to switch from using SAML as the primary authentication method to using it as the secondary authentication method. This change makes it possible to use the standard login method and bypass the SAML redirection and authentication. This is particularly useful in lower environments such as staging, UAT, and development.
Normally, this is done by going to > General Configuration > SAML Authentication and simply selecting the desired role there.
This only applies to the built-in SAML SSO plugin in Confluence 6.1+.
However, if a test environment was created from a clone of production, you may experience a problem with SAML where the redirect to the SAML IdP for authentication returns the client back to the production instance, instead of the new test instance.
Solution
- Back up your new environment's database.
  Always back up your data before performing any modifications to the database. If possible, test any alter, insert, update, or delete SQL commands on a staging server first.
- Connect to the Confluence database.
Before making changes, confirm your current configuration is using the built-in SAML plugin as the primary authentication method:

select * from bandana where bandanakey like 'com.atlassian.plugins.authentication.sso.config.redirect-on-login';

If SAML SSO is the primary authentication method, the above query will return a value of 'true', as this example shows:

select * from bandana where bandanakey like 'com.atlassian.plugins.authentication.sso.config.redirect-on-login';
 bandanaid | bandanacontext |                            bandanakey                             |     bandanavalue
-----------+----------------+-------------------------------------------------------------------+------------------------
   1671204 | _GLOBAL        | com.atlassian.plugins.authentication.sso.config.redirect-on-login | <string>true</string>
(1 row)

A value of 'false' would indicate SAML SSO is being used as the secondary authentication method.

To switch SAML SSO from the primary to the secondary authentication method, execute the following SQL:

update bandana set bandanavalue = '<string>false</string>' where bandanakey like 'com.atlassian.plugins.authentication.sso.config.redirect-on-login';

Verify the change was implemented by running the following query (the result should read 'false', as in the example below):

select * from bandana where bandanakey like 'com.atlassian.plugins.authentication.sso.config.redirect-on-login';
 bandanaid | bandanacontext |                            bandanakey                             |     bandanavalue
-----------+----------------+-------------------------------------------------------------------+------------------------
   1671204 | _GLOBAL        | com.atlassian.plugins.authentication.sso.config.redirect-on-login | <string>false</string>
(1 row)
- Restart Confluence for the change to take effect.
After the restart, you can log in to Confluence via the normal username/password method.
For SSO for Atlassian Data Center plugin version 4.1.x and older...
We have seen some cases where Confluence instances running versions at or before 7.4.x were running older versions of the SSO for Atlassian Server and Data Center bundled plugin, where the bandanakey above was not found on the database.
In that case, the bandanakey is slightly different and can be found with the following query:
select * from bandana where bandanakey like 'com.atlassian.plugins.authentication.samlconfig.redirect-on-login';
And the update SQL should be the one below:
update bandana set bandanavalue = '<string>false</string>' where bandanakey like 'com.atlassian.plugins.authentication.samlconfig.redirect-on-login';
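The following transactional script is an added example that is not part of this KB article or of Atlassian's own tooling. It combines the two procedures above (the current key and the legacy 4.1.x-and-older key) into a single check, update and verify sequence that only commits when the result is what you expect; it assumes PostgreSQL syntax and the _GLOBAL bandanacontext shown in the query output above.

```sql
-- Added example, not from the Atlassian KB. Assumes PostgreSQL.
-- Handles both the current and the legacy redirect-on-login key so the
-- same script works on old and new SSO plugin versions.
BEGIN;

-- 1. Show which key is present and its current value (expect exactly one row).
SELECT bandanaid, bandanakey, bandanavalue
  FROM bandana
 WHERE bandanacontext = '_GLOBAL'
   AND bandanakey IN (
       'com.atlassian.plugins.authentication.sso.config.redirect-on-login',
       'com.atlassian.plugins.authentication.samlconfig.redirect-on-login');

-- 2. Switch SAML SSO to secondary (allow the normal login form).
--    Only rows currently set to true are touched, so re-running is harmless.
UPDATE bandana
   SET bandanavalue = '<string>false</string>'
 WHERE bandanacontext = '_GLOBAL'
   AND bandanakey IN (
       'com.atlassian.plugins.authentication.sso.config.redirect-on-login',
       'com.atlassian.plugins.authentication.samlconfig.redirect-on-login')
   AND bandanavalue = '<string>true</string>';

-- 3. Verify before committing: this should return one row reading false.
--    If it returns no rows or more than one, run ROLLBACK instead of COMMIT.
SELECT bandanaid, bandanakey, bandanavalue
  FROM bandana
 WHERE bandanacontext = '_GLOBAL'
   AND bandanakey IN (
       'com.atlassian.plugins.authentication.sso.config.redirect-on-login',
       'com.atlassian.plugins.authentication.samlconfig.redirect-on-login');

COMMIT;
```

Confluence caches bandana values, so the restart step above is still required after the transaction commits.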