SAML Single Sign-On Best Practices and Troubleshooting for Confluence 6 Data Center

Best Practices

  • SAML authentication requests are only valid for a limited time. Make sure the clock on the server running your application is in sync with the clock on the IdP.
  • If users and groups in your application are configured through a user directory, you typically want the same LDAP directory to be the source of users for both your IdP and your Atlassian application. Users must exist in the user directory before they can log in using SSO.

Troubleshooting

  • If you misconfigured SAML authentication, or can't log in through your IdP, you can restore login form authentication by sending a DELETE request (using the username and password of an admin user configured in your user directory):
    curl -u admin_user:admin_password -X DELETE http://base-url/product/rest/authconfig/1.0/saml
  • If an authentication error occurs, the user will only see a basic error message. For security reasons, specific information about the error is not displayed. You need to check the application's logs to find out the specific cause of the error.
  • In some cases, your IdP may display an error message. In this case, you need IdP diagnostic tools to identify the problem with your IdP; Atlassian does not provide related services.
  • When using "Use SAML as primary authentication" with CAPTCHA also enabled, users of HTTP basic authentication (e.g. in REST resource calls) may be locked out if they enter the wrong username and password too many times. In this case, a system administrator needs to go into the administration console and reset the user's failed-login count.

https://www.cwiki.us/display/CONFLUENCEWIKI/SAML+SSO+for+Confluence+Data+Center
