SSO with other applications

Enterprise Application Access (EAA) uses single sign-on (SSO) authentication. SSO allows users to authenticate into the Enterprise Application Access service once to gain access to all of their applications, without having to log in again to each application individually. When you add an application to Enterprise Application Access, SSO is enabled by default.

Enterprise Application Access (EAA) Cloud supports single sign-on (SSO) to Atlassian applications, such as Confluence and JIRA, through custom header insertion. This lets users access the Atlassian application through the Enterprise Application Access Cloud service without having to authenticate again for any specific application.

Additional security, such as two-factor authentication (2FA) and multi-factor authentication (MFA), can be layered on top of the SSO authentication.

If SSO does not seem to be working properly, check the SSO configuration in the native application.

Use single sign-on (SSO) authentication for Atlassian Confluence

Prerequisite:
The Confluence application is running and integrated into your Active Directory (AD) or OpenLDAP server.

You can use your Active Directory (AD) or OpenLDAP server to authenticate all users and give them immediate access to applications secured through Enterprise Application Access Cloud. This integration sends the X-forwarded-for custom headers to an application for SSO.

  1. Download the latest version of the HTTP Authenticator for Confluence.

  2. Copy the downloaded remoteUserAuth-2.5.0.jar file to the following location in your Confluence installation:

    • For Linux OS: /usr/local/confluence/confluence/WEB-INF/lib

    • For Windows OS: Users/C:/Program Files/confluence/confluence/WEB-INF/lib

    The version number in this example is 2.5.0. You may have a different, later version number when you download the file.

  3. Download the remoteUserAuthenticator.properties text file from GitHub confluence_http_authenticator.

  4. Move the remoteUserAuthenticator.properties file to your Confluence installation:

    • For Linux OS: /usr/local/confluence/confluence/WEB-INF/classes

    • For Windows OS: Users/C:/Program Files/confluence/confluence/WEB-INF/classes

  5. Edit the remoteUserAuthenticator.properties file (with administrative rights) and change the following lines to send remote headers for SSO:

    1. Change header.remote_user=REMOTE_USER to header.remote_user=user_name.

    2. Comment out the line #header.email=CONF_EMAIL.

    3. Comment out the line #header.fullname=CONF_FULLNAME.

  6. Save the file.

    #semicolon-delimited list.
    #
    # Note: if fullname mapping is used (see below) then it will try
    # using that first to get the full name using this header.
    #
    # Each supports a strategy to get this value. All default to 0.
    # Strategy codes mean the following:
    # 0 - Try request.getAttribute then request.getHeader
    # 1 - Use request.getAttribute
    # 2 - Use request.getHeader
    header.remote_user=user_name
    #header.remote_user.strategy=0
    #header.email=CONF_EMAIL
    #header.email.strategy=0
    #header.fullname=CONF_FULLNAME
    #header.fullname.strategy=0
    #
    
  7. Edit the seraph-config.xml file at this location in your Confluence installation: /usr/local/confluence/confluence/WEB-INF/classes/seraph-config.xml and replace the following line <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/> with: <authenticator class="shibauth.confluence.authentication.shibboleth.RemoteUserAuthenticator"/>.

  8. Save the file and restart the EAA Confluence application.

  9. To configure the Enterprise Application Access (EAA) application, log in to the Enterprise Center.

  10. In the Enterprise Center navigation menu, select Application Access > Applications > Applications.

  11. Select your Confluence application to open it.

  12. In Settings > Advanced > Custom HTTP headers configure the following:

    1. In Header Name enter user-name.
    2. In Attribute select user.
  13. Click Save and Deploy.

Use single sign-on (SSO) authentication for Atlassian JIRA

Prerequisite:
The Confluence application is running and integrated into your Active Directory (AD) or OpenLDAP server.

You can use your AD or OpenLDAP server to authenticate all users and give them immediate access to applications secured through EAA Cloud. This integration sends the X-forwarded-for custom headers to an application for SSO.

  1. Download the latest version of the Atlassian JIRA SSO connector.

  2. Copy the downloaded jar file to this location in your JIRA installation:

    • For Linux OS: */jira/WEB-INF/lib

    • For Windows OS: *jira/WEB-INF/lib

  3. Download the jiraRemoteUserAuthenticator.properties text file from https://github.com/UW-Madison-DoIT/jiraRemoteUserAuth/tree/master/conf.

  4. Rename the file to RemoteUserAuthenticator.properties by removing jira from the file name, and save it to this location in your JIRA installation:

    • For Linux OS: */jira/WEB-INF/classes

    • For Windows OS: *jira/WEB-INF/classes

  5. Edit the remoteUserAuthenticator.properties file (use administrative rights) and change these lines to send remote headers for SSO:

    1. Change header.remote_user=REMOTE_USER to header.remote_user=user_name.

    2. Comment out the line #header.email=CONF_EMAIL.

    3. Comment out the line #header.fullname=CONF_FULLNAME.

  6. Save the file.

  7. Edit the seraph-config.xml file at this location in your Confluence installation /WEB-INF/classes/seraph-config.xml. Find and replace or comment out <authenticator class="com.atlassian.seraph.auth.DefaultAuthenticator"/> with: <authenticator class="shibauth.jira.authentication.shibboleth.RemoteUserAuthenticator"/>.

  8. Save the file and restart the JIRA application.

  9. To configure the Enterprise Application Access (EAA) application, log in to the Enterprise Center.

  10. In the Enterprise Center navigation menu, select Application Access > Applications > Applications.

  11. Select your JIRA application to open it.

  12. In Settings > Advanced > Custom HTTP headers configure the following:

    1. In Header Name enter user-name.
    2. In Attribute select user.
  13. Click Save and Deploy.
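
The file edits in steps 5 and 7 of both procedures above (Confluence and JIRA) can be checked before the application is restarted. The following Python checker is an added example, not part of the original page or of the authenticator projects; the function names and the sample file contents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Authenticator classes named in step 7 of each procedure, keyed by product.
EXPECTED_AUTHENTICATOR = {
    "confluence": "shibauth.confluence.authentication.shibboleth.RemoteUserAuthenticator",
    "jira": "shibauth.jira.authentication.shibboleth.RemoteUserAuthenticator",
}

def active_properties(text):
    """Return the uncommented key=value pairs ('=' separator only)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def check_sso_config(product, properties_text, seraph_xml, header="user_name"):
    """Return a list of findings; an empty list means the files match the steps."""
    findings = []
    props = active_properties(properties_text)
    if props.get("header.remote_user") != header:
        findings.append("header.remote_user is %r, expected %r"
                        % (props.get("header.remote_user"), header))
    for key in ("header.email", "header.fullname"):
        if key in props:
            findings.append("%s is still active; comment it out" % key)
    # XML comments are dropped by the parser, so a commented-out
    # authenticator element is not counted as active.
    classes = [a.get("class") for a in ET.fromstring(seraph_xml).iter("authenticator")]
    if classes != [EXPECTED_AUTHENTICATOR[product]]:
        findings.append("seraph-config.xml authenticator is %r" % classes)
    return findings

# Constructed sample inputs (not taken from a real installation).
SAMPLE_PROPERTIES = """\
header.remote_user=REMOTE_USER
header.email=CONF_EMAIL
#header.fullname=CONF_FULLNAME
"""
SAMPLE_SERAPH = """\
<security-config>
  <!-- <authenticator class="com.atlassian.seraph.auth.DefaultAuthenticator"/> -->
  <authenticator class="shibauth.jira.authentication.shibboleth.RemoteUserAuthenticator"/>
</security-config>
"""

if __name__ == "__main__":
    print("\n".join(check_sso_config("jira", SAMPLE_PROPERTIES, SAMPLE_SERAPH)))
```

Run against the sample, the checker reports the unchanged `header.remote_user` value and the still-active `header.email` line.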