Setting up AWS IAM Identity Center as an identity provider for Confluence

Julian Michel - Jul 1 - - Dev Community

AWS IAM Identity Center is a great tool for managing access to multiple AWS accounts in one centralized location. Users can assume roles in the AWS accounts they have access to and work in the AWS console or CLI.

It also supports single sign-on (SSO) capabilities to log in to some AWS services or third-party applications. One example of these applications is Confluence, which is widely used in enterprises. This blog post shows how to set up SSO in Confluence using AWS IAM Identity Center.

In what situations would you find this blog post useful?

  1. You want to use Identity Center's SSO capabilities in Confluence.
  2. You want to configure a source application for Amazon Q to test Q's security features (Q only returns information that the requesting user is allowed to access)
  3. You want to learn more about SSO and SAML.

In my case, I want to set up the Confluence integration to get familiar with Amazon Q. I chose the Confluence data sources because Confluence supports page-specific permissions, which should also be handled in Q. I'm using the trial version of Confluence for my tests and this blog post.

Getting started: AWS IAM Identity Center

I assume that AWS IAM Identity Center is already configured. To integrate Confluence as an application, open AWS IAM Identity Center in the AWS console and select "Applications" in the navigation. Then, add a new application.

AWS IAM Identity Center: Add a new application

AWS offers a catalog of out-of-the-box integrations for more than 300 applications. Confluence is one of them, so choose it.
Select application from the catalog

Search for Confluence and select the result:
Search for Confluence

The next page provides a button to open step-by-step instructions for additional configuration assistance. Select this button to view these instructions. There are also options to change the name or description used in Identity Center.
Configure a new application in AWS IAM Identity Center

In the step-by-step instructions, you will find application-specific instructions to configure the integration. For example, it shows which values have to be configured in Confluence and in Identity Center. Download the IAM Identity Center certificate and copy the URL (the sign-in URL and the SAML issuer URL are the same value for Identity Center, so one copy is enough). The certificate is what Confluence will use to verify the signature on every SAML assertion, so note its expiry date: once it expires, logins fail until you rotate it on both sides. You will need this information later again when setting up the identity provider in Confluence.
Step-by-step instructions

Now proceed with the necessary steps in Confluence. Later, we will need to perform some additional configurations in AWS IAM Identity Center.

Confluence: Adding a domain

Open the Atlassian Admin by navigating to the URL https://admin.atlassian.com/. In Atlassian Admin, you can manage the settings required for Identity Center integration.

First, add the domain used by your users. Accounts in your domain can become managed accounts, which means you can use the SSO capabilities of Identity Center.

Confluence: Verify your company domain

Enter the domain name.
Enter the domain name

Before the domain can be associated, the ownership must be verified. I used DNS verification - feel free to use any of the other methods. For DNS validation, create the TXT record in the DNS management for your domain.
Domain DNS verification

Ensure that the status is set to verified. If it is not verified, check the domain verification again. Next, select "Claim accounts" to automatically claim new accounts under this domain.
Domains: Overview

Use the recommended "Automatically claim" option to claim new accounts from your domain.
Claim settings

Now "claim setting" is set to "Automatically".
Domain: claim setting automatically

Confluence: Create an identity provider

In the next step, we will create an identity provider and link it to AWS IAM Identity Center. In the security settings, select "Identity providers" and use "Other provider", as there is no specific integration for Identity Center.
Create identity provider type other identity provider

Confirm to start the free trial for Atlassian Guard, which is required for SAML single sign-on and other enterprise-grade features.
Subscribe to Atlassian Guard

Enter a name for the identity provider, e.g. "AWS IAM Identity Center".
Identity provider name

Proceed with the SAML single sign-on integration.
SAML single sign-on integration

Read the notes, then continue to the next step.
Notes

Now paste the certificate and the URL you copied during the application configuration in AWS IAM Identity Center. The same Identity Center URL is used for both the identity provider Entity ID and the SSO URL field.
Identity provider settings

In case you didn't copy the values, you can display them again.
AWS IAM Identity Center values

After you have configured the values in Confluence, the Confluence wizard will display two URLs that need to be copied to AWS IAM Identity Center: the service provider (SP) Entity ID and the Assertion Consumer Service (ACS) URL.
Confluence identity provider URLS

In the Identity Center configuration, enter the URL of your Confluence instance (the application start URL) and paste the two URLs you copied earlier: the SP Entity ID becomes the SAML audience and the ACS URL is where Identity Center will POST the SAML response.
Maintain configuration in AWS IAM Identity Center
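The values exchanged in the two steps above (the Identity Center certificate and URL going into Confluence, and the Confluence SP Entity ID and ACS URL going into Identity Center) are easy to mix up. The following is an added example, not code from the original post or from AWS/Atlassian: it pulls the IdP values out of the SAML metadata file that Identity Center also offers for download on the application page, converts the certificate to the PEM form the Atlassian form accepts, and checks the pairing with the two Confluence values before you paste anything. The metadata is a constructed sample in the shape Identity Center exports; the region, the instance ID (EXAMPLEID), the Atlassian URLs and the certificate body are placeholders, and the Atlassian field names are as they appear in my tenant's wizard.

```python
"""Extract Confluence 'Other provider' SAML values from Identity Center IdP
metadata and sanity-check them against the SP values Confluence hands back.

Added example, not from the original post. All IDs/URLs are placeholders.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

IDP_URL = "https://portal.sso.eu-central-1.amazonaws.com/saml/assertion/EXAMPLEID"  # placeholder

# Constructed sample metadata. The X509Certificate body is a placeholder that
# merely decodes as base64; a real export carries the IdP's DER certificate.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="{IDP_URL}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        QUJDREVGR0hJSktMTU5P
        UFFSU1RVVldYWVo=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{IDP_URL}"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{IDP_URL}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the entity ID, the SSO URL per binding and the signing cert (base64 DER)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata (SP metadata by mistake?)")
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]  # e.g. "HTTP-POST"
        sso[binding] = svc.get("Location")
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert_b64 = "".join(node.text.split())  # drop line breaks and indentation
                break
    if cert_b64 is None:
        raise ValueError("no signing certificate in metadata")
    base64.b64decode(cert_b64, validate=True)  # catches a mangled copy/paste early
    return {"entity_id": root.get("entityID"), "sso": sso, "certificate": cert_b64}


def to_pem(cert_b64):
    """PEM form, which is what the Atlassian certificate field expects."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def confluence_idp_fields(meta):
    """Values for the IdP fields of the Atlassian 'Other provider' wizard
    (field names as shown in my tenant; check them against yours)."""
    return {
        "Identity provider Entity ID": meta["entity_id"],
        "Identity provider SSO URL": meta["sso"].get("HTTP-POST") or meta["sso"].get("HTTP-Redirect"),
        "Public x509 certificate": to_pem(meta["certificate"]),
    }


def check_pairing(meta, sp_entity_id, sp_acs_url):
    """Catch the usual copy/paste mistakes before pasting into either side."""
    problems = []
    idp_values = {meta["entity_id"], *meta["sso"].values()}
    if len(idp_values) != 1:
        problems.append("Identity Center issuer and sign-in URL should be identical; "
                        "were the values copied from different applications?")
    for name, url in (("SP Entity ID", sp_entity_id), ("ACS URL", sp_acs_url)):
        if url in idp_values:
            problems.append(f"{name} is an Identity Center URL: IdP and SP values are swapped")
        elif urlparse(url).scheme != "https":
            problems.append(f"{name} must be an https URL, got {url!r}")
    for url in idp_values:
        host = urlparse(url).hostname or ""
        if urlparse(url).scheme != "https" or not host.endswith(".amazonaws.com"):
            problems.append(f"IdP URL does not look like an Identity Center portal URL: {url!r}")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    for field, value in confluence_idp_fields(meta).items():
        print(f"{field}:\n{value}\n")
    # Placeholders standing in for what the Confluence wizard displays.
    print(check_pairing(meta, "https://auth.atlassian.com/saml/EXAMPLE-SP",
                        "https://auth.atlassian.com/login/saml/acs/EXAMPLE") or "no pairing problems")
```

Run it against the real metadata file (`parse_idp_metadata(open("metadata.xml").read())`) and the two values from the Confluence wizard; an empty list from `check_pairing` means the URLs are at least on the right sides.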

Now continue in Confluence again. Select the previously created domain.
Select the domain created before

Stop the configuration wizard and save the SAML settings.
Save SAML settings

Confluence: Update authentication policy

As the final configuration step in Confluence, open the authentication policies and edit the newly created configuration (in my case, it is named "AWS IAM Identity Center").
Update authentication policy

Select the option "Enforce single sign-on". Before you enforce it, make sure at least one organization admin remains in an authentication policy that does not enforce SSO, so that a broken Identity Center configuration or an expired certificate cannot lock every admin out of Atlassian Admin.
Enforce single sign-on

AWS Identity Center: Assign users or groups

In Identity Center, add the users or groups that will be allowed to use the new application. I created a group and assigned all users to it. Only assigned users see the application in the access portal, so keep the group's membership to the people who actually need Confluence. Atlassian matches the incoming SAML subject to an account by email address, so each user's email in Identity Center has to be an address on the domain you verified and claimed above.
Identity Center: Users and groups

Testing the integration

Log in to the AWS access portal (the Identity Center user portal) with one of the assigned users. You should see the newly created Confluence application. Open the application.

Identity Center: Confluence application

Your browser will open a new window and you will be automatically signed in to Confluence.
Confluence: Welcome

Summary

If everything is set up correctly, the Confluence integration with AWS IAM Identity Center works well. The step-by-step instructions are useful, but read the documentation provided by Atlassian if you encounter any issues. Be careful when copying configuration values and URLs: the Identity Center URL (issuer and sign-in URL) goes into Confluence, while the Confluence SP Entity ID and ACS URL go into Identity Center. Mixing them up produces audience or destination mismatches in the SAML response and SSO won't work.
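When SSO fails after a mix-up like that, the quickest way to see which value is wrong is to look at the SAML response Identity Center posts to Confluence (the `SAMLResponse` form field of the POST to the ACS URL, visible in the browser's network tools or a SAML tracer extension). The following is an added example, not from the original post or from AWS/Atlassian: it decodes such a response and compares issuer, destination, recipient and audience with the values configured on both sides. It does not verify the XML signature (Confluence does that); it only explains which URL was pasted in the wrong place. The response, the issuer, the Atlassian URLs and the user are constructed placeholders.

```python
"""Decode a captured SAMLResponse and check its issuer, destination,
recipient, audience and validity window against the configured values.

Added example, not from the original post. Signature verification is
deliberately out of scope; all URLs and IDs below are placeholders.
"""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

IDP_ISSUER = "https://portal.sso.eu-central-1.amazonaws.com/saml/assertion/EXAMPLEID"  # placeholder
SP_ENTITY_ID = "https://auth.atlassian.com/saml/EXAMPLE-SP"  # placeholder
SP_ACS_URL = "https://auth.atlassian.com/login/saml/acs/EXAMPLE"  # placeholder

# Constructed, unsigned response in the shape an IdP posts to the ACS URL.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-07-01T10:00:00Z" Destination="{SP_ACS_URL}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-07-01T10:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" NotOnOrAfter="2099-01-01T00:00:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-07-01T09:59:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# What the browser actually carries: the XML, base64-encoded.
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_time(s):
    """SAML timestamps are UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unexpected timestamp format: {s!r}")


def decode_response(saml_response_b64):
    """Base64-decode the SAMLResponse form value and parse the XML."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def summarize(root):
    """Pull out the fields that have to line up with the configuration."""
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain Assertion (encrypted assertions must be decrypted with the SP key first)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    return {
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "destination": root.get("Destination"),
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "recipient": scd.get("Recipient") if scd is not None else None,
        "audience": assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "not_on_or_after": assertion.find("saml:Conditions", NS).get("NotOnOrAfter"),
    }


def check(summary, idp_issuer, sp_entity_id, sp_acs_url, now=None):
    """Return a list of mismatches; empty means the URLs are wired correctly."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not summary["status"].endswith(":Success"):
        problems.append(f"IdP returned status {summary['status']}")
    if summary["issuer"] != idp_issuer:
        problems.append("Issuer differs from the Identity Center URL configured in Confluence")
    if summary["audience"] != sp_entity_id:
        problems.append("Audience differs from the SP Entity ID: check the SAML audience field in Identity Center")
    for field in ("destination", "recipient"):
        if summary[field] != sp_acs_url:
            problems.append(f"{field} differs from the ACS URL: check the ACS URL field in Identity Center")
    if parse_time(summary["not_on_or_after"]) <= now:
        problems.append("assertion has already expired: check clock skew between IdP and your machine")
    return problems


if __name__ == "__main__":
    summary = summarize(decode_response(SAMPLE_SAMLRESPONSE))
    print(summary)
    print(check(summary, IDP_ISSUER, SP_ENTITY_ID, SP_ACS_URL) or "response matches configuration")
```

Paste the real `SAMLResponse` value in place of `SAMPLE_SAMLRESPONSE` and your configured values for the three constants; each reported mismatch names the field on the side that holds the wrong value.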

The integration of Confluence with AWS IAM Identity Center is just one example - many other applications can be integrated as well. AWS IAM Identity Center can also be used if you need a free SAML or OAuth 2.0 identity provider for software development or any other use case.
