SSO + Zero-Day Protection for Confluence Data Center

by Atlassian

Secure Confluence with SAML/OIDC SSO via Authenticated Proxy — Shield Internal Knowledge from Zero-Day Exploits

Why Confluence Data Center Needs an Authenticated Proxy

Confluence Data Center is a widely deployed enterprise wiki and knowledge management platform. It contains internal documentation, architecture diagrams, runbooks, security procedures, HR policies, and often sensitive business data. Confluence has been a frequent target of critical zero-day vulnerabilities — including CVEs actively exploited by nation-state actors and ransomware groups. OnePAM adds an authenticated proxy layer in front of Confluence, ensuring every request passes through identity verification. Users authenticate via your corporate IdP, OnePAM injects trusted headers, and Confluence accepts the pre-authenticated session. Zero-day exploits cannot be reached by unauthenticated attackers, and your internal knowledge base is protected by enterprise-grade SSO and access controls.

HTTP Header Authentication
X-Forwarded-User

Confluence Data Center supports proxy authentication via trusted HTTP headers. OnePAM injects the X-Forwarded-User header with the authenticated identity, and Confluence creates or maps the user session automatically.

Confluence Data Center Vulnerability Risks

Without an authenticated proxy, these risks are directly exploitable by any network-reachable attacker.

Confluence has had actively exploited zero-day RCE vulnerabilities (CVE-2023-22515, CVE-2022-26134)
Internal documentation exposes architecture, procedures, and security controls
Confluence macros and user-submitted content can contain exploit payloads
Confluence APIs allow bulk extraction of organizational knowledge

Security Challenges with Confluence Data Center

These are the risks organizations face when Confluence Data Center is not behind an authenticated proxy.

Critical Zero-Day Target

Confluence is among the most exploited enterprise applications. Nation-state actors and ransomware groups actively target unpatched Confluence instances.

Knowledge Exposure

Confluence contains architecture diagrams, security procedures, and sensitive business data that attackers can use for further exploitation.

Macro Vulnerabilities

User-created macros and third-party Marketplace apps introduce code execution risks within the Confluence environment.

Slow Patch Deployment

Confluence Data Center upgrades require careful testing. Organizations often run weeks or months behind on critical security patches.

Complex SSO Configuration

Confluence Data Center SAML SSO requires Atlassian Access licensing and complex identity federation setup.

Space Permission Management

Managing space-level permissions for hundreds of Confluence spaces across teams and projects is operationally intensive.

How OnePAM Adds SSO + Zero-Day Protection to Confluence Data Center

A step-by-step guide to deploying OnePAM's authenticated proxy in front of Confluence Data Center.

1. Deploy OnePAM as Confluence's Proxy

Place OnePAM in front of Confluence Data Center, intercepting all HTTPS traffic.

Confluence's Tomcat server is configured to accept connections only from OnePAM. The Confluence login page is never directly accessible from the network.

2. Configure Your IdP

Connect OnePAM to your SAML 2.0 or OIDC identity provider.

OnePAM manages the complete authentication flow: IdP redirect, MFA enforcement, assertion validation, and session lifecycle.

3. Enable Proxy Authentication

Configure Confluence to trust the X-Forwarded-User header from OnePAM for pre-authenticated sessions.

Users are authenticated by OnePAM before any request reaches Confluence. Confluence creates user sessions from the trusted identity header.

4. Map Spaces to IdP Groups

OnePAM passes IdP group memberships, enabling automatic Confluence space permission assignment.

Engineering teams see technical spaces, HR sees people spaces, executives see strategy spaces — all managed from your IdP.

5. Shield and Audit

Block zero-day exploitation while generating compliance-ready access audit trails.

Every Confluence access event is logged with full IdP context. Session recording captures documentation access for compliance and security investigations.
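
The header-trust arrangement from steps 1 and 3, modelled as an added example (not OnePAM's or Atlassian's code): the proxy discards any client-supplied X-Forwarded-User before setting its own, and the backend honours the header only when the connection comes from the proxy. The function names and the proxy address 10.0.5.10 are assumptions made for illustration.

```python
import ipaddress

TRUSTED_HEADER = "X-Forwarded-User"
# Assumption: the single address the proxy connects from (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.5.10/32")]


def proxy_forward_headers(client_headers, authenticated_user):
    """Build the headers the proxy sends upstream (hypothetical helper).

    Any client-supplied copy of the identity header is dropped (header names
    are case-insensitive), then the header is set from the proxy's own
    authenticated session, never from request data.
    """
    if not authenticated_user:
        raise PermissionError("no authenticated session; request is not forwarded")
    if "\r" in authenticated_user or "\n" in authenticated_user:
        raise ValueError("identity contains CR/LF")
    upstream = {
        name: value
        for name, value in client_headers.items()
        if name.lower() != TRUSTED_HEADER.lower()
    }
    upstream[TRUSTED_HEADER] = authenticated_user
    return upstream


def backend_identity(peer_ip, headers):
    """Return the user the application may trust, or None (hypothetical helper).

    The header is honoured only when the TCP peer is the proxy. A request that
    reaches the backend any other way gets no identity, whatever it claims.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None
    values = [v for k, v in headers.items() if k.lower() == TRUSTED_HEADER.lower()]
    # Zero or several copies of the header are both treated as untrusted.
    if len(values) != 1 or not values[0].strip():
        return None
    return values[0].strip()
```

The same two properties are what to verify on a real deployment: a request sent straight to the backend with the header set must not produce a session, and a header sent by the browser must never survive the proxy.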

Benefits of Securing Confluence Data Center with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of Confluence Data Center.

Block Active Zero-Day Exploits

Confluence zero-day CVEs cannot be exploited when OnePAM enforces authentication. No unauthenticated traffic reaches Confluence.

CVE exploitation prevented

Patch on Your Schedule

OnePAM buys you time to test and deploy Confluence patches without leaving your instance exposed to active exploitation.

Reduced patch urgency

SSO Without Atlassian Access

Enterprise SSO for Confluence without Atlassian Access per-user licensing costs.

Save on licensing costs

Protect Organizational Knowledge

Internal documentation, architecture diagrams, and security procedures are only accessible to authenticated users.

Knowledge base secured

Instant Deprovisioning

Disable a user in your IdP and Confluence access stops immediately. No manual space permission cleanup.

Real-time revocation

Unified Atlassian Access

One OnePAM deployment handles SSO for Confluence, Jira, and Bitbucket with consistent security policies.

One proxy for all Atlassian

Confluence Data Center SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for Confluence Data Center.

SAML 2.0 & OIDC SSO via proxy header authentication
IdP group to Confluence space permission mapping
Session recording for compliance audits
IP and geo-restriction for knowledge base access
Device trust verification
REST API access policies and auditing
Concurrent session controls
Auto-provisioning users from IdP
Cross-application SSO (Confluence + Jira + Bitbucket)
Content export/download access controls

Zero-Day Protection Features

Enterprise-grade security controls that shield Confluence Data Center from exploitation.

Confluence isolated from direct network access
End-to-end TLS encryption
Request-level identity verification
Protection against Confluence zero-day CVEs
Macro execution context isolation
Automatic session termination on IdP sign-out

Confluence Data Center SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of Confluence Data Center.

1. Engineering teams accessing technical documentation via corporate SSO
2. HR teams managing employee handbooks with restricted access
3. Security teams protecting incident response runbooks with MFA and session recording
4. External partners accessing specific spaces with time-limited, audited sessions
5. Protecting internet-facing Confluence from zero-day exploitation
6. Compliance-driven documentation access auditing for regulated industries

Confluence Data Center SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for Confluence Data Center.

How does OnePAM protect against Confluence zero-day exploits?

OnePAM ensures that every request to Confluence is authenticated. The majority of Confluence zero-day CVEs (including CVE-2023-22515 and CVE-2022-26134) require unauthenticated network access to exploit. OnePAM blocks all unauthenticated traffic before it reaches Confluence.

Can we still have anonymous Confluence spaces?

Yes. OnePAM supports path-based policies. Specific spaces or pages can be configured for public/anonymous access while the rest of Confluence requires SSO. However, for maximum security, we recommend requiring authentication for all access.

Do we need Atlassian Access licensing?

No. OnePAM provides SSO at the proxy layer, making Atlassian Access unnecessary. This eliminates per-user licensing costs for SSO and centralized authentication.

What about Confluence REST API and mobile access?

OnePAM supports separate policies for API endpoints. Mobile apps using REST APIs can authenticate via API tokens, while interactive web sessions require full SSO. You define the policy per path.

Can OnePAM protect both Confluence and Jira?

Yes. A single OnePAM deployment can proxy multiple Atlassian applications with different access policies, all using the same IdP configuration.

Ready to Secure Confluence Data Center with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no Confluence Data Center code changes required. Start your free 14-day trial today.