Authentication in Confluence with DUO as MFA triggers an endless loop for new users

Summary

Configured Confluence with DUO Authentication as MFA (Multi Factor Authentication), when a new user tries to login, it hits an endless loop of authentication between Confluence and DUO.

Cause

If collected a HAR file, the following pattern will be observed in the requests done by the browser:

1. Initial GET request to https://confluence.example.com/login.action

2. Confluence POST action to https://confluence.example.com/dologin.action

3. Redirects to https://api-XXXXXXXX.duosecurity.com/oauth/v1/authorize

4. After a successful authorization in DUO, the user is redirected to https://confluence.example.com/index.action

5. Confluence, redirects this new user to https://confluence.example.com/welcome.action

6. And this triggers a new redirection to https://api-XXXXXXXX.duosecurity.com/oauth/v1/authorize, triggering an endless loop

Solution

First of all, review the DUO Documentation for Confluence and ensure everything is correct as per DUO requirements.

If everything is correct, and this issue only affects to new users, follow the steps documented in How to skip the onboarding page (welcome.action) for new users in Confluence Data Center to avoid the /welcome.action page to redirect again to DUO.

1. Go to Manage apps.

2. Choose System from the drop-down menu.

3. Search for "confluence-onboarding".

4. Expand all modules.

5. Disable the Onboarding Filter.

6. After disabling, new users won't be redirected to the /welcome.action page the first time they log into Confluence. Instead, they will be redirected to the Confluence Dashboard.