Password authentication is, by default, delegated from Seraph to the user management system. If you use a Single sign-on (SSO) system this might not be necessary. The authenticator gets all the necessary credentials from your SSO provider.

Seraph is an open source framework developed by Atlassian and almost all authentication in Confluence is done using this framework. The goal of Seraph is to provide a simple, extensible authentication system that can be used on any application server.

Seraph is implemented as a filter. Filters dynamically intercept every authentication request and response to your application and use and transforms the information in the request or response. The purpose of Seraph is to associate the request with a particular user (or no user if the request is anonymous). Seraph supports HTTP Basic Authentication and form-based authentication, and can look up credentials already stored in the user's session.

Seraph itself isn't used for user management. It only checks the credentials of the incoming requests and delegates any user management functions, including finding the users and checking a user's password.

If you want to integrate Confluence with your own SSO infrastructure, you can write your own Seraph authenticator. See http://docs.atlassian.com/atlassian-seraph for more information on Seraph.