Login issues related to single sign-on (SSO)

This document describes problems you might have when using Single Sign-On (SSO) with SAML to log in to your Atlassian account.

If you see errors from your identity provider, check with the provider's support and tools rather than Atlassian Support.

Unable to log in with single sign-on

Possible cause

Action you can take

There’s a few reasons why you may have trouble logging in with SAML single sign-on:

  • Your organization may no longer have a subscription to Atlassian Access, which is where SAML is set.

  • Your organization’s SAML single sign-on configuration may not be configured correctly.

Do either of the following:

  • Contact your organization admin to make sure they’re aware of the problem and so that they can suggest the best way to log in.

  • Log in using an Atlassian account password from the login page. If you don’t have a password, click the Can't log in? link to set one.

SAML error messages

The following table lists the error messages related to SAML problems:

Errors

Possible issues

A plain error screen with no Atlassian branding.

You might have network connectivity issues with your IdP. Try refreshing the page.

An error screen for your IdP. This may appear with one of the following error messages:

  • "The signed in user xxx is not assigned to a role for the application […] (Atlassian Cloud)."

  • Error 403: Disallowed user agent

  • Error 403: App not enabled for user

You might have an issue with your IdP configuration, e.g. a user may not be able to access the Atlassian product from the IdP. Contact your administrator or IdP to fix the issue.

"Your email address has changed at your Identity Provider. Ask your administrator to make a corresponding change on your Atlassian products."

A known issue with the SAML Beta. You'll soon be able to change the email addresses of your managed accounts from User management.

"We weren't able to log you in, but trying again will probably work."

SAML configuration was disabled for the user during the login process. Verify the SAML configuration and try again.

  • "We were expecting you to arrive with a different Identity Provider Entity Id. Ask your administrator to check the Atlassian configuration of SAML. You had xxx; but we were expecting xxx."

  • "Invalid issuer in the Assertion/Response"

The IdP Entity Id in the SAML configuration of your site administration may be incorrect. Verify that you're using the correct Entity Id and try again.

"xxx is not a valid audience for this Response"

The Service Provider Entity Id in the IdP SAML configuration may be incorrect. Verify that you're using the correct Entity Id and try again.

"The response was received at xxx instead of xxx"

The Service Provider Assertion Consumer Service URL in the IdP SAML configuration may be incorrect. Verify that you're using the correct URL and try again.

"The authenticated email address we were expecting was 'xxx', but we received 'xxx'. Please ensure they match exactly, including case sensitivity. Contact your administrator to change your email to match."

The user tried to log in to the IdP with an email address different from their Atlassian account email address. Verify that the user is logging in with the correct email address. Email addresses are also case sensitive.

  • "We were expecting an email address as the Name Id, but we got xxx. Please ask your administrator to check that Name Id is mapped to email address."

  • "We were expecting an email address as the Name Id, but didn't get one. Please ask your administrator to check that Name Id is mapped to email address."

  • "We were expecting a user ID, but didn't get one. Please ask your administrator to check that user ID is populated in the response. See the configuration and troubleshooting guide below."

  • "Unsupported SAML Version."

  • "Missing ID attribute on SAML Response."

  • "SAML Response must contain 1 Assertion."

  • "Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd"

  • "Invalid decrypted SAML Response. Not match the saml-schema-protocol-2.0.xsd"

  • "Signature validation failed. SAML Response rejected"

  • "No Signature found. SAML Response rejected"

  • "The Assertion of the Response is not signed and the SP requires it"

  • "The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response"

  • "There is an EncryptedAttribute in the Response and this SP not support them"

  • "Timing issues (please check your clock settings)"

  • "The Response has an InResponseTo attribute: xxx while no InResponseTo was expected"

  • "The InResponseTo of the Response: xxx does not match the ID of the AuthNRequest sent by the SP: xxx"

You're most likely using an unsupported IdP. Verify your IdP configuration by making sure you've done the following:

  1. The IdP can return email as the NameId.

  2. A user Id is mapped as a SAML attribute.

  3. The SAML responses are signed and not encrypted.

  4. The IdP's time is synchronized with NTP.

 

Last modified on Jul 1, 2021
Cached at 8:46 AM on Aug 4, 2021 |

Additional Help

Ask the Community