Bitbucket SAML JIT provisioning fails with error 'Attribute [userGroups] could not be found' due to multiple user group memberships in Azure AD
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Just-in-time user provisioning (JIT provisioning) allows users to be created and updated automatically when they log in through SAML SSO or OpenID Connect (OIDC) SSO to Bitbucket and other Atlassian Data Center applications. In some cases, users are not created by the JIT provisioning feature in Bitbucket when integrating with Azure SSO/SAML.
Environment
Bitbucket 8.x, 9.x
Observed in Azure SSO/SAML integration
Diagnosis
The error 'Attribute [userGroups] could not be found' appears in the <BITBUCKET_HOME>/log/atlassian-bitbucket* log file(s):
2024-09-25 04:03:29,765 ERROR [http-nio-7990-exec-2 url: /plugins/servlet/samlconsumer] @WT5CNx243x5884973x0 XX.XXX.X.XXX,XXX.XX.X.XXX "POST /plugins/servlet/samlconsumer HTTP/1.1" c.a.p.a.s.w.f.ErrorHandlingFilter [UUID: XXXXX-XX-XX-XX-XXX] Attribute [userGroups] could not be found
com.atlassian.plugins.authentication.sso.web.usercontext.impl.jit.JitException: Attribute [userGroups] could not be found
    at com.atlassian.plugins.authentication.sso.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapGroups(SamlUserDataFromIdpMapper.java:56)
    at com.atlassian.plugins.authentication.sso.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapUser(SamlUserDataFromIdpMapper.java:28)
    at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:105)
Confirm the 'Group Claims' settings in Azure AD and ensure that the user groups can be returned.
Extract the SAML response and check the attributes returned.
Sample SAML Response
<samlp:Response ID="ZZZZ-eaf9-4711-a37c-YYYYY" Version="2.0" IssueInstant="2024-09-27T00:55:45.035Z" Destination="https://XXXXXX/plugins/servlet/samlconsumer" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://ZZZZZ/a00035bc-d628-4788-97c4-HHHHHH/</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion ID="_263730df-bdd2-45d3-aa2e-XXXXXXXXXX" IssueInstant="2024-09-27T00:55:44.989Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>https://ZZZZZ/a00035bc-d628-4788-97c4-bbfbf70f3e7a/</Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <Reference URI="#XUXUXUUXU-bdd2-45d3-aa2e-c9a4b1094300">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <DigestValue>XYXYXYXYYSJSKKLSJSKKS=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>XXXXXXXXXXXXX==</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>XXXXXYYYYYZZZZZGGGGGGCCCCCC</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">sssss.mmmmmm</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2024-09-27T01:55:44.720Z" Recipient="https://XXXXXX/plugins/servlet/samlconsumer"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2024-09-27T00:50:44.720Z" NotOnOrAfter="2024-09-27T01:55:44.720Z">
      <AudienceRestriction>
        <Audience>https://XXXXXX</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <AttributeValue>XXXXXXXX-DDSSS-DDDDDD-FFFFF-XXXXXXX</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
        <AttributeValue>CCCCC-SSWWWW-EEEEE-DDDDD-XXXXXXXx</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/claims/groups.link">
        <AttributeValue>https://graph.windows.net/XXXXX-d628-4788-97c4-XXXXXX/users/XXXXXX-24fd-40a2-91cb-DDDDDD/getMemberObjects</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
        <AttributeValue>https://ZZZZZ/a00035bc-d628-4788-97c4-bbfbf70f3e7a/</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
        <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
        <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/wids">
        <AttributeValue>XXXXXXX-3ef9-4689-8143-FFFFFFF</AttributeValue>
      </Attribute>
      <Attribute Name="firstName">
        <AttributeValue>aaaa</AttributeValue>
      </Attribute>
      <Attribute Name="lastName">
        <AttributeValue>bbbbb</AttributeValue>
      </Attribute>
      <Attribute Name="email">
        <AttributeValue>cccc@xxx.com</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2024-09-26T21:29:14.557Z" SessionIndex="DSSSSEEE-bdd2-45d3-aa2e-c9a4b1094300">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
The group attribute value is returned in the form of a link rather than as a list of group names:
<Attribute Name="http://schemas.microsoft.com/claims/groups.link">
  <AttributeValue>https://graph.windows.net/a00035bc-d628-XXXXX-97c4-bbfbf70f3e7a/users/5c91b478-24fd-40a2-91cb-XXXXXX/getMemberObjects</AttributeValue>
</Attribute>
Cause
The groups.link attribute in the SAML response is used when a user is a member of more than 150 groups. In such cases, instead of listing all the groups in the SAML response, Azure AD provides a link to a Microsoft Graph API endpoint that can be used to retrieve the group memberships. Because the group attribute that Bitbucket's JIT mapping expects is then absent from the assertion, the mapper fails with the 'Attribute [userGroups] could not be found' error above. The Azure SAML tokens documentation has more details:
If the number of groups the user is in goes over a limit (150 for SAML, 200 for JWT) then an overage claim will be added to the claim sources pointing at the Graph endpoint containing the list of groups for the user.
Below is a sample response of a user belonging to a larger number of groups.
<Attribute Name="http://schemas.microsoft.com/claims/groups.link">
<AttributeValue>
https://graph.windows.net/a00035bc-d628-XXXXX-97c4-bbfbf70f3e7a/users/5c91b478-24fd-40a2-91cb-XXXXXX/getMemberObjects
</AttributeValue>
</Attribute>
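To make the diagnosis step above ("extract the SAML response and check the attributes returned") repeatable, the following script classifies a decoded assertion the way the JIT group mapper sees it: groups listed, only a groups.link overage claim, or no group claim at all. This is an added example, not Atlassian's or Microsoft's code; it assumes the SAMLResponse has already been base64-decoded and that the normal (non-overage) group claim uses Azure AD's default claim name, and the sample assertions it builds are constructed and unsigned.

```python
# Added example (not Atlassian's or Microsoft's code): inspect a decoded Azure AD
# SAML assertion the way Bitbucket's JIT group mapper would. Assumptions: the
# SAMLResponse is already base64-decoded, and the normal (non-overage) group
# claim uses Azure AD's default claim name below.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"  # sent above 150 groups


def attribute_values(xml_text):
    """Return {attribute name: [values]} for every Attribute in the assertion."""
    root = ET.fromstring(xml_text)
    result = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        result[attr.get("Name")] = values
    return result


def check_group_claim(xml_text):
    """'ok': groups listed; 'overage': only a groups.link overage claim, which the
    JIT mapper cannot read; 'missing': no group claim of either kind."""
    attrs = attribute_values(xml_text)
    groups = attrs.get(GROUPS_CLAIM, [])
    if OVERAGE_CLAIM in attrs:
        return {"status": "overage", "groups": groups, "link": attrs[OVERAGE_CLAIM][0]}
    if not groups:
        return {"status": "missing", "groups": groups, "link": None}
    return {"status": "ok", "groups": groups, "link": None}


def build_assertion(attributes):
    """Constructed, unsigned test assertion (real Azure AD assertions are signed)."""
    body = "".join(
        '<Attribute Name="%s">%s</Attribute>'
        % (name, "".join("<AttributeValue>%s</AttributeValue>" % v for v in vals))
        for name, vals in attributes.items())
    return ('<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
            "<AttributeStatement>%s</AttributeStatement></Assertion>" % body)


# Constructed samples: the overage case from this KB and a healthy assertion.
OVERAGE_XML = build_assertion({
    "email": ["cccc@xxx.com"],
    OVERAGE_CLAIM: ["https://graph.windows.net/TENANT-ID/users/USER-ID/getMemberObjects"],
})
OK_XML = build_assertion({"email": ["cccc@xxx.com"],
                          GROUPS_CLAIM: ["bitbucket-users", "bitbucket-admins"]})
```

Run check_group_claim on the decoded response captured from a browser SAML tracer; a status of 'overage' confirms the cause described in this article before any attribute-mapping changes are made.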
Solution
Solution 1
Check and confirm that all user attributes are mapped correctly in Bitbucket. Refer to the similar article for Jira, "SAML error Attribute could not be found".
Solution 2
Reduce the number of groups the user is a member of to fewer than 150.
Solution 3
In the Azure AD group claims settings, restrict the groups emitted in the token to only the groups assigned to the Bitbucket application (groups assigned to the application). This reduces the number of groups returned so that the list is sent directly instead of the groups.link overage claim.