Bitbucket Login error "The Response has an InResponseTo attribute: ONELOGIN while no InResponseTo was expected"

Platform Notice: Data Center Only - This article only applies to Atlassian apps on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Bitbucket users may receive the error "You could not log in. There could be several reasons for this. Please try again." while trying to log in via SSO.

The logs show the error: "Received invalid SAML response: The Response has an InResponseTo attribute: ONELOGIN_A4e540dAA-3da4-1234-5678-8fc78c561234 while no InResponseTo was expected"

Environment

The solution has been validated in Bitbucket Data Center 8.16.2 and 8.19.3, but may be applicable to other versions. This affects Bitbucket Data Center running with:

  • SSO Integration with Microsoft Azure/Entra

  • Reverse proxy or WAF

Diagnosis

The following error will appear in the atlassian-bitbucket.log file:

2024-02-08 10:10:00,310 ERROR [http-nio-7990-exec-2] @918LDWx609x6736x0 userid "POST /plugins/servlet/samlconsumer HTTP/1.1" c.a.p.a.s.w.f.ErrorHandlingFilter [UUID: feaf9e57-ed73-4e93-be05-3315de969b36] Received invalid SAML response: The Response has an InResponseTo attribute: ONELOGIN_a7a4ed04-7599-48cb-aba9-2f5749e9d09e while no InResponseTo was expected com.atlassian.plugins.authentication.sso.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: The Response has an InResponseTo attribute: ONELOGIN_a7a4ed04-7599-48cb-aba9-2f5749e9d09e while no InResponseTo was expected at com.atlassian.plugins.authentication.sso.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:97) at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48) at com.atlassian.plugins.authentication.sso.web.saml.provider.impl.OneloginJavaSamlProvider.extractSamlResponse(OneloginJavaSamlProvider.java:88) at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:98) at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) at com.atlassian.analytics.client.filter.UniversalAnalyticsFilter.doFilter(UniversalAnalyticsFilter.java:75) at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:33) at com.atlassian.plugins.authentication.sso.web.filter.ErrorHandlingFilter.doFilterInternal(ErrorHandlingFilter.java:79) at 
com.atlassian.plugins.authentication.sso.web.filter.AbstractJohnsonAwareFilter.doFilter(AbstractJohnsonAwareFilter.java:29) at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42) at com.atlassian.bitbucket.internal.ratelimit.servlet.filter.RateLimitFilter.doFilter(RateLimitFilter.java:75) at com.opensymphony.sitemesh.webapp.SiteMeshFilter.obtainContent(SiteMeshFilter.java:181) at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:85) at com.atlassian.plugin.connect.plugin.auth.scope.ApiScopingFilter.doFilter(ApiScopingFilter.java:81) at com.atlassian.troubleshooting.thready.filter.AbstractThreadNamingFilter.doFilter(AbstractThreadNamingFilter.java:46) at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42) at com.atlassian.stash.internal.web.auth.AuthorizationFailureInterceptor.doFilterInternal(AuthorizationFailureInterceptor.java:39) at com.atlassian.stash.internal.spring.security.StashAuthenticationFilter.doFilter(StashAuthenticationFilter.java:110) at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doInsideSpringSecurityChain(BeforeLoginPluginAuthenticationFilter.java:112) at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:75) at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:94) at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:67) at com.atlassian.oauth2.provider.core.web.AccessTokenFilter.lambda$doFilter$0(AccessTokenFilter.java:74) at com.atlassian.oauth2.scopes.request.DefaultScopesRequestCache.doWithScopes(DefaultScopesRequestCache.java:34) at 
jdk.internal.reflect.GeneratedMethodAccessor662.invoke(Unknown Source) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at org.eclipse.gemini.blueprint.service.importer.support.internal.aop.ServiceInvoker.doInvoke(ServiceInvoker.java:56) at org.eclipse.gemini.blueprint.service.importer.support.internal.aop.ServiceInvoker.invoke(ServiceInvoker.java:60) at org.eclipse.gemini.blueprint.service.util.internal.aop.ServiceTCCLInterceptor.invokeUnprivileged(ServiceTCCLInterceptor.java:70) at org.eclipse.gemini.blueprint.service.util.internal.aop.ServiceTCCLInterceptor.invoke(ServiceTCCLInterceptor.java:53) at org.eclipse.gemini.blueprint.service.importer.support.LocalBundleContextAdvice.invoke(LocalBundleContextAdvice.java:57) at com.atlassian.oauth2.provider.core.web.AccessTokenFilter.doFilter(AccessTokenFilter.java:71) at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42) at com.atlassian.plugin.connect.plugin.auth.oauth2.DefaultSalAuthenticationFilter.doFilter(DefaultSalAuthenticationFilter.java:69) at com.atlassian.plugin.connect.plugin.auth.user.ThreeLeggedAuthFilter.doFilter(ThreeLeggedAuthFilter.java:109) at com.atlassian.plugins.authentication.sso.web.filter.loginform.DisableNativeLoginAuthFilter.doFilter(DisableNativeLoginAuthFilter.java:55) at com.atlassian.plugins.authentication.basicauth.filter.DisableBasicAuthFilter.doFilter(DisableBasicAuthFilter.java:70) at com.atlassian.jwt.internal.servlet.JwtAuthFilter.doFilter(JwtAuthFilter.java:37) at com.atlassian.analytics.client.filter.DefaultAnalyticsFilter.doFilter(DefaultAnalyticsFilter.java:26) at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:33) at com.atlassian.troubleshooting.thready.filter.AbstractThreadNamingFilter.doFilter(AbstractThreadNamingFilter.java:46) at 
com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42) at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doBeforeBeforeLoginFilters(BeforeLoginPluginAuthenticationFilter.java:90) at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:73) at com.atlassian.stash.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:84) at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38) at java.base/java.lang.Thread.run(Thread.java:829) ... 274 frames trimmed

Capture a HAR while reproducing the issue

Generate a HAR file by following the guide Generating HAR files and analyzing web requests. When analyzing the HAR, you will see that the value of the session-data-xxxx-xxx-xxxx-xxxx cookie sent with the request is empty.

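The HAR check above can be automated. The following script is an added example (not Atlassian's code or part of the original article): it reads a HAR 1.2 file as exported by browser developer tools, picks out the POSTs to /plugins/servlet/samlconsumer, and reports whether each one carried a session-data-<uuid> cookie and whether that cookie was empty. The HAR content embedded below is constructed for illustration; the cookie name suffix, hostname and values are made up.

```python
"""Flag samlconsumer POSTs whose session-data cookie is empty or absent."""
import json
import re
import sys

# Bitbucket's SSO session cookie is named session-data-<uuid>; match any suffix.
SESSION_COOKIE = re.compile(r"^session-data-[0-9a-fA-F-]+$")
SAML_CONSUMER_PATH = "/plugins/servlet/samlconsumer"

# Constructed HAR 1.2 excerpt (not a real capture): an ordinary GET and two
# SAML consumer POSTs, the first with an empty session-data cookie.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {"method": "GET", "url": "https://bitbucket.example.com/login",
                            "headers": [], "cookies": []},
                "response": {"status": 200},
            },
            {
                "request": {
                    "method": "POST",
                    "url": "https://bitbucket.example.com/plugins/servlet/samlconsumer",
                    "headers": [{"name": "Cookie",
                                 "value": "session-data-1111aaaa-2222-3333-4444-555566667777=; other=1"}],
                    "cookies": [],
                },
                "response": {"status": 500},
            },
            {
                "request": {
                    "method": "POST",
                    "url": "https://bitbucket.example.com/plugins/servlet/samlconsumer",
                    "headers": [],
                    "cookies": [{"name": "session-data-1111aaaa-2222-3333-4444-555566667777",
                                 "value": "CONSTRUCTED_OPAQUE_VALUE"}],
                },
                "response": {"status": 302},
            },
        ],
    }
}


def find_saml_consumer_entries(har):
    """Return the HAR entries for POSTs to the SAML consumer servlet."""
    return [
        e for e in har["log"]["entries"]
        if e["request"]["method"].upper() == "POST"
        and SAML_CONSUMER_PATH in e["request"]["url"]
    ]


def session_cookie_status(entry):
    """Return (name, value) of the session-data cookie sent with the request,
    or (None, None) if none was sent. Both the parsed `cookies` array and the
    raw Cookie header are checked, since some tools populate only one."""
    for c in entry["request"].get("cookies", []):
        if SESSION_COOKIE.match(c.get("name", "")):
            return c["name"], c.get("value", "")
    for h in entry["request"].get("headers", []):
        if h["name"].lower() == "cookie":
            for part in h["value"].split(";"):
                name, _, value = part.strip().partition("=")
                if SESSION_COOKIE.match(name):
                    return name, value
    return None, None


def diagnose(har):
    """Classify each samlconsumer POST as 'ok', 'empty' or 'missing'."""
    findings = []
    for entry in find_saml_consumer_entries(har):
        name, value = session_cookie_status(entry)
        verdict = "missing" if name is None else ("empty" if value == "" else "ok")
        findings.append({"url": entry["request"]["url"], "cookie": name,
                         "verdict": verdict, "status": entry["response"]["status"]})
    return findings


def load_har(path):
    """Load a HAR file exported from the browser."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    har = load_har(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HAR
    for f in diagnose(har):
        print(f"{f['verdict']:8} HTTP {f['status']}  cookie={f['cookie']}  {f['url']}")
```

Run it as `python check_har.py capture.har`; with no argument it runs against the constructed sample. An "empty" or "missing" verdict on the samlconsumer POST, combined with the log error above, points at the session cookie being dropped somewhere between the browser and Bitbucket.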

Cause

  • The LDAP Active Directory used to authenticate SAML users is disabled or has other issues.

  • Recent changes to the LDAP configuration that caused a synchronization failure.

  • The error exception "Received invalid SAML response: The Response has an InResponseTo attribute: ONELOGIN_######aBc##fgc while no InResponseTo was expected" is returned mostly when the reverse proxy/WAF (Web Application Firewall) blocks some session data: the session-data-xxxx-xxx-xxxx-xxxx cookies are not being forwarded to the backend server by the reverse proxy/WAF.
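Why a dropped session cookie produces exactly this message: in an SP-initiated SAML login the service provider records the ID of the AuthnRequest it sent in the user's server-side session, and when the IdP posts the Response back it requires the Response's InResponseTo attribute to equal that stored ID. If the session cannot be found (the session-data cookie never reached Bitbucket), the SP has no expected ID, so a Response that still carries InResponseTo is rejected. The following simplified model is an added illustration, not Atlassian's or java-saml's code; the session store, the cookie value, the hostname and the ONELOGIN_ request ID are constructed.

```python
"""Model of the SP-side InResponseTo rule behind the error in this KB."""
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


class InvalidSamlResponse(Exception):
    """Raised when the Response fails the InResponseTo check."""


def validate_in_response_to(response_xml, expected_request_id):
    """Return 'sp-initiated' or 'idp-initiated', or raise InvalidSamlResponse.

    expected_request_id is the AuthnRequest ID the SP stored in the user's
    session when it started the login, or None if no such session state exists
    (a genuine IdP-initiated login, or an SP-initiated login whose session was
    lost)."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise InvalidSamlResponse(f"unexpected root element {root.tag}")
    in_response_to = root.get("InResponseTo")
    if expected_request_id is None:
        if in_response_to is not None:
            # This is the branch the KB's log line comes from.
            raise InvalidSamlResponse(
                f"The Response has an InResponseTo attribute: {in_response_to} "
                "while no InResponseTo was expected")
        return "idp-initiated"
    if in_response_to != expected_request_id:
        raise InvalidSamlResponse(
            f"InResponseTo {in_response_to} does not match the stored "
            f"AuthnRequest ID {expected_request_id}")
    return "sp-initiated"


# Constructed values (not from a real deployment).
REQUEST_ID = "ONELOGIN_00000000-0000-4000-8000-000000000001"
RESPONSE_XML = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_r1" Version="2.0" '
    f'InResponseTo="{REQUEST_ID}" '
    'Destination="https://bitbucket.example.com/plugins/servlet/samlconsumer"/>'
)


def simulate_login(cookie_forwarded):
    """Walk one SP-initiated login. session_store stands in for the server-side
    session that the session-data cookie refers to; cookie_forwarded=False
    models a proxy/WAF that strips the cookie before the request reaches the SP."""
    session_store = {"sid-1": {"authn_request_id": REQUEST_ID}}
    cookie_value = "sid-1" if cookie_forwarded else ""
    session = session_store.get(cookie_value, {})
    try:
        return validate_in_response_to(RESPONSE_XML, session.get("authn_request_id"))
    except InvalidSamlResponse as exc:
        return f"Received invalid SAML response: {exc}"


if __name__ == "__main__":
    print("cookie forwarded:", simulate_login(True))
    print("cookie stripped: ", simulate_login(False))
```

With the cookie forwarded the check passes as an SP-initiated login; with it stripped the same Response yields the "no InResponseTo was expected" rejection, which is why the fix is on the proxy/WAF path rather than in the IdP configuration.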

Solution

If using a reverse proxy/WAF, inspect the traffic on the reverse proxy and identify where the session cookie data is being filtered out. Ensure that the session cookie data is forwarded from the reverse proxy to the backend servers.

For other causes, first confirm whether the issue falls under one of the scenarios explained below:

Scenario 1

When Basic Authentication (Username and Password) is disabled on the Login Page as well as for the REST API (“Allow basic authentication on API calls” disabled):


Scenario 1 internally covers two different use cases:

Use Case 1

A Bitbucket System Admin user exists as an Internal Directory user in Bitbucket and was added to the allowed_users list before Basic Authentication was disabled completely (from both the Login Option and API calls):

  • To learn how to add a user to the allowed_users list in advance, before “Allow basic authentication on API calls” is disabled, follow this KB: Creating an allowlist when basic authentication is disabled

  • Initially (when the System Admin user “admin” has already been added to the allow list above), check the options on the Authentication Methods page in Bitbucket Administration:

  • Run a GET API call using the already added System Admin user of the internal directory. The API result shows that block-requests is set to true; it needs to be set to false to let users log in to Bitbucket.

  • To resolve this scenario, run the PUT call using the admin user to change block-requests to false:


Once done, follow the steps under the Scenario 2 heading below to resolve the issue.

Use Case 2

A Bitbucket System Admin user, whether an LDAP user or not, was added to the allowed_users list before Basic Authentication was disabled completely (from both the Login Option and API calls).

In this case, your only option is the recovery_admin user (by enabling the lockout_recovery process), but that user is not allowed to change “Allow basic authentication on API calls” once it is already disabled. You will neither be able to log in to Bitbucket using username and password (the Bitbucket UI shows a “Login form disabled” error when trying with the recovery_admin user), nor be able to run any REST API relevant to this issue, such as enabling auth_fallback or adding an allowed user list to Bitbucket.

Every API call will return the following error:


To resolve this scenario, the only option is to access the database and update the following table, after taking a complete backup of the database.

  • Query the plugin_setting database table first:

SELECT t.* FROM public.plugin_setting t WHERE namespace ILIKE 'com.atlassian.plugins.authentication.basicauth' OR key_name ILIKE 'com.atlassian.plugins.authentication.basicauth' OR key_value ILIKE 'com.atlassian.plugins.authentication.basicauth' LIMIT 10;
  • Then use the query below to change the “Allow basic authentication on API calls” option:

UPDATE plugin_setting SET key_value = 'false' WHERE id = <id>;
Replace <id> with the id returned by the first query.
  • Now use the recovery_admin user to enable auth_fallback, and log in to Bitbucket.


Once done, apply the required changes to initiate the LDAP synchronization, or check whether there is an issue with the LDAP configuration, such as the password. You can also verify whether synchronization is working correctly.

Scenario 2

When Basic Authentication is disabled on the Login Page but “Allow basic authentication on API calls” is enabled:


If you have a system admin user in the internal directory: enable auth_fallback using the article and log in with the system admin user.

If you don’t have a system admin user in the internal directory: enable lockout recovery first to get the recovery_admin user. Once done, enable auth_fallback with the help of the recovery_admin user and log in. Then apply the required changes and initiate the LDAP synchronization.

Updated on June 12, 2025
