The Assertion of the Response is not signed and the SP requires it

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product; however, they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

When logging in with SAML for Data Center, authentication fails and the following error appears in atlassian-bitbucket.log:

2017-09-21 12:26:11,880 ERROR [http-nio-7990-exec-2] @1MAHJEQx746x27x0 16nwgem 172.18.0.1,172.18.0.3 "POST /plugins/servlet/samlconsumer HTTP/1.1" c.a.p.a.i.w.f.ErrorHandlingFilter Received invalid SAML response: The Assertion of the Response is not signed and the SP requires it
com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: The Assertion of the Response is not signed and the SP requires it
    at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:89)
    at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48)
    at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.extractSamlResponse(OneloginJavaSamlProvider.java:80)
    at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:87)
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
    at com.atlassian.analytics.client.filter.UniversalAnalyticsFilter.doFilter(UniversalAnalyticsFilter.java:92)
    at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:39)
    at com.atlassian.plugins.authentication.impl.web.filter.ErrorHandlingFilter.doFilter(ErrorHandlingFilter.java:8 (truncated)

Cause

  1. The IdP signs only the Response, not the Assertion. Bitbucket currently requires the Assertion to be signed, so once the issuer check passes, authentication fails with the error: "The Assertion of the Response is not signed and the SP requires it".

  2. The values of com.atlassian.plugins.authentication.samlconfig.sso-issuer and com.atlassian.plugins.authentication.samlconfig.sso-url contain trailing whitespace characters.

Resolution

  1. Configure the SAML identity provider to provide a signed Assertion. The identity provider's settings should include a drop-down option for this.

  2. Remove any whitespace characters in Bitbucket's SAML configuration.

Updated on April 8, 2025
