Confluence Data Center SAML Login fails with 'The Assertion of the Response is not signed and the SP requires it' error
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Fix issue with Confluence Data Center SAML login failing with "The Assertion of the Response is not signed and the SP requires it" error.
Diagnosis
This error can be found in the <confluence-home>/logs/atlassian-confluence.log file:
1
2
3
4
5
2020-11-05 19:31:26,145 ERROR [http-nio-8080-exec-5] [impl.web.filter.ErrorHandlingFilter] doFilter Received invalid SAML response: The Assertion of the Response is not signed and the SP requires it
-- referer: http://localhost/ | url: /plugins/servlet/samlconsumer | traceId: 3f3a4489610d4a68 | userName: username
com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: The Assertion of the Response is not signed and the SP requires it
at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:89)
at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48)Cause
The IDP signs the Response only, but not the Assertion. Currently, Confluence requires the Assertion to be signed, so once the issuer check passes, the authentication fails with an error: "The Assertion of the Response is not signed and the SP requires it".
Solution
Configure the SAML identity provider to provide a signed Assertion.
Was this helpful?