"Found an Attribute element with duplicated Name" error when users try to log in using SSO
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
When a user tries to log in to Jira using SSO, the login fails and the error "Found an Attribute element with duplicated Name" appears in the atlassian-jira.log file.
Environment
v8.15.x and onwards
Diagnosis
Go to Logging and profiling, add the packages below, and set them to DEBUG. These packages add traces with SAML attribute details to the logs.
com.onelogin.saml2
com.atlassian.plugins.authentication
In the atlassian-jira.log file, you can see the SAML response with multiple values returned for the Role attribute:
<saml:Attribute Name="Role" ... jira-administrators
<saml:Attribute Name="Role" ... jira-license
<saml:Attribute Name="Role" ... jira-system-administrators
</saml:Attribute>
<saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jira-administrators</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jira-license</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jira-system-administrators</saml:AttributeValue>
</saml:Attribute>
Cause
Based on the Jira source code, attribute processing during login runs through the steps below, and the user login fails at the last one:
Return all the attribute names from the assertion.
Check to see if duplicates are allowed.
Either continue or stop here depending on that setting. If there are duplicates, we'll get:
Found an Attribute element with duplicated Name
Source code
NodeList nodes = this.queryAssertion("/saml:AttributeStatement/saml:Attribute");
if (nodes.getLength() != 0) {
    for (int i = 0; i < nodes.getLength(); i++) {
        NamedNodeMap attrName = nodes.item(i).getAttributes();
        String attName = attrName.getNamedItem("Name").getNodeValue();
        // Reject an Attribute element whose Name was already seen, unless repeats are allowed
        if (attributes.containsKey(attName) && !settings.isAllowRepeatAttributeName()) {
            throw new ValidationError("Found an Attribute element with duplicated Name", ValidationError.DUPLICATED_ATTRIBUTE_NAME_FOUND);
        }
        // (excerpt ends here; the rest of the loop body is not shown)
    }
}
Solution
The IDP team should ensure that they don't send multiple values for the Role attribute, and should review the IDP configuration in such a case.
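To see which attribute names the IDP repeats, before and after the IDP configuration change, a SAML assertion copied from the DEBUG log can be checked offline. The Python script below is an added example, not Atlassian or OneLogin code; its function names and the sample assertion are constructed for illustration, and it mirrors only the Name check shown in the source excerpt above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, modelled on the log excerpt in the Diagnosis section.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role"><saml:AttributeValue>jira-administrators</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role"><saml:AttributeValue>jira-license</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role"><saml:AttributeValue>jira-system-administrators</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def duplicated_attribute_names(xml_text):
    """Return {Name: [values...]} for every Name carried by more than one
    saml:Attribute element, the condition the source excerpt rejects."""
    root = ET.fromstring(xml_text)  # offline diagnosis of a log excerpt only
    values = defaultdict(list)      # Name -> values collected across elements
    elements = defaultdict(int)     # Name -> number of Attribute elements
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        elements[name] += 1
        for val in attr.iterfind("saml:AttributeValue", NS):
            values[name].append((val.text or "").strip())
    return {n: values[n] for n, count in elements.items() if count > 1}


def check(xml_text, allow_repeat_attribute_name=False):
    """Mirror the excerpt's decision: fail on a repeated Name unless allowed."""
    dupes = duplicated_attribute_names(xml_text)
    if dupes and not allow_repeat_attribute_name:
        raise ValueError("Found an Attribute element with duplicated Name: "
                         + ", ".join(sorted(dupes)))
    return dupes


if __name__ == "__main__":
    for name, vals in duplicated_attribute_names(SAMPLE).items():
        print(f"{name}: repeated across Attribute elements, values {vals}")
```

An empty result for the assertion logged after the IDP change means no attribute name is repeated any more.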