InResponseTo errors when using the SSO for Atlassian Data Center plugin

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Issues appear with the SSO for Atlassian Data Center plugin in Jira Data Center if a modified version of Tomcat's context.xml is used.

This stops the login process with the IDP from completing, so users cannot log in to Jira Data Center while using SSO.

Environment

Jira Data Center 9.4.9

Diagnosis

When SSO login attempts fail, reviewing the atlassian-jira.log file will show the following errors relating to the InResponseTo attribute:

2023-08-14 15:19:08,609-0700 http-nio-8080-exec-693 ERROR anonymous 919x460108x1 /plugins/servlet/samlconsumer [c.o.saml2.authn.SamlResponse] The Response has an InResponseTo attribute: ONELOGIN_f9e9910e-7c1b-4863-a715-597f1f4473a3 while no InResponseTo was expected
2023-08-14 15:19:08,615-0700 http-nio-8080-exec-693 ERROR anonymous 919x460108x1 /plugins/servlet/samlconsumer [c.onelogin.saml2.Auth] processResponse error. invalid_response

When a login is initiated from Jira, the response from the IDP contains the InResponseTo attribute. Jira generates a request id, stores it in the session, and sends the user to the IDP.

The IDP will respond with a SAML response, containing InResponseTo, which should be set to the request id. If the InResponseTo doesn't match the request id in the session, this error appears.
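An added example, not the plugin's or Atlassian's code: the InResponseTo check described above, run over constructed responses, including the case where the session no longer holds a request id. The session key saml_request_id and both function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


def check_in_response_to(response_xml, session):
    """Compare a SAML Response's InResponseTo with the request ID in the session."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a SAML Response"
    received = root.get("InResponseTo")
    expected = session.get("saml_request_id")  # hypothetical session key
    if expected is None and received is not None:
        # The session holds no request ID (for example, the browser's session
        # cookie did not map back to the session that started the login).
        return False, f"InResponseTo {received} present while none was expected"
    if expected is not None and received != expected:
        return False, f"InResponseTo {received} does not match request ID {expected}"
    return True, "ok"


def make_response(in_response_to=None):
    """Build a constructed Response element for the demo.

    It is unsigned; a real service provider also verifies the signature.
    """
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_constructed" Version="2.0"{attr}/>'


if __name__ == "__main__":
    rid = "ONELOGIN_constructed-0001"  # constructed request ID
    cases = {
        "session kept": {"saml_request_id": rid},
        "session lost": {},
        "other login": {"saml_request_id": "ONELOGIN_constructed-0002"},
    }
    for name, session in cases.items():
        print(name, check_in_response_to(make_response(rid), session))
```

The "session lost" case produces the same kind of rejection as the first log line above: the response carries an InResponseTo value, but nothing in the session says one was expected.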

Cause

According to Tomcat 9's documentation (included with Jira Data Center 9.4.9), Tomcat has a configurable cookie processor:

The CookieProcessor element represents the component that parses received cookie headers into javax.servlet.http.Cookie objects accessible through HttpServletRequest.getCookies() and converts javax.servlet.http.Cookie objects added to the response through HttpServletResponse.addCookie() to the HTTP headers returned to the client. A CookieProcessor element MAY be nested inside a Context component. If it is not included, a default implementation will be created automatically.

This element can be added to the context.xml file, but in an out-of-the-box deployment of Jira Data Center 9.4.9 the cookie processor isn't used.

Solution

Removing references to <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor"/> from the context.xml will allow the SSO login to complete successfully.

Updated on March 18, 2025
