Jira AD FS SAML SSO Login fails with "No name id found in Document"

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Jira is configured for SAML single sign-on with Active Directory Federation Services (AD FS). Users get an error when logging in to Jira using SSO.

Environment

Jira Data Center

Diagnosis

When reviewing atlassian-jira.log for the affected user login, the error "No name id found in Document" is seen:

2024-06-24 08:29:51,845+0300 https-openssl-nio-8443-exec-108 ERROR <user_id> 509x2042473x2 nvif9c 10.1.177.178 /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] [UUID: 40e98aa3-c065-4535-9cef-badfc82ebc32] com.onelogin.saml2.exception.ValidationError: No name id found in Document.
com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: com.onelogin.saml2.exception.ValidationError: No name id found in Document.
    at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:92)
    at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48)
    at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.extractSamlResponse(OneloginJavaSamlProvider.java:87)

Cause

The "NameID" attribute is missing from the Outgoing Claim Type configuration on AD FS.

Solution

To resolve this, add the "NameID" attribute as the Outgoing Claim Type in your claim rule on AD FS.

Follow the steps below:

  1. From your AD FS console, select the “Relying Party Trusts” folder.

  2. Select the trust you have created for your Jira application, right-click on it, and choose “Edit Claim Issuance Policy…”.

  3. On the Issuance Transform Rules screen, select the respective rule and click the “Edit Rule…” button.

  4. In the Edit Rule dialog, either add a new unique identifier (e.g., SAM-Account-Name) or edit the existing unique identifier (e.g., SAM-Account-Name) and map it to the Outgoing Claim Type “Name ID.”

    Note: If you used SSO for Atlassian Data Center for the SAML SSO setup in Jira and the "username mapping" attribute is mapped to NameID, then on AD FS you can map "NameID" to an attribute that identifies the user's username in Jira. Refer to SAML single sign-on for Atlassian Data Center applications for more details.

  5. Save the changes and then test again.
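To confirm what AD FS actually sends before and after the claim rule change, the following added example (not part of the original article or any Atlassian tooling) decodes the base64 SAMLResponse form field posted to /plugins/servlet/samlconsumer and reports whether the assertion's Subject contains a NameID. The function name and the two sample responses are constructed for illustration; it assumes an unencrypted assertion and the HTTP-POST binding.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def inspect_saml_response(b64_response):
    """Per assertion: is there a Subject NameID, and which attributes were sent?
    Diagnostic only: it does not validate signatures or conditions."""
    xml_bytes = base64.b64decode(b64_response)
    # A SAML response never needs a DTD; refuse one rather than expand entities.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("unexpected DTD or entity declaration")
    root = ET.fromstring(xml_bytes)
    assertions = root.findall("saml:Assertion", NS)
    if not assertions and root.find("saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; decrypt it before inspecting")
    report = []
    for assertion in assertions:
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        value = (name_id.text or "").strip() if name_id is not None else None
        report.append({
            "has_name_id": bool(value),
            "name_id": value,
            "format": name_id.get("Format") if name_id is not None else None,
            "attributes": [a.get("Name") for a in assertion.findall(
                "saml:AttributeStatement/saml:Attribute", NS)],
        })
    return report

def _constructed_response(subject_children):
    """Build a minimal, unsigned sample response (constructed, not captured)."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
           f'<saml:Assertion><saml:Subject>{subject_children}</saml:Subject>'
           '<saml:AttributeStatement><saml:Attribute Name="upn">'
           '<saml:AttributeValue>jdoe@example.com</saml:AttributeValue>'
           '</saml:Attribute></saml:AttributeStatement>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

CONFIRMATION = '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
NAME_ID = ('<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
           'jdoe</saml:NameID>')
SAMPLE_WITHOUT_NAME_ID = _constructed_response(CONFIRMATION)
SAMPLE_WITH_NAME_ID = _constructed_response(NAME_ID + CONFIRMATION)

if __name__ == "__main__":
    for label, sample in [("before", SAMPLE_WITHOUT_NAME_ID), ("after", SAMPLE_WITH_NAME_ID)]:
        print(label, inspect_saml_response(sample))
```

A response where has_name_id is False corresponds to the "No name id found in Document" error; after the rule change, name_id should hold the value Jira is expected to match as the username.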

Updated on March 11, 2025
