Jira SAML error Attribute could not be found
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
After configuring JIT user provisioning, login fails with an error similar to: "Attribute [jira-software-users] could not be found".
Environment
Jira Data Center with SAML SSO for Jira Data Center applications enabled.
Diagnosis
When attempting to log in after configuring SAML SSO for Jira Data Center, login fails and an error similar to the example below is seen in the atlassian-jira.log file:
2021-08-23 19:00:00,446+0000 http-nio-8080-exec-45 ERROR anonymous - /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Attribute [jira-software-users] could not be found
com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.JitException: Attribute [jira-software-users] could not be found
at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapGroups(SamlUserDataFromIdpMapper.java:64)
at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapUser(SamlUserDataFromIdpMapper.java:36)
at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:102)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:652)
Cause
The JIT provisioning field 'Groups' does not accept mapping expressions: it must contain only the name of the SAML attribute (claim) whose values are the list of group names. In this example, 'jira-software-users' is not an attribute name but one of the values the Identity Provider (IdP) sends inside its group attribute, so Jira looks for an attribute literally named 'jira-software-users', does not find it in the assertion, and rejects the login. The error will recur on every login attempt until the 'Groups' field holds the correct attribute name.
Solution
Change the JIT provisioning field 'Groups' to the name of the attribute, as configured on the IdP, that carries the list of group names (commonly something like 'groups' or 'memberOf'; the exact name depends on the IdP configuration). If unsure which name the IdP uses, capture the SAML response during a login with a browser SAML tracer and read the Name of the Attribute element whose AttributeValue children are the group names. Because the groups delivered through this attribute are used to assign permissions in Jira, confirm that the attribute you choose is populated by the IdP from directory membership and is not user-editable.
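To make the distinction between an attribute name and an attribute value concrete, the following added example (not Atlassian's code, and not the internals of the SAML SSO plugin) parses a constructed SAML AttributeStatement and resolves the JIT 'Groups' field the way the stack trace above implies: a plain lookup by attribute name, with no expression evaluation. The attribute name "groups", the email attribute and the sample values are assumptions made for the illustration.

```python
"""Added example: resolving the JIT 'Groups' field against a SAML assertion.

This is illustrative code, not the Atlassian SAML SSO plugin. The assertion
below is constructed for the example; the attribute name "groups" is an
assumption, and real IdPs often use other names (e.g. a long claim URI or
"memberOf").
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IdP response). Note that
# "jira-software-users" appears only as a *value* of the "groups" attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>jira-software-users</saml:AttributeValue>
      <saml:AttributeValue>jira-administrators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class JitException(Exception):
    """Raised with the same message format seen in atlassian-jira.log."""


def parse_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if name is None:
            continue
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[name] = values
    return attrs


def map_groups(attributes: dict[str, list[str]], groups_field: str) -> list[str]:
    """Resolve the JIT 'Groups' field.

    The field is treated as a bare attribute name: no expressions, no literal
    group names. A group name entered here is looked up as an attribute and,
    since no attribute has that Name, the lookup fails.
    """
    if groups_field not in attributes:
        raise JitException(f"Attribute [{groups_field}] could not be found")
    return attributes[groups_field]


def resolve_groups(assertion_xml: str, groups_field: str) -> tuple[bool, list[str] | str]:
    """Convenience wrapper: (True, groups) on success, (False, error message) on failure."""
    try:
        return True, map_groups(parse_attributes(assertion_xml), groups_field)
    except JitException as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Misconfigured: a group name was entered in the 'Groups' field.
    print(resolve_groups(SAMPLE_ASSERTION, "jira-software-users"))
    # Correct: the attribute name that carries the group list.
    print(resolve_groups(SAMPLE_ASSERTION, "groups"))
```

Run against the constructed assertion, the first call reproduces the "Attribute [jira-software-users] could not be found" condition from the log, and the second returns the two group names the IdP sent.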
Additional Notes
Feature request: SAMLDC-77 "As an administrator I would like to transform JIT synchronized group names (aka group name mapping)". Since groups synchronized to Atlassian applications can be used to assign permissions (project, space, etc.), some group names from the IdP might not be easily recognized by users, e.g. with Azure AD + JIT.