Jira users face an error "We can't log you in right now" intermittently while trying to login using SSO
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Intermittently users are landing on error pages when trying to log in to Jira using SSO:
1
2
3
We can't log you in right now
Please contact your administrator. Give them this error identifier:
<error identifier>Upon refreshing, the application returns them to log in and they can log in fine.
Environment
Jira Data Center (on any version from 8.0.0), configured with the Crowd application as the Identity Provider
Crowd is running behind an AWS ELB (Elastic Load Balancer)
Diagnosis
The HAR file shows a close connection with 400 Bad Request for samlconsumer call.
Search into the atlassian-jira.log* log files for the Request ID found in the HAR file (X-AREQUESTID). If you notice the Connection reset error for the /plugins/servlet/samlconsumer endpoint call as illustrated in the error below, then this KB article might be relevant:
1
2
3
4
5
6
7
8
9
10
11
12
2024-02-12 14:25:23,882-0500 http-nio-8080-exec-22 ERROR anonymous <requestID> <username> 72.85.41.7,23.194.131.221,23.40.19.162,23.52.43.8,10.244.11.173,127.0.0.1 /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] [UUID: 9801bfc7-8db6-4be7-bc28-26ff85d8c785] Error authenticating usercom.atlassian.plugins.authentication.impl.web.usercontext.AuthenticationFailedException: Error authenticating user at com.atlassian.plugins.authentication.impl.web.usercontext.impl.embeddedcrowd.EmbeddedCrowdPrincipalResolver.resolvePrincipal(EmbeddedCrowdPrincipalResolver.java:50) at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:109) at javax.servlet.http.HttpServlet.service(HttpServlet.java:555)
..trimmed
Caused by: com.atlassian.crowd.exception.runtime.OperationFailedException: javax.net.ssl.SSLException: Connection reset
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.userAuthenticated(CrowdServiceImpl.java:113)
at com.atlassian.jira.user.JiraDelegatingCrowdService.userAuthenticated(JiraDelegatingCrowdService.java:44)
at com.atlassian.jira.user.JiraCrowdService.userAuthenticated(JiraCrowdService.java:140)
at sun.reflect.GeneratedMethodAccessor16497.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at com.atlassian.plugin.util.ContextClassLoaderSettingInvocationHandler.invoke(ContextClassLoaderSettingInvocationHandler.java:26)
at com.sun.proxy.$Proxy314.userAuthenticated(Unknown Source)
... 2 filtered
Comparing the HAR files for both successful and unsuccessful login and after setting the org.apache.http package to DEBUG via the page ⚙ > System > Logging and profiling, you should see the same "Connection reset" for the /plugins/servlet/samlconsumer endpoint for the unsuccessful login:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
2024-02-20 17:22:45,578-0500 http-nio-8080-exec-22 DEBUG anonymous 1042x1285243x1 tlbxz3 72.85.41.7,23.44.202.150,23.44.170.50,10.244.11.137,127.0.0.1 /plugins/servlet/samlconsumer [o.apache.http.headers] http-outgoing-98148 >> POST /rest/usermanagement/1/authentication/notify?username=xyz HTTP/1.1
2024-02-20 17:22:45,578-0500 http-nio-8080-exec-22 DEBUG anonymous 1042x1285243x1 tlbxz3 72.85.41.7,23.44.202.150,23.44.170.50,10.244.11.137,127.0.0.1 /plugins/servlet/samlconsumer [o.apache.http.headers] http-outgoing-98148 >> Accept: application/xml
2024-02-20 17:22:45,578-0500 http-nio-8080-exec-22 DEBUG anonymous 1042x1285243x1 tlbxz3 72.85.41.7,23.44.202.150,23.44.170.50,10.244.11.137,127.0.0.1 /plugins/servlet/samlconsumer [o.apache.http.headers] http-outgoing-98148 >> Content-Length: 66
2024-02-20 17:22:45,578-0500 http-nio-8080-exec-22 DEBUG anonymous 1042x1285243x1 tlbxz3 72.85.41.7,23.44.202.150,23.44.170.50,10.244.11.137,127.0.0.1 /plugins/servlet/samlconsumer [o.apache.http.headers] http-outgoing-98148 >> Content-Type: application/xml; charset=UTF-8
2024-02-20 17:22:45,578-0500 http-nio-8080-exec-22 DEBUG anonymous 1042x1285243x1 tlbxz3 72.85.41.7,23.44.202.150,23.44.170.50,10.244.11.137,127.0.0.1 /plugins/servlet/samlconsumer [o.apache.http.headers] http-outgoing-98148 >> Host: crowd.hostname.com
2024-02-20 17:22:45,578-0500 http-nio-8080-exec-22 DEBUG anonymous 1042x1285243x1 tlbxz3 72.85.41.7,23.44.202.150,23.44.170.50,10.244.11.137,127.0.0.1 /plugins/servlet/samlconsumer [o.apache.http.headers] http-outgoing-98148 >> Connection: Keep-Alive
2024-02-20 17:22:45,578-0500 http-nio-8080-exec-22 DEBUG anonymous 1042x1285243x1 tlbxz3 72.85.41.7,23.44.202.150,23.44.170.50,10.244.11.137,127.0.0.1 /plugins/servlet/samlconsumer [o.apache.http.headers] http-outgoing-98148 >> User-Agent: Apache-HttpClient/4.5.13 (Java/1.8.0_362)
2024-02-20 17:22:45,578-0500 http-nio-8080-exec-22 DEBUG anonymous 1042x1285243x1 tlbxz3 72.85.41.7,23.44.202.150,23.44.170.50,10.244.11.137,127.0.0.1 /plugins/servlet/samlconsumer [o.apache.http.headers] http-outgoing-98148 >> Cookie: JSESSIONID=A8A553FDC52761F3C2BD25289603B988; AWSALB=08EXptHHIjbTMsojEkn7DcnNqDvsCmTt2hKq9A0juM31MorJuNuf/CBFrxesZt07FrgF3RFq/Oudc6c8fgQGpTY9DH9C/whUMrboyQp0LmT+oJxSlFcSpZWWZwrA; AWSALBCORS=08EXptHHIjbTMsojEkn7DcnNqDvsCmTt2hKq9A0juM31MorJuNuf/CBFrxesZt07FrgF3RFq/Oudc6c8fgQGpTY9DH9C/whUMrboyQp0LmT+oJxSlFcSpZWWZwrA
2024-02-20 17:22:45,578-0500 http-nio-8080-exec-22 DEBUG anonymous 1042x1285243x1 tlbxz3 72.85.41.7,23.44.202.150,23.44.170.50,10.244.11.137,127.0.0.1 /plugins/servlet/samlconsumer [o.apache.http.headers] http-outgoing-98148 >> Accept-Encoding: gzip,deflate
2024-02-20 17:22:45,578-0500 http-nio-8080-exec-22 DEBUG anonymous 1042x1285243x1 tlbxz3 72.85.41.7,23.44.202.150,23.44.170.50,10.244.11.137,127.0.0.1 /plugins/servlet/samlconsumer [o.apache.http.headers] http-outgoing-98148 >> Via: 1.1 localhost (Apache-HttpClient/4.5.13 (cache))
2024-02-20 17:22:45,578-0500 http-nio-8080-exec-22 DEBUG anonymous 1042x1285243x1 tlbxz3 72.85.41.7,23.44.202.150,23.44.170.50,10.244.11.137,127.0.0.1 /plugins/servlet/samlconsumer [o.apache.http.headers] http-outgoing-98148 >> Authorization: Basic ZWxjLWppcmEtZGV2OnlMY2VDclFCRXRBL01oOU45VDs=
2024-02-20 17:22:45,581-0500 http-nio-8080-exec-22 DEBUG anonymous 1042x1285243x1 tlbxz3 72.85.41.7,23.44.202.150,23.44.170.50,10.244.11.137,127.0.0.1 /plugins/servlet/samlconsumer [o.a.h.impl.conn.DefaultManagedHttpClientConnection] http-outgoing-98148: "[read] I/O error: Connection reset"
2024-02-20 17:22:45,581-0500 http-nio-8080-exec-22 DEBUG anonymous 1042x1285243x1 tlbxz3 72.85.41.7,23.44.202.150,23.44.170.50,10.244.11.137,127.0.0.1 /plugins/servlet/samlconsumer [o.a.h.impl.conn.DefaultManagedHttpClientConnection] http-outgoing-98148: Close connection
2024-02-20 17:22:45,582-0500 http-nio-8080-exec-22 DEBUG anonymous 1042x1285243x1 tlbxz3 72.85.41.7,23.44.202.150,23.44.170.50,10.244.11.137,127.0.0.1 /plugins/servlet/samlconsumer [o.a.h.impl.conn.DefaultManagedHttpClientConnection] http-outgoing-98148: Shutdown connectionThe intermittent login issue, coupled with a decoding of the SAML response showing no issues in there, indicates that the problem does not lie with the SAML certificate or Jira configuration. Instead, the issue may stem from the configuration at the Identity Provider (IDP).
Cause
In the scenario described in this KB article, Jira is integrated with Crowd which acts as a centralized authentication and single sign-on for Jira, and the Crowd server is running behind a proxy. As it's the reverse proxy that is returning the headers, we need to look at its configuration. With longer keep-alive settings, the org.apache.http library runs into issues with establishing the next connection.
Solution
Try reducing the keep-alive settings to a reasonable value like 5 seconds in the reverse proxy setting. For AWSELB, we can usethis guide.
Was this helpful?