Received invalid SAML response: A valid SubjectConfirmation was not found on this Response: SubjectConfirmationData doesn't match a valid Recipient

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Symptoms

After configuring JIRA Data Center SAML the following error may be observed:

The following appears in the atlassian-jira.log

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 2018-01-25 23:02:01,537 http-nio-8080-exec-13 ERROR USERABC 1382x101603x4 xxxxxx 10.0.0.10,10.0.1.10 /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received invalid SAML response: A valid SubjectConfirmation was not found on this Response: SubjectConfirmationData doesn't match a valid Recipient com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: A valid SubjectConfirmation was not found on this Response: SubjectConfirmationData doesn't match a valid Recipient at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:72) at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48) at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.extractSamlResponse(OneloginJavaSamlProvider.java:63) at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:97) at javax.servlet.http.HttpServlet.service(HttpServlet.java:648) at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) at com.atlassian.plugin.servlet.DelegatingPluginServlet.service(DelegatingPluginServlet.java:37) at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) at com.atlassian.plugin.servlet.ServletModuleContainerServlet.service(ServletModuleContainerServlet.java:45) at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) ... 52 filtered at com.atlassian.plugins.authentication.impl.web.filter.ErrorHandlingFilter.doFilter(ErrorHandlingFilter.java:83) ... 3 filtered at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21) ... 58 filtered at com.atlassian.jira.security.JiraSecurityFilter.lambda$doFilter$0(JiraSecurityFilter.java:76) ... 1 filtered at com.atlassian.jira.security.JiraSecurityFilter.doFilter(JiraSecurityFilter.java:74) ... 37 filtered at com.atlassian.jira.servermetrics.CorrelationIdPopulatorFilter.doFilter(CorrelationIdPopulatorFilter.java:30) ... 10 filtered at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21) ... 4 filtered at com.atlassian.web.servlet.plugin.LocationCleanerFilter.doFilter(LocationCleanerFilter.java:36) ... 29 filtered at com.atlassian.jira.servermetrics.MetricsCollectorFilter.doFilter(MetricsCollectorFilter.java:25) ... 27 filtered at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745)

Diagnosis

Environment

  • JIRA Data Center with SAML configured

Diagnostic Steps

  • Retrieve the details from How to view SAML responses in your browser for troubleshooting for SAML Response

  • Verify the Recipient under SubjectConfirmationData, example

    1 2 3 <saml2:SubjectConfirmationData InResponseTo="_88cexxxxx-xx00-4xxd-bxxd-xxxxxxxxx" NotOnOrAfter="2016-09-14T13:40:14.351Z" Recipient="http://pp:5990/product/plugins/servlet/samlconsumer"/>

Cause

This indicates a mismatch between the Recipient of the SubjectConfirmationData section received in the SAML Response with compared to the URL used in Jira and can be caused by either:

  1. A mismatch of the base URL configured in the server.xml cause the same error.

    OR

  2. The wrong connector ("JIRA (On-prem)") is being used on OneLogin side

Solution

Resolution

Ensure the Recipient of the SubjectConfirmationData returned by the SAML response matches.

Resolution for Cause 1

  • The base URL used in Jira and the server.xml under the proxyName parameter are matching.

Resolution for Cause 2

  • Use the "SAML Test Connector (Advanced)" at OneLogin to configure the integration

Updated on April 2, 2025
Platform
Data Center only
Product
Jira Software Data Center
On this pageSummaryDiagnosisCauseSolution

Still need help?

The Atlassian Community is here for you.
Ask the Community