Received invalid SAML response: is not a valid audience for this Response
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
After configuring JIRA Data Center SAML the following error may be observed:
com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: https://jira.atlassian.com is not a valid audience for this Response
at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:89)
at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48)
at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.extractSamlResponse(OneloginJavaSamlProvider.java:80)
at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:87)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at com.atlassian.plugin.servlet.DelegatingPluginServlet.service(DelegatingPluginServlet.java:37)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at com.atlassian.plugin.servlet.ServletModuleContainerServlet.service(ServletModuleContainerServlet.java:45)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
Cause
This indicates a mismatch between the Audience URL (Entity ID) that JIRA presents during the SAML configuration and the value configured on the Identity Provider. In ADFS 3.0 the Audience URL (Entity ID) is referred to as the Relying Party Identifier. These values must match exactly: the comparison is a literal string comparison, so a difference in a trailing slash, scheme, port or letter case is enough to fail it.
If JIRA provides an Audience URL (Entity ID) of:
and the Identity Provider is configured as:
the audiences will not be considered matching because of the trailing / in the second URL, and the above error will be seen.
Resolution
Ensure the Identity Provider (IdP) Relying Party Identifier matches, character for character, the Audience URL (Entity ID) shown in the JIRA SAML configuration.
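The following is an added example, not code from the Atlassian SSO plugin, illustrating the exact-match audience check described in the Cause and Resolution sections above. It parses the AudienceRestriction of a constructed minimal SAML Response (signature and other elements omitted), compares each Audience value literally against the Entity ID the service provider expects, and, when the check fails, reports the kind of near-miss (trailing slash, letter case) an administrator should look for. The Entity ID https://jira.example.com and the sample XML are constructed for this example.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the Response and Assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample Response: the IdP was configured with a trailing slash,
# while the service provider's Entity ID is "https://jira.example.com".
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://jira.example.com/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def extract_audiences(response_xml):
    """Return every <saml:Audience> value in the Response, whitespace-trimmed.

    xml.etree is used here for a self-contained example; a production
    consumer should parse untrusted XML with a hardened parser such as
    defusedxml and verify the Assertion signature before trusting anything.
    """
    root = ET.fromstring(response_xml)
    return [(a.text or "").strip() for a in root.findall(".//saml:Audience", NS)]


def validate_audience(response_xml, expected_entity_id):
    """Literal audience check: the expected Entity ID must appear verbatim.

    Returns None when the Response is acceptable, otherwise the error text in
    the same form as the plugin's InvalidSamlResponse message. An Assertion
    with no AudienceRestriction is rejected as well (conservative choice).
    """
    audiences = extract_audiences(response_xml)
    if expected_entity_id in audiences:
        return None
    return ("Received invalid SAML response: %s is not a valid audience for "
            "this Response" % expected_entity_id)


def explain_mismatch(expected_entity_id, audiences):
    """Diagnostic hint for administrators: name the near-miss, if any.

    The validator itself never normalizes; this only helps locate the typo
    on the IdP side so the two values can be made identical.
    """
    for audience in audiences:
        if audience == expected_entity_id:
            return "exact match"
        if audience.rstrip("/") == expected_entity_id.rstrip("/"):
            return "trailing slash differs"
        if audience.lower() == expected_entity_id.lower():
            return "letter case differs"
    return "no near match"


if __name__ == "__main__":
    entity_id = "https://jira.example.com"
    error = validate_audience(SAMPLE_RESPONSE, entity_id)
    if error:
        print(error)
        print("hint:", explain_mismatch(entity_id, extract_audiences(SAMPLE_RESPONSE)))
    else:
        print("audience accepted")
```

Run as a script, the sample fails validation and the hint reports that only the trailing slash differs; fixing the Relying Party Identifier on the IdP to the exact string (or, equivalently in this example, expecting the slashed form) makes `validate_audience` return `None`.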