SAML login fails with "Invalid issuer in the Assertion/Response"
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
After setting up SAML with Jira Data Center, the user is redirected to Jira but is not logged in.
The following appears in atlassian-jira.log:
2018-12-04 08:15:13,453 http-nio-8080-exec-12 ERROR anonymous 495x88791x1 14d0tmf 10.158.3.30,10.159.134.14 /plugins/servlet/samlconsumer [c.o.saml2.authn.SamlResponse] Invalid issuer in the Assertion/Response
2018-12-04 08:15:13,453 http-nio-8080-exec-12 ERROR anonymous 495x88791x1 14d0tmf 10.158.3.30,10.159.134.14 /plugins/servlet/samlconsumer [c.onelogin.saml2.Auth] processResponse error. invalid_response
2018-12-04 08:15:13,453 http-nio-8080-exec-12 ERROR anonymous 495x88791x1 14d0tmf 10.158.3.30,10.159.134.14 /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received invalid SAML response: Invalid issuer in the Assertion/Response
com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: Invalid issuer in the Assertion/Response
Diagnosis
Review the Single sign-on issuer (a.k.a. entity ID) in your SAML setup on the Jira side.
Run through How to view a SAML response in your browser for troubleshooting and review the Issuer in the SAML assertion.
Cause
The message "Invalid issuer in the Assertion/Response" suggests that the Issuer value in the SAML assertion does not match the entity ID configured in Jira.
The difference can be as simple as the protocol in the URL (https vs http).
Resolution
Make sure both the Single sign-on issuer in Jira and the Issuer set in the SAML assertion by the IdP are exactly the same. A trailing white space can result in an InvalidSamlResponse. There is a suggestion to strip trailing whitespace from the Single sign-on issuer field: JRASERVER-69492.
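The comparison described above can be scripted. The following is an added example, not Atlassian's code: it decodes a captured SAMLResponse value, lists every Issuer element, and reports whether a mismatch comes down to whitespace or the protocol. It assumes the value was captured from the HTTP-POST binding (base64, already URL-decoded); the function names, the sample response and the idp.example.com URL are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample response (not from a real IdP); real ones also carry signatures.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>http://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://idp.example.com/saml</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()


def extract_issuers(saml_response_b64):
    """Return the text of every saml:Issuer (Response and Assertion level)."""
    xml_bytes = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml_bytes:  # a SAML message never needs a DTD; refuse it
        raise ValueError("DOCTYPE not allowed in a SAML response")
    root = ET.fromstring(xml_bytes)
    return [el.text or "" for el in root.iter("{%s}Issuer" % SAML_NS)]


def explain_mismatch(configured, received):
    """Return None when the values are identical, else the kind of difference."""
    if configured == received:
        return None
    c, r = configured.strip(), received.strip()
    if c == r:
        return "leading or trailing whitespace"
    cu, ru = urlsplit(c), urlsplit(r)
    if cu.scheme != ru.scheme and cu._replace(scheme="") == ru._replace(scheme=""):
        return "protocol differs (%s configured, %s received)" % (cu.scheme, ru.scheme)
    return "different value"


def check_response(configured_issuer, saml_response_b64):
    """List (received_issuer, reason) for each Issuer that does not match exactly."""
    issuers = extract_issuers(saml_response_b64)
    return [(i, explain_mismatch(configured_issuer, i))
            for i in issuers if i != configured_issuer]


if __name__ == "__main__":
    # repr() makes stray whitespace visible in the output
    for issuer, reason in check_response("https://idp.example.com/saml", SAMPLE_B64):
        print("mismatch: %r -> %s" % (issuer, reason))
```

Pass the Single sign-on issuer exactly as it is stored in Jira, including any whitespace, so the comparison reflects what Jira checks.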