User login to Jira fails with "Claim [name] could not be found" error when JIT provisioning is enabled with OIDC
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
User login (for both existing and new users) fails with the "Claim [name] could not be found" error message when JIT provisioning is enabled.
Environment
All Jira versions
Jira authenticates users through an OIDC identity provider (IDP) (OpenID Connect for Atlassian Data Center applications).
Diagnosis
When "JIT Provisioning" is enabled, the IDP authenticates existing users at login. If the user is not yet known to Jira ("anonymous"), JIT provisioning creates the user in Jira with the group memberships configured for the IDP.
When "JIT Provisioning" is enabled, both existing and new (anonymous) users are unable to log in. The logs show the error below.
2024-05-15 06:35:44,839+0200 http-nio-8080-exec-5 url: /plugins/servlet/oidc/callback ERROR anonymous xxxxxxxx /plugins/servlet/oidc/callback [c.a.p.a.s.web.filter.ErrorHandlingFilter] [UUID: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx] Claim [name] could not be found com.atlassian.plugins.authentication.sso.web.usercontext.impl.jit.JitException: Claim [name] could not be found
This error occurs when the IDP does not return all the claims that Jira expects.
To see which claims the IDP returns, set the package com.atlassian.plugins.authentication.sso.web.usercontext.impl.jit.mapping to TRACE level. Change logging levels in Jira Server provides steps to add additional logging packages.
Once this package is set to TRACE, the logs record the claims returned by the IDP. In the log line below, the "name" claim is absent from the list returned by the IDP.
2024-05-17 12:19:45,956+0000 http-nio-8080-exec-4 url: /jira/plugins/servlet/oidc/callback TRACE anonymous 739x473x1 1qs3ijy 172.29.214.122,172.50.0.2 /plugins/servlet/oidc/callback [c.a.p.a.s.w.u.i.jit.mapping.OidcUserDataFromIdpMapper] Claims received in response for IdP: [at_hash, sub, aud, iss, groups, exp, nonce, iat, email]
Cause
As per the OIDC Specifications - ScopeClaims page, setting "JIT Scopes" to profile requests the name claim, which is the user's display name by default. The specification defines the scope as follows:
profile - OPTIONAL. This scope value requests access to the End-User's default profile Claims, which are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at.
If the profile parameter is not included in "JIT Scope", the IDP will not send the name claim, and authentication fails during login.
Adding profile to "JIT Scope" makes the IDP return the name claim that Jira expects. Once the expected claim is present in the response, authentication succeeds, as in the log line below.
2024-05-17 12:19:45,956+0000 http-nio-8080-exec-4 url: /jira/plugins/servlet/oidc/callback TRACE anonymous 739x473x1 1qs3ijy 172.29.214.122,172.50.0.2 /plugins/servlet/oidc/callback [c.a.p.a.s.w.u.i.jit.mapping.OidcUserDataFromIdpMapper] Claims received in response for IdP: [at_hash, sub, aud, name, iss, groups, exp, nonce, iat, email]
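The TRACE log lines above are the evidence to check before touching the JIT Scope setting. The following script is an added example (not part of this KB or of the Atlassian SSO plugin): it parses the "Claims received in response for IdP" lines, lists which expected claims are missing, and maps each missing claim to the standard OIDC scope that requests it, using the scope-to-claims table from OpenID Connect Core 1.0 section 5.4. The set of required claims (sub, name, email) is an assumption for a typical JIT mapping and should be adjusted to the mapping configured in your instance; the sample log lines are constructed, shortened versions of the ones shown in this article.

```python
import re
from typing import Dict, List, Optional, Set

# Scope -> claims table from OpenID Connect Core 1.0, section 5.4
# (Requesting Claims using Scope Values).
SCOPE_CLAIMS: Dict[str, Set[str]] = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Assumption: claims a typical Jira JIT mapping needs. 'sub' is the subject
# identifier, 'name' the display name, 'email' the e-mail address. Adjust to
# the mapping configured in Jira Administration > Authentication methods.
REQUIRED_CLAIMS: Set[str] = {"sub", "name", "email"}

# Matches the claim list logged by OidcUserDataFromIdpMapper at TRACE level.
CLAIMS_RE = re.compile(r"Claims received in response for IdP: \[([^\]]*)\]")

# Constructed sample: a failing login (no 'name') followed by a successful one.
SAMPLE_LOG: List[str] = [
    "2024-05-17 12:19:45,956+0000 http-nio-8080-exec-4 TRACE anonymous "
    "[c.a.p.a.s.w.u.i.jit.mapping.OidcUserDataFromIdpMapper] "
    "Claims received in response for IdP: [at_hash, sub, aud, iss, groups, exp, nonce, iat, email]",
    "2024-05-17 12:21:02,110+0000 http-nio-8080-exec-7 ERROR anonymous "
    "[c.a.p.a.s.web.filter.ErrorHandlingFilter] Claim [name] could not be found",
    "2024-05-17 12:25:11,402+0000 http-nio-8080-exec-4 TRACE anonymous "
    "[c.a.p.a.s.w.u.i.jit.mapping.OidcUserDataFromIdpMapper] "
    "Claims received in response for IdP: [at_hash, sub, aud, name, iss, groups, exp, nonce, iat, email]",
]


def parse_claims(log_line: str) -> Optional[List[str]]:
    """Return the claim names from a TRACE mapper line, or None for other lines."""
    match = CLAIMS_RE.search(log_line)
    if match is None:
        return None
    return [c.strip() for c in match.group(1).split(",") if c.strip()]


def missing_claims(claims: List[str], required: Set[str] = REQUIRED_CLAIMS) -> Set[str]:
    """Claims Jira expects that the IDP did not include in its response."""
    return set(required) - set(claims)


def scopes_for_claims(missing: Set[str]) -> Dict[str, Optional[str]]:
    """Map each missing claim to the standard scope that requests it.

    None means no standard scope carries the claim ('sub' is always in the
    ID token, so its absence points at the IDP rather than at the scopes).
    """
    result: Dict[str, Optional[str]] = {}
    for claim in missing:
        result[claim] = next(
            (scope for scope, claims in SCOPE_CLAIMS.items() if claim in claims), None
        )
    return result


def analyse_log(lines: List[str]) -> List[Dict[str, object]]:
    """One report per claim-list line: received claims, missing ones, and scopes to add."""
    reports: List[Dict[str, object]] = []
    for line in lines:
        claims = parse_claims(line)
        if claims is None:
            continue  # not a mapper TRACE line (e.g. the ERROR line itself)
        missing = missing_claims(claims)
        reports.append({
            "claims": claims,
            "missing": sorted(missing),
            "scopes": scopes_for_claims(missing),
        })
    return reports


if __name__ == "__main__":
    for i, report in enumerate(analyse_log(SAMPLE_LOG), start=1):
        if report["missing"]:
            print(f"response {i}: missing {report['missing']}, add scope(s) "
                  f"{sorted({s for s in report['scopes'].values() if s})} to JIT Scope")
        else:
            print(f"response {i}: all expected claims present")
```

Run it against the Jira log after enabling TRACE on the mapping package; for the first sample response it reports that name is missing and that the profile scope supplies it, which is exactly the change the Solution section makes.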
Solution
Go to Jira Administration > System > Authentication methods > OIDC related SSO > Edit > JIT Scope and add profile. Save the changes.