Users can't login using SSO after Atlassian SSO plugin upgrade
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
After manually updating Atlassian's SSO for Atlassian Server and Data Center plugin to version 4.0+, or upgrading Jira from version 8.6.x/earlier, to 8.7+, users are no longer able to log in using SAML/OIDC, and the following errors can be found on the atlassian-jira.log:
1
2
2021-05-13 11:30:54,145-0400 https-jsse-nio-8443-exec-18 ERROR anonymous 690x11x1 xxxxxxx xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received SSO request for user xxxxxx, but the user does not exist
com.atlassian.plugins.authentication.impl.web.usercontext.AuthenticationFailedException: Received SSO request for user xxxxxx, but the user does not exist1
2
2020-07-20 15:53:01,400+0000 http-nio-8080-exec-117 ERROR anonymous 953x39481x1 xxxxxxx .xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx /plugins/servlet/oidc/callback [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received SSO request for user preferred_username, but the user does not exist
com.atlassian.plugins.authentication.impl.web.usercontext.AuthenticationFailedException: Received SSO request for user preferred_username, but the user does not existEnvironment
Atlassian's SSO for Atlassian Server and Data Center plugin version 4.0.0+.
Jira 8.7+, which bundles the above by default.
Cause
Version 4.0.0 of the Atlassian SSO for Atlassian Server and Data Center plugin, introduced the option to specify a custom username attribute, (version 4.1.0 further built upon it, by adding mapping expressions to the username attribute), which allowed for more flexibility when using Jira with SAML/OIDC.
Incorrect mapping
As a result of this change, in cases where the selected attribute from the IdP is not in the same format as the existing Jira usernames (for example 'jdoe' in Jira vs 'jdoe@company.com' on the IdP), the login process will fail, due to Jira not recognizing the username provided by the IdP as a valid user.
Static username
Similarly, if you are on version 4.1.0+, and you are not using the proper mapping expression syntax '${attribute_name}', Jira will try to use the literal name of the field as seen in the second message example, where 'preferred_username' was being used by Jira as a static username for all users, rather than the value stored by the 'preferred_username' attribute on the IdP side.
Diagnosis
Verify which are the usernames being registered on the "Received SSO request for user xxxxxx, but the user does not exist" entries in the atlassian-jira.log.
If the value added to the logs, is static (ie. the same username, possibly an attribute name, is being used for the login attempts from different users).
The format of the usernames printed in the logs is different from the ones stored on the user_name column of the cwd_user table in the Jira database (ex: email vs user id).
You can proceed with the Solution steps.
Solution
In order to resolve this problem with the Single Sign On login, we need to ensure that the SSO settings have the proper attribute mapped for the Username mapping so that Jira can request the correct Username from the IdP.
Updating the settings through the UI
Go to
> System > SSO 2.0 Authentication (or Authentication methods if you have version 4.2.0+ installed).
Locate the Username mapping attribute.
Check on the IdP side what is the name of the attribute that matches the format expected by Jira to be the user_name information.
ℹ️ You can double-check the format expected by Jira, with the values stored on the user_namecolumn of the cwd_usertable.
Update the Username mapping field to the correct attribute using the appropriate format depending on the version of the plugin:
If you have version 4.0.x installed - Use the literal name of the attribute. Example:NameID or preferred_username
If you have version 4.1.0+ installed - Use the mapping expression around the attribute. Example: ${NameID} or ${preferred_username}
Save the changes, and test the login.
Updating the settings through the database
This option should only be used as a last resort.
If you don't have access to the UI to perform the steps from the above alternative, you may want to first try Bypass SAML authentication for Jira Data Center.
⚠️ Before proceeding any further, we strongly recommend that you create a native database backup, in case the changes need to be rolled back.
Stop Jira on all of the nodes.
Identify the current configuration and property ID with the SQL below:
1 2 3 4SELECT propertyentry.id, propertyentry.property_key, propertystring.propertyvalue FROM propertyentry JOIN propertystring ON propertyentry.id=propertystring.id WHERE property_key = 'com.atlassian.plugins.authentication.sso.config.username-attribute';Check on the IdP side what is the name of the attribute that matches the format expected by Jira to be the user_name information.
ℹ️ You can double-check the format expected by Jira, with the values stored on the user_namecolumn of the cwd_usertable.
With the ID and attribute name at hand, you can update the setting directly on the database with the following update statement using the appropriate format depending on the version of the plugin:
If you have version 4.0.x installed - Use the literal name of the attribute. Example:NameID or preferred_username
1UPDATE propertystring SET propertyvalue = 'IdP_Username_attribute' WHERE id = 'id_from_step_2';If you have version 4.1.0+ installed - Use the mapping expression around the attribute. Example: ${NameID} or ${preferred_username}
1UPDATE propertystring SET propertyvalue = '${IdP_Username_attribute}' WHERE id = 'id_from_step_2';
Commit the changes if necessary.
Start one of the Jira nodes and test the SSO settings.
If everything is working well, bring up the remaining nodes.
Was this helpful?