Users not able to login after enabling SSO in Jira Data Center
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
After enabling SSO in Jira, users cannot log in and see only a very generic error.
This is commonly observed after restoring a production database into a dev environment.
Diagnosis
In the atlassian-jira.log, you will see something like this:
http-nio-8080-exec-24 ERROR anonymous 1025x2960x1 1av 10.13.5.23,10.151.15.252 /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received invalid SAML response: The response was received at https://dev-atlassian.com:8080/plugins/servlet/samlconsumer instead of https://dev-atlassian.com/plugins/servlet/samlconsumer
com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: The response was received at https://dev-atlassian.com:8080/plugins/servlet/samlconsumer instead of https://dev-atlassian.com/plugins/servlet/samlconsumer
at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:91)
at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48)
at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.extractSamlResponse(OneloginJavaSamlProvider.java:82)
at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:94)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:652)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
at com.atlassian.plugin.servlet.DelegatingPluginServlet.service(DelegatingPluginServlet.java:37)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
at com.atlassian.plugin.servlet.ServletModuleContainerServlet.service(ServletModuleContainerServlet.java:47)
This error tells us the request came from Jira with this URL: "https://dev-atlassian.com:8080/plugins/servlet/samlconsumer" instead of the expected one: "https://dev-atlassian.com/plugins/servlet/samlconsumer".
⚠️ Note port 8080 after the Jira hostname in the URL.
Cause
There is a mismatch between the URL in the request and the one expected by Jira and the Identity Provider.
Look at the server.xml file to see how the connectors are configured:
<Connector acceptCount="100" bindOnInit="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150"
minSpareThreads="25" port="8080" proxyName="dev-atlassian.com" proxyPort="8080" scheme="https" secure="true"
protocol="HTTP/1.1" redirectPort="8443"
relaxedPathChars="[]|"
relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;" useBodyEncodingForURI="true"
/>
The port 8080 in the URL comes from the "proxyPort" attribute in server.xml; it should be "443".
The Jira base URL also needs to match the "proxyName", so in total it should read: <jira.baseurl>https://dev-atlassian.com</jira.baseurl>.
Solution
Either:
Change the configuration in the SSO to match a valid application in the IdP, following SAML SSO for Jira Data Center applications.
Or change the base URL so it is consistent with the URL configured in the IdP.
ℹ️ If you're unable to log into Jira, see Bypass SAML authentication for Jira Data Center.
In our example:
Stop Jira.
Change the "proxyPort" from 8080 to 443 in the server.xml file.
Restart Jira.
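The mismatch diagnosed above can be checked before restarting Jira. The Python sketch below is an added example, not Atlassian's code: it reads the Connector elements from server.xml, builds the URL Tomcat reports to Jira from scheme, proxyName and proxyPort, and compares it with the ACS URL registered in the IdP. The sample XML is a constructed, trimmed copy of the connector shown on this page; the function names are hypothetical, and falling back to the connector port when proxyPort is absent is a simplifying assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}
ACS_PATH = "/plugins/servlet/samlconsumer"  # path taken from the log on this page

# Constructed sample: trimmed copy of the connector shown on this page.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" proxyName="dev-atlassian.com" proxyPort="8080"
             scheme="https" secure="true" protocol="HTTP/1.1"
             relaxedPathChars="[]|"
             relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"/>
</Service></Server>"""


def normalize(url):
    """Return (scheme, host, port) with the scheme's default port made explicit."""
    parts = urlsplit(url)
    port = str(parts.port) if parts.port else DEFAULT_PORTS[parts.scheme]
    return parts.scheme, parts.hostname.lower(), port


def connector_urls(server_xml):
    """Base URL each proxied connector makes Tomcat report to Jira."""
    urls = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("proxyName"):
            continue  # connector is not configured for a reverse proxy
        scheme = conn.get("scheme", "http")
        # Assumption: use the connector port when proxyPort is not set.
        port = conn.get("proxyPort") or conn.get("port")
        suffix = "" if port == DEFAULT_PORTS.get(scheme) else ":" + port
        urls.append(f"{scheme}://{conn.get('proxyName')}{suffix}")
    return urls


def check(server_xml, idp_acs_url):
    """Return [(connector_url, matches)] against the ACS URL set in the IdP."""
    expected = normalize(idp_acs_url)
    return [(u, normalize(u) == expected) for u in connector_urls(server_xml)]


if __name__ == "__main__":
    acs = "https://dev-atlassian.com" + ACS_PATH
    for url, ok in check(SAMPLE_SERVER_XML, acs):
        print("OK      " if ok else "MISMATCH", url + ACS_PATH)
```

Run it against the real file by passing the contents of server.xml and the ACS URL configured in the IdP to check(); any MISMATCH line corresponds to the "received at ... instead of ..." error in atlassian-jira.log.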