Users unable to access Jira after enabling SSO
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product; however, they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
After enabling SSO on Jira, users cannot login anymore.
Diagnosis
Errors with the following pattern appear in the atlassian-jira.log files:
AuthenticationFailedException: Received SAML assertion for user XXX, but the user doesn't exist in the product
Run the following SQL query against the database connected to Jira to check whether the user named in the error exists:
SELECT * FROM cwd_user
WHERE user_name = '<usernamefromerror>'
⚠️ Please replace <usernamefromerror> with the username that appears in the exception above.
Cause 1
The expected user does not exist on Jira.
Resolution 1
Make sure that every user who needs to log in via SSO exists in Jira. If there are many users to create, you can use the experimental POST /rest/api/2/user API call to bulk create them.
Cause 2
The user exists in Jira, but the username does not follow the format the IdP sends (e.g. Jira contains the user jdoe, but the IdP expects jdoe@company.com).
Resolution 2
Correct the username so that it matches what Jira expects. Typically this should be fixed on the IdP's side, by making the IdP return the expected user name as the NameId.
One of the approaches below can be followed in this case:
Manually rename the username in Jira's UI
Use the experimental PUT /rest/api/2/user API call to bulk rename users on Jira
Change the username attribute at the IdP's side, if possible
⚠️ The solution below involves the use of a third-party script and is therefore not officially supported by Atlassian. It was written by one of our customers, who proactively shared their solution to this problem with us. To make sure it works in your Jira environment, check whether the code needs any changes on your side, and test it in a staging environment first.
Use the following script, mentioned in the warning above, which updates Jira usernames to match the users' e-mail addresses. This solution applies when the IdP expects an e-mail address instead of a regular username.
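As an added example (not the customer script referred to above, and not Atlassian code), the following Python sketch illustrates the rename approach from Resolution 2: it takes rows from the cwd_user query, works out which usernames differ from the user's e-mail address, skips renames that would collide with an existing account, and issues each rename through the experimental PUT /rest/api/2/user resource named in the article. The base URL, the admin credentials and the sample rows are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

JIRA_URL = "https://jira.example.com"   # placeholder base URL (assumption)
# Constructed sample rows, as `SELECT user_name, email_address FROM cwd_user` might return them.
SAMPLE_ROWS = [
    ("jdoe", "jdoe@company.com"),                  # needs renaming
    ("asmith@company.com", "asmith@company.com"),  # already in the IdP's format
    ("bob", "bob@company.com"),                    # needs renaming
    ("bob2", "bob@company.com"),                   # same address: would collide once bob is renamed
    ("svc-build", None),                           # no address on record: nothing to derive
]

def plan_renames(rows):
    """Return (renames, skipped): renames as (old, new) pairs, skipped as (user, reason)."""
    taken = {user.lower() for user, _ in rows}      # every username currently in cwd_user
    renames, skipped = [], []
    for user, email in rows:
        if not email:
            skipped.append((user, "no e-mail address"))
            continue
        target = email.strip().lower()              # Jira stores usernames lowercased
        if user.lower() == target:
            continue                                # already matches what the IdP sends
        if target in taken:
            skipped.append((user, f"{target} already in use"))
            continue
        renames.append((user, target))
        taken.add(target)                           # reserve it for the collision check
    return renames, skipped

def rename_user(old_name, new_name, admin_user, admin_password, dry_run=True):
    """Rename one account via PUT /rest/api/2/user?username=<old> with body {"name": <new>}."""
    url = f"{JIRA_URL}/rest/api/2/user?username={urllib.parse.quote(old_name)}"
    if dry_run:
        return f"PUT {url} {{'name': '{new_name}'}}"  # review the plan before changing anything
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps({"name": new_name}).encode(), method="PUT",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":
    renames, skipped = plan_renames(SAMPLE_ROWS)
    for old, new in renames:
        print(rename_user(old, new, "admin", "<password>", dry_run=True))
```

Renames only succeed for directories Jira can write to, and the dry-run output lets you review the full plan, including the skipped accounts, before anything is changed.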