User unable to log in after enabling SAML Single Sign On for JIRA

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

After enabling SAML Single Sign-On (SSO) for JIRA, a user is unable to log in. One of the following errors appears in atlassian-jira.log:

AuthenticationFailedException: Received SAML assertion for user XXX, but the user doesn't exist in the product
com.atlassian.plugins.authentication.impl.web.usercontext.AuthenticationFailedException: Received SSO request for user XXXX, but the user does not exist


Diagnosis

Diagnostic Steps

    • Make sure that the user has been synchronized. It is advisable that a synchronized directory be used for SAML users.
    • Make sure that the NameID attribute matches what the application expects. For example, this error can occur if the IdP returns an email address as the username, but the application uses regular usernames. The username/NameID attribute as read by the identity provider must match Directory > Configuration > User name attribute as configured in JIRA.
    • Check for leading/trailing whitespace in the username. Due to a bug in JIRA (JRASERVER-37508), usernames can be unintentionally created with whitespace in the username.
    • Check for leading/trailing whitespace in the SSO configuration screen.

Run the following SQL query to check the user's username in JIRA's database: 

SELECT * FROM cwd_user 
WHERE user_name = '<usernamefromerror>';

Note: Replace <usernamefromerror> with the username reported in the error.
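An exact-match lookup can return no rows when the stored username is padded with whitespace or when the IdP sends the email address. The following broader, read-only query is an added example and is not part of the original article; it assumes PostgreSQL and JIRA's standard cwd_user and cwd_directory tables, and the "finding" labels are illustrative.

```sql
-- Added diagnostic example (assumptions: PostgreSQL, standard JIRA schema).
-- Replace <usernamefromerror> with the username reported in the error.
-- Read-only: lists every directory entry that could correspond to the NameID
-- and explains why an exact username comparison may have failed.
SELECT u.id,
       d.directory_name,
       d.directory_position,
       u.user_name,
       LENGTH(u.user_name) AS stored_length,   -- longer than it looks => padding
       u.email_address,
       u.active,                               -- inactive users cannot log in
       CASE
           WHEN u.user_name = '<usernamefromerror>'
               THEN 'exact match: check active flag, directory and login permission'
           WHEN LENGTH(u.user_name) <> LENGTH(TRIM(u.user_name))
               THEN 'stored username has leading/trailing spaces'
           WHEN LOWER(TRIM(u.user_name)) = LOWER(TRIM('<usernamefromerror>'))
               THEN 'differs only by case or by spaces in the supplied value'
           ELSE 'NameID matches the email address, not the username'
       END AS finding
FROM cwd_user u
JOIN cwd_directory d ON d.id = u.directory_id
WHERE LOWER(TRIM(u.user_name))     = LOWER(TRIM('<usernamefromerror>'))
   OR LOWER(TRIM(u.email_address)) = LOWER(TRIM('<usernamefromerror>'))
ORDER BY d.directory_position, u.user_name;
```

TRIM() here removes spaces only; no rows at all means the user has not been synchronized into any directory under that username or email address.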

Cause

The user does not have permission to log in to JIRA, or the username sent by the IdP does not match the username in JIRA.

Resolution

Correct the username so that it matches what JIRA expects. Typically this should be fixed on the IdP's side, by making the IdP return the expected username as the NameID.


Last modified on Jun 18, 2021
