SAML SSO authentication fails in Bamboo and redirects to the login page
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Users are redirected to the login page in spite of logging in with the correct credentials while using IdP. SAML SSO authentication method stops working.
Environment
Bamboo Data Center version 8.1 or higher connected to Atlassian Crowd for user and group management:
Diagnosis
You may come across an issue while trying to log in to Bamboo when you have configured SAML SSO configuration that it redirects to the login page again.
- Check if you enabled the com.atlassian.crowd.integration.seraph.v25.BambooAuthenticator tag inside <bamboo-install>/atlassian-bamboo/WEB-INF/classes/seraph-config.xml while enabling SSO as mentioned here.
- Also, check if you have correctly configured the SAML SSO in Bamboo as per SAML single sign-on for Atlassian Data Center applications.
- If both of the above are configured, you try to login into the Bamboo UI and it redirects to the login page, then check if you see the below message in the
atlassian-bamboo.logfile:
2023-09-23 04:45:23,119 INFO [http-nio-8085-exec-5 url: /bamboo/plugins/servlet/external-login/1] [AbstractAuthenticationHandler] User is already logged in. Looks like permissions violation. Force re-authentication in IDP
2023-09-23 04:45:25,189 INFO [http-nio-8085-exec-11 url: /bamboo/plugins/servlet/external-login/1] [AbstractAuthenticationHandler] User is already logged in. Looks like permissions violation. Force re-authentication in IDP
2023-09-23 04:45:52,320 INFO [http-nio-8085-exec-2 url: /bamboo/plugins/servlet/external-login/1] [AbstractAuthenticationHandler] User is already logged in. Looks like permissions violation. Force re-authentication in IDP
2023-09-23 04:28:21,267 INFO [http-nio-8085-exec-11 url: /bamboo/plugins/servlet/external-login/1] [AbstractAuthenticationHandler] User is already logged in. Looks like permissions violation. Force re-authentication in IDP
Cause
This is caused by the fact that when Bamboo is connected to an IdP and the com.atlassian.crowd.integration.seraph.v25.BambooAuthenticator is enabled inside <bamboo-install>/atlassian-bamboo/WEB-INF/classes/seraph-config.xml, there is a race condition, where Bamboo is getting authenticated two times, once from IDP and next from Crowd and because of this we get this error: User is already logged in. Looks like permissions violation. Force re-authentication in IDP.
Solution
You can follow the below steps to resolve this issue:
- Edit the <bamboo-install>/atlassian-bamboo/WEB-INF/classes/seraph-config.xml file by uncommenting the Bamboo authenticator and commenting out the Crowd authenticator.
The configuration should be like the below post editing the file:
<authenticator class="com.atlassian.bamboo.user.authentication.BambooAuthenticator"/> ... <!-- <authenticator class="com.atlassian.crowd.integration.seraph.v25.BambooAuthenticator"/> -->- Once the above changes are done, restart Bamboo for the changes to take effect.