SAML SSO authentication fails in Bamboo when user is not allowed to authenticate to the application in Crowd
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Users are unable to authenticate against Bamboo using its built-in SAML SSO feature with the following error message in the <bamboo-home>/logs/atlassian-bamboo.log file:
2022-02-25 10:16:04,539 ERROR [http-nio-8085-exec-22] [ErrorHandlingFilter] [UUID: 399c8d80-4ff1-4649-a196-9694d2a48cae] Error authenticating user
com.atlassian.plugins.authentication.sso.web.usercontext.AuthenticationFailedException: Error authenticating user
at com.atlassian.plugins.authentication.sso.web.usercontext.impl.embeddedcrowd.EmbeddedCrowdPrincipalResolver.resolvePrincipal(EmbeddedCrowdPrincipalResolver.java:55)
at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:109)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:681)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
at com.atlassian.plugin.servlet.DelegatingPluginServlet.service(DelegatingPluginServlet.java:37)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
...
Caused by: com.atlassian.crowd.exception.runtime.OperationFailedException: Error from Crowd server propagated to here via REST API (check the Crowd server logs for details): User is not allowed to authenticate with the application
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.userAuthenticated(CrowdServiceImpl.java:113)
...
Caused by: com.atlassian.crowd.integration.rest.service.CrowdRestException: User is not allowed to authenticate with the application
at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.throwError(RestExecutor.java:549)
at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.andReceive(RestExecutor.java:373)
at com.atlassian.crowd.integration.rest.service.RestCrowdClient.userAuthenticated(RestCrowdClient.java:155)
at com.atlassian.crowd.directory.RemoteCrowdDirectory.userAuthenticated(RemoteCrowdDirectory.java:833)
at com.atlassian.crowd.directory.RemoteDirectory.userAuthenticated(RemoteDirectory.java:590)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.userAuthenticated(DbCachingRemoteDirectory.java:317)
at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.userAuthenticated(DirectoryManagerGeneric.java:310)
...
Environment
- Bamboo Data Center version 8.1 or higher connected to Atlassian Crowd for user and group management.
Diagnosis
- Check what groups have been granted access to authenticate against your Bamboo application inside Crowd under Applications > $application_name > Directories & groups.
- If there are no groups listed and the option "Allow all users from this directory to authenticate" has not been checked, no users from that directory will be able to log in to Bamboo.
- If there are groups listed there, check whether the user(s) having trouble logging in to Bamboo through SAML SSO belong to any of them. Users who get the error above when trying to log in most likely do not belong to any of the groups listed on that page.
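Before walking through the Crowd pages above, it helps to know which SSO attempts in atlassian-bamboo.log actually failed for this reason. The following Python example is added here and is not part of the original article; it assumes the default Bamboo log layout shown in the Summary and runs on a constructed log sample, pairing each "Error authenticating user" event with its innermost "Caused by:" line and flagging the ones Crowd rejected for application access.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# First line of a Bamboo log event, e.g.
# "2022-02-25 10:16:04,539 ERROR [http-nio-8085-exec-22] [ErrorHandlingFilter] [UUID: ...] Error authenticating user"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) "
    r"\[(?P<thread>[^\]]+)\] \[(?P<logger>[^\]]+)\] (?:\[UUID: (?P<uuid>[0-9a-f-]+)\] )?(?P<msg>.*)$"
)
CAUSED_BY_RE = re.compile(r"^Caused by: (?P<cls>[\w.$]+): (?P<msg>.*)$")
CROWD_DENIED = "User is not allowed to authenticate with the application"

@dataclass
class SsoFailure:
    timestamp: str
    uuid: Optional[str]             # Bamboo's per-request UUID, if logged
    root_cause: str                 # innermost "Caused by:" message
    crowd_app_access_denied: bool   # True when Crowd refused application access

def parse_sso_failures(log_text: str) -> List[SsoFailure]:
    """Attach each 'Caused by:' line to the preceding ERROR event and return the
    'Error authenticating user' events, flagging those Crowd rejected for app access."""
    failures, current = [], None
    def flush():
        if current and current["msg"].startswith("Error authenticating user"):
            root = current["causes"][-1] if current["causes"] else current["msg"]
            failures.append(SsoFailure(current["ts"], current["uuid"], root, CROWD_DENIED in root))
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m:                       # a new event starts: finish the previous one
            flush()
            current = {**m.groupdict(), "causes": []}
            continue
        c = CAUSED_BY_RE.match(line.strip())
        if c and current is not None:
            current["causes"].append(c.group("msg"))
    flush()
    return failures

# Constructed sample: the article's failure trace (shortened) plus a second, unrelated SSO failure.
SAMPLE_LOG = """\
2022-02-25 10:16:04,539 ERROR [http-nio-8085-exec-22] [ErrorHandlingFilter] [UUID: 399c8d80-4ff1-4649-a196-9694d2a48cae] Error authenticating user
com.atlassian.plugins.authentication.sso.web.usercontext.AuthenticationFailedException: Error authenticating user
Caused by: com.atlassian.crowd.exception.runtime.OperationFailedException: Error from Crowd server propagated to here via REST API (check the Crowd server logs for details): User is not allowed to authenticate with the application
Caused by: com.atlassian.crowd.integration.rest.service.CrowdRestException: User is not allowed to authenticate with the application
2022-02-25 10:17:10,002 ERROR [http-nio-8085-exec-23] [ErrorHandlingFilter] [UUID: 00000000-0000-0000-0000-000000000001] Error authenticating user
Caused by: java.lang.IllegalStateException: constructed unrelated cause
"""
```

Run it against the real file with `parse_sso_failures(open("<bamboo-home>/logs/atlassian-bamboo.log").read())`; the flagged UUIDs can then be matched against the user's browser session or access log to identify who needs to be added to an allowed group in Crowd.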
Cause
The users attempting to log in to Bamboo via SAML SSO have not been granted permission to authenticate against the Bamboo application inside Crowd, which is configured on the Applications > $application_name > Directories & groups page.
This can happen even if the users belong to a group, or have been granted access directly, on the Bamboo administration > Overview > Security > Global permissions page. Bamboo's global permissions do not control authentication: which groups may authenticate against a given application is decided by the Applications > $application_name > Directories & groups page inside Crowd. Users must belong to at least one of the groups granted access to the Bamboo application inside Crowd before they can log in to Bamboo.
Solution
There are a few different ways to solve this problem; choose whichever of the following fits your needs.
All of the following actions are performed inside Crowd, not Bamboo.
- Add users that should have access to Bamboo to any of the groups that have been granted access to authenticate against Bamboo inside Applications > $application_name > Directories & groups > $directory_name > Actions > Configure authentication.
- Add a new group to Applications > $application_name > Directories & groups > $directory_name > Actions > Configure authentication that contains the users that you want to give access to Bamboo.
- If you wish to allow all users from a certain directory to authenticate against Bamboo check the option "Allow all users from this directory to authenticate" from Applications > $application_name > Directories & groups > $directory_name > Actions > Configure authentication.