The Assertion of the Response is not signed and the SP requires it

Related content

  • No related content found

Still need help?

The Atlassian Community is here for you.

Ask the community


Problem

When logging in with SAML for Data Center you can't authenticate and receive the following error in the atlassian-bitbucket.log

2017-09-21 12:26:11,880 ERROR [http-nio-7990-exec-2] @1MAHJEQx746x27x0 16nwgem 172.18.0.1,172.18.0.3 "POST /plugins/servlet/samlconsumer HTTP/1.1" c.a.p.a.i.w.f.ErrorHandlingFilter Received invalid SAML response: The Assertion of the Response is not signed and the SP requires it
com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: The Assertion of the Response is not signed and the SP requires it
	at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:89)
	at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48)
	at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.extractSamlResponse(OneloginJavaSamlProvider.java:80)
	at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:87)
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
	at com.atlassian.analytics.client.filter.UniversalAnalyticsFilter.doFilter(UniversalAnalyticsFilter.java:92)
	at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:39)
	at com.atlassian.plugins.authentication.impl.web.filter.ErrorHandlingFilter.doFilter(ErrorHandlingFilter.java:8
(truncated)


Cause

  1. The IDP signs the Response only, but not the Assertion. Currently Bitbucket requires the Assertion to be signed, so once the issuer check passes, the authentication fails with an error: "The Assertion of the Response is not signed and the SP requires it". 
  2. Trailing whitespace characters for com.atlassian.plugins.authentication.samlconfig.sso-issuer and com.atlassian.plugins.authentication.samlconfig.sso-url.  

Resolution

  1. Configure the SAML identity provider to provide a signed Assertion.There should be a drop down option similar to the below:
  2. Remove any white spaces in Bitbucket's SAML configuration. 

 

Last modified on Nov 10, 2017

Was this helpful?

Yes
No
Provide feedback about this article

Related content

  • No related content found
Powered by Confluence and Scroll Viewport.