Confluence SAML authentication fails with Received SSO request for user, but the user does not exist in Confluence Data Center

Still need help?

The Atlassian Community is here for you.

Ask the community


Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.

Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When trying to authenticate a user using SSO SAML integration for Confluence Data Center with IDP fails with the below error :

in the logs(atlassian-confluence.log), We see the below errors:

2021-08-18 13:11:18,299 ERROR [http-nio-7990-exec-1] @VS5T83x791x77x0 X.X.X.X,127.0.0.1 "POST /plugins/servlet/samlconsumer HTTP/1.0" c.a.p.a.i.w.f.ErrorHandlingFilter [UUID: f0914a17-cdca-45ba-91fc-6abe459a6eab] Received SSO request for user <username or email>, but the user does not exist
com.atlassian.plugins.authentication.impl.web.usercontext.AuthenticationFailedException: Received SSO request for user <username or email>, but the user does not exist
at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.lambda$doPost$2(SamlConsumerServlet.java:112)

Environment

Confluence Data Center 

SSO SAML Integration with IDP (Google IDP, Azure AD etc.,)

Diagnosis

  1. Verify if Username Mapping is correctly set to ${NameID} in SAML configuration Confluence. You can refer to Error 500 and null pointer on a try to login with SAML connector for Bitbucket Data Center for more details on username mapping parameter. 

  2. Verify the SAML responses from your Browser by following the steps documented in How to view SAML responses in your browser for troubleshooting. You will see a similar SAML assertion response from your IDP for NameID 

    <saml2:Subject>
                <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@mydomain.com></saml2:NameID>
                <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="ONELOGIN_f47f48d6-351b-4eaf-bc34-f43d55f656c0"
                    NotOnOrAfter="2021-09-01T10:43:46.713Z"
                    Recipient="https://<baseurl>/plugins/servlet/samlconsumer"/></saml2:SubjectConfirmation>
            </saml2:Subject>

    (info) In this case, email id <user@mydomain.com> is sent in SAML response to Confluence. Confluence looks for <user@mydomain.com> as the username to process authentication requests.

  3. Get the user id from the Name ID format of the SAML response and verify if Confluence contains the user with a username matching the Name ID field.

Cause


Confluence performs certain validations to verify if the user specified against NameID from SAML response exists in Confluence matching username. Suppose the NameID field from the SAML response returns <Email ID> and the username for the user in Confluence is set to <firstnamelastname> (for example) and not Email ID. In that case, there is a mismatch of usernames causing the issue.

Solution

Make sure the username matches the NameID format in Confluence for SAML authentication to be successful. This can be configured in the IDP SAML configuration to send a username (instead of an email address) in response to Confluence. If the IDP doesn't support configuring usernames, the next alternative is to change the usernames in Confluence. 

As an example, to configure source attribute in IDP SSO SAML configuration for Azure AD

  1. Login to the Azure portal and navigate to application SSO configuration ( Enterprise Applications → Your application → Set up single sign-on)
  2. Navigate to Attributes & Claims and click Edit
  3. Click on Unique User Identifier (Name ID). 
  4. Edit Unique User Identifier (Name ID) Value 

    By default, the source attribute is set to user.userprincipalname attribute. This is the Email ID attribute in Azure AD. Azure AD sends the user's email ID as a NameID identifier in SAML response to Confluence. 

    Prior selecting user.userprincipalname as the Source Attribute, please make sure that the values of this field match the usernames in Confluence. Otherwise, select some other attribute i.e. user.onpremisessamaccountname

  5. To change the source attribute from EMail ID to username, set the Source attribute to user.displayname. This sends the username as a NameID identifier in SAML response to Confluence.

(info) Please note that the navigation steps may differ in other IDPs, but the attributes can be changed under Attributes, Claims. If there is no option to set the attribute, the changes will be made in Confluence to match the username.

(info) Additionally, if you are working with JIT provisioning and groups are used, you will have to make sure the specific group in Confluence has, at least, Confluence 'can use' permission

Last modified on Oct 30, 2024

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.