Users unable to access Jira after enabling SSO

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

After enabling SSO on Jira, users can no longer log in.

Diagnosis

  • Errors with the following pattern appear in the atlassian-jira.log files:
AuthenticationFailedException: Received SAML assertion for user XXX, but the user doesn't exist in the product
  • Running the following SQL query against the database connected to Jira returns no row (Cause 1) or a row whose user_name differs from the username in the error (Cause 2):
SELECT * FROM cwd_user
WHERE user_name = '<usernamefromerror>'

Warning: Replace <usernamefromerror> with the username that appears in the exception above.

Cause 1

The expected user does not exist on Jira.

Resolution 1

Every user must exist in Jira before they can log in using SSO. If there are many users to be created, you can use the experimental POST /rest/api/2/user API call to bulk create users on Jira.

Cause 2

The user exists on Jira, but the username does not follow the format expected by the IdP (e.g. Jira contains the user jdoe, but the IdP sends jdoe@company.com).

Resolution

Correct the username so it matches what Jira expects. Typically this should be fixed on the IdP's side, making the IdP return the expected username as the NameID.

Resolution 2

One of the approaches below can be followed in this case:

  • Manually rename the username in Jira's UI
  • Use the experimental PUT /rest/api/2/user API call to bulk rename users on Jira
  • Change the username attribute at the IdP's side, if possible

Warning: The solution below involves the use of a third-party script, therefore it is not officially supported by Atlassian. It was designed by one of our customers, who proactively shared their own solution for this problem with us. To make sure that it works in your Jira environment, check whether the code needs any changes on your side, and test it in a staging environment first.

  • Use the following script mentioned in the warning above, which is designed to update Jira usernames to match the users' e-mail addresses. This solution can be used if the IdP sends a mail address instead of a regular username.
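As an added example (this is not the customer script referred to above, nor Atlassian code), the following Python script ties the Diagnosis and both Resolutions together: it pulls the rejected NameIDs out of constructed log lines that follow the error pattern above, checks each one against a constructed stand-in for the rows the cwd_user query returns, sorts them into Cause 1 or Cause 2, and builds a description of the POST or PUT /rest/api/2/user call that would fix each one. It sends nothing; the body fields assumed for those calls (name, emailAddress, displayName) and the placeholder e-mail domain are assumptions to verify against the REST documentation for your Jira version.

```python
import re
from typing import Dict, List, Optional

# Pattern of the log line quoted in the Diagnosis section.
ASSERTION_ERROR = re.compile(
    r"AuthenticationFailedException: Received SAML assertion for user (?P<user>[^\s,]+), "
    r"but the user doesn't exist in the product"
)

# Constructed sample lines standing in for atlassian-jira.log (not real log output).
SAMPLE_LOG = """\
2021-04-23 10:01:12,004 ERROR ... AuthenticationFailedException: Received SAML assertion for user jdoe@company.com, but the user doesn't exist in the product
2021-04-23 10:02:40,118 ERROR ... AuthenticationFailedException: Received SAML assertion for user asmith@company.com, but the user doesn't exist in the product
2021-04-23 10:02:41,002 ERROR ... AuthenticationFailedException: Received SAML assertion for user jdoe@company.com, but the user doesn't exist in the product
2021-04-23 10:03:01,300 INFO  ... user bwayne logged in
"""

# Constructed stand-in for the rows returned by:
#   SELECT user_name, email_address FROM cwd_user
CWD_USERS = [
    {"user_name": "jdoe", "email_address": "jdoe@company.com"},
    {"user_name": "bwayne", "email_address": "bwayne@company.com"},
]


def extract_failed_users(log_text: str) -> List[str]:
    """Return the distinct NameIDs Jira rejected, in first-seen order."""
    seen, users = set(), []
    for line in log_text.splitlines():
        m = ASSERTION_ERROR.search(line)
        if m and m.group("user") not in seen:
            seen.add(m.group("user"))
            users.append(m.group("user"))
    return users


def classify(name_id: str, users: List[Dict[str, str]]) -> Dict[str, Optional[str]]:
    """Map one rejected NameID to Cause 1 ("missing") or Cause 2 ("mismatch").

    Jira usernames are case-insensitive, so all comparisons use lower case.
    """
    by_name = {u["user_name"].lower(): u["user_name"] for u in users}
    by_email = {u["email_address"].lower(): u["user_name"] for u in users}
    key = name_id.lower()
    if key in by_name:
        # The account exists under exactly this name, so neither cause in the
        # article applies; flag it for manual inspection instead.
        return {"name_id": name_id, "cause": "exists", "existing_user": by_name[key]}
    # Cause 2: Jira has 'jdoe' but the IdP sends 'jdoe@company.com' (or the
    # NameID equals the stored e-mail address of an existing account).
    if key in by_email:
        return {"name_id": name_id, "cause": "mismatch", "existing_user": by_email[key]}
    local_part = key.split("@", 1)[0]
    if local_part in by_name:
        return {"name_id": name_id, "cause": "mismatch", "existing_user": by_name[local_part]}
    # Cause 1: no account matches in any form.
    return {"name_id": name_id, "cause": "missing", "existing_user": None}


def plan_fix(finding: Dict[str, Optional[str]]) -> Optional[Dict[str, object]]:
    """Describe the REST call from the article that would resolve the finding.

    Only a description is built; nothing is sent. The body fields are assumed
    (verify them against your Jira version's REST documentation).
    """
    name_id = finding["name_id"]
    if finding["cause"] == "missing":  # Cause 1 -> create the user
        email = name_id if "@" in name_id else f"{name_id}@<your-domain>"  # placeholder domain
        return {"method": "POST", "path": "/rest/api/2/user",
                "body": {"name": name_id, "emailAddress": email, "displayName": name_id}}
    if finding["cause"] == "mismatch":  # Cause 2 -> rename the existing user
        return {"method": "PUT", "path": "/rest/api/2/user",
                "params": {"username": finding["existing_user"]},
                "body": {"name": name_id}}
    return None


def build_plan(log_text: str, users: List[Dict[str, str]]):
    """Pair every rejected NameID with its classification and proposed fix."""
    findings = [classify(u, users) for u in extract_failed_users(log_text)]
    return [(f, plan_fix(f)) for f in findings]


if __name__ == "__main__":
    for finding, fix in build_plan(SAMPLE_LOG, CWD_USERS):
        print(finding)
        print("   ->", fix)
```

Run it as-is to see the plan for the constructed data; to apply it for real, feed the output of the cwd_user query into CWD_USERS, review the PUT entries one by one (renames are not reversible from the IdP's side), and only then issue the calls with an authenticated HTTP client against a staging instance first.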


Last modified on Apr 23, 2021
