Received invalid SAML response: A valid SubjectConfirmation was not found on this Response: SubjectConfirmationData doesn't match a valid Recipient

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible



Symptoms

After configuring SAML for JIRA Data Center, the following error may be observed.

The following appears in atlassian-jira.log:

2018-01-25 23:02:01,537 http-nio-8080-exec-13 ERROR USERABC 1382x101603x4 xxxxxx 10.0.0.10,10.0.1.10 /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received invalid SAML response: A valid SubjectConfirmation was not found on this Response: SubjectConfirmationData doesn't match a valid Recipient
com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: A valid SubjectConfirmation was not found on this Response: SubjectConfirmationData doesn't match a valid Recipient
	at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:72)
	at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48)
	at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.extractSamlResponse(OneloginJavaSamlProvider.java:63)
	at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:97)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	at com.atlassian.plugin.servlet.DelegatingPluginServlet.service(DelegatingPluginServlet.java:37)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	at com.atlassian.plugin.servlet.ServletModuleContainerServlet.service(ServletModuleContainerServlet.java:45)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	... 52 filtered
	at com.atlassian.plugins.authentication.impl.web.filter.ErrorHandlingFilter.doFilter(ErrorHandlingFilter.java:83)
	... 3 filtered
	at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
	... 58 filtered
	at com.atlassian.jira.security.JiraSecurityFilter.lambda$doFilter$0(JiraSecurityFilter.java:76)
	... 1 filtered
	at com.atlassian.jira.security.JiraSecurityFilter.doFilter(JiraSecurityFilter.java:74)
	... 37 filtered
	at com.atlassian.jira.servermetrics.CorrelationIdPopulatorFilter.doFilter(CorrelationIdPopulatorFilter.java:30)
	... 10 filtered
	at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
	... 4 filtered
	at com.atlassian.web.servlet.plugin.LocationCleanerFilter.doFilter(LocationCleanerFilter.java:36)
	... 29 filtered
	at com.atlassian.jira.servermetrics.MetricsCollectorFilter.doFilter(MetricsCollectorFilter.java:25)
	... 27 filtered
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)

Diagnosis

Environment

  • JIRA Data Center with SAML configured

Diagnostic Steps

  • Capture the SAML Response by following "How to view a SAML response in your browser for troubleshooting"
  • Verify the Recipient attribute under SubjectConfirmationData, for example:

    <saml2:SubjectConfirmationData InResponseTo="_88cexxxxx-xx00-4xxd-bxxd-xxxxxxxxx"
                                   NotOnOrAfter="2016-09-14T13:40:14.351Z"
                                   Recipient="http://pp:5990/product/plugins/servlet/samlconsumer"/>
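
An added example (not part of the original Atlassian article): a Python helper that decodes a captured base64 SAMLResponse, lists each Recipient, and reports which URL components differ from the expected consumer URL. It assumes the expected Recipient is the Jira base URL followed by /plugins/servlet/samlconsumer; the function names, the sample response and the jira.example.com base URL are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CONSUMER_PATH = "/plugins/servlet/samlconsumer"  # path seen in the log and sample above

# Constructed sample response; the Recipient value is the one shown in the article.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Assertion>'
    '<saml2:Subject><saml2:SubjectConfirmation '
    'Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml2:SubjectConfirmationData NotOnOrAfter="2016-09-14T13:40:14.351Z" '
    'Recipient="http://pp:5990/product/plugins/servlet/samlconsumer"/>'
    '</saml2:SubjectConfirmation></saml2:Subject></saml2:Assertion></samlp:Response>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def recipients(saml_response_b64):
    """Return every Recipient found on SubjectConfirmationData elements."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    tag = "{%s}SubjectConfirmationData" % SAML2_NS
    return [el.get("Recipient") for el in root.iter(tag) if el.get("Recipient")]


def diff_recipient(recipient, base_url):
    """Map each differing URL component to (value in Recipient, expected value)."""
    expected = base_url.rstrip("/") + CONSUMER_PATH  # assumption: base URL + consumer path
    a, e = urlsplit(recipient), urlsplit(expected)
    fields = {
        "scheme": (a.scheme, e.scheme),
        "host": (a.hostname, e.hostname),
        "port": (a.port, e.port),  # None when the URL has no explicit port
        "path": (a.path, e.path),
    }
    diff = {k: v for k, v in fields.items() if v[0] != v[1]}
    # How strictly the service provider compares is not stated in the article,
    # so any remaining textual difference (e.g. host case) is flagged as well.
    if not diff and recipient != expected:
        diff["raw"] = (recipient, expected)
    return diff


if __name__ == "__main__":
    for r in recipients(SAMPLE_B64):
        print(r, diff_recipient(r, "https://jira.example.com"))
```

An empty result means the Recipient matches the expected consumer URL; otherwise each key names the component to correct on the identity provider or in the Jira base URL and proxy settings.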

Cause

This indicates a mismatch between the Recipient in the SubjectConfirmationData section of the SAML Response and the URL used in Jira. It can be caused by either:

  1. A mismatch between the base URL used in Jira and the one configured in server.xml.
    OR
  2. The wrong connector ("JIRA (On-prem)") is being used on the OneLogin side.

Resolution

Ensure the Recipient of the SubjectConfirmationData returned in the SAML response matches the URL used in Jira.

Resolution for Cause 1
  • Ensure that the base URL used in Jira matches the proxyName parameter in server.xml.
Resolution for Cause 2
  • Use the "SAML Test Connector (Advanced)" at OneLogin to configure the integration.


Last modified on Apr 5, 2021
