Received invalid SAML response: A valid SubjectConfirmation was not found on this Response: SubjectConfirmationData doesn't match a valid Recipient
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Symptoms
After configuring JIRA Data Center SAML the following error may be observed:
The following appears in the atlassian-jira.log:
2018-01-25 23:02:01,537 http-nio-8080-exec-13 ERROR USERABC 1382x101603x4 xxxxxx 10.0.0.10,10.0.1.10 /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received invalid SAML response: A valid SubjectConfirmation was not found on this Response: SubjectConfirmationData doesn't match a valid Recipient
com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: A valid SubjectConfirmation was not found on this Response: SubjectConfirmationData doesn't match a valid Recipient
at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:72)
at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48)
at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.extractSamlResponse(OneloginJavaSamlProvider.java:63)
at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:97)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at com.atlassian.plugin.servlet.DelegatingPluginServlet.service(DelegatingPluginServlet.java:37)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at com.atlassian.plugin.servlet.ServletModuleContainerServlet.service(ServletModuleContainerServlet.java:45)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
... 52 filtered
at com.atlassian.plugins.authentication.impl.web.filter.ErrorHandlingFilter.doFilter(ErrorHandlingFilter.java:83)
... 3 filtered
at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
... 58 filtered
at com.atlassian.jira.security.JiraSecurityFilter.lambda$doFilter$0(JiraSecurityFilter.java:76)
... 1 filtered
at com.atlassian.jira.security.JiraSecurityFilter.doFilter(JiraSecurityFilter.java:74)
... 37 filtered
at com.atlassian.jira.servermetrics.CorrelationIdPopulatorFilter.doFilter(CorrelationIdPopulatorFilter.java:30)
... 10 filtered
at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
... 4 filtered
at com.atlassian.web.servlet.plugin.LocationCleanerFilter.doFilter(LocationCleanerFilter.java:36)
... 29 filtered
at com.atlassian.jira.servermetrics.MetricsCollectorFilter.doFilter(MetricsCollectorFilter.java:25)
... 27 filtered
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Diagnosis
Environment
- JIRA Data Center with SAML configured
Diagnostic Steps
- Retrieve the SAML Response by following "How to view a SAML response in your browser for troubleshooting"
- Verify the Recipient attribute under SubjectConfirmationData, for example:
<saml2:SubjectConfirmationData InResponseTo="_88cexxxxx-xx00-4xxd-bxxd-xxxxxxxxx" NotOnOrAfter="2016-09-14T13:40:14.351Z" Recipient="http://pp:5990/product/plugins/servlet/samlconsumer"/>
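To run this check on a captured response, the following added example (not Atlassian's code) decodes the base64 SAMLResponse value, reads each Recipient, and reports which URL components differ from the Jira base URL plus the /plugins/servlet/samlconsumer path seen in the log above. The sample response and the base URL https://jira.example.com are constructed, and building the expected URL as base URL plus that path is an assumption.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CONSUMER_PATH = "/plugins/servlet/samlconsumer"  # path shown in the log line and sample above

def expected_recipient(base_url):
    """Assumption: the consumer URL is the Jira base URL plus CONSUMER_PATH."""
    return base_url.rstrip("/") + CONSUMER_PATH

def recipients(saml_response_b64):
    """Return the Recipient of every SubjectConfirmationData in the response."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    tag = "{%s}SubjectConfirmationData" % ASSERTION_NS
    return [el.get("Recipient") for el in root.iter(tag)]

def diagnose(saml_response_b64, base_url):
    """List human-readable mismatches; an empty list means the Recipient matches."""
    want = urlsplit(expected_recipient(base_url))
    found = recipients(saml_response_b64)
    if not found:
        return ["no SubjectConfirmationData element in the response"]
    problems = []
    for raw in found:
        if raw is None:
            problems.append("SubjectConfirmationData has no Recipient attribute")
            continue
        got = urlsplit(raw)
        for part in ("scheme", "hostname", "port", "path"):
            if getattr(got, part) != getattr(want, part):
                problems.append("%s: response has %r, Jira expects %r"
                                % (part, getattr(got, part), getattr(want, part)))
    return problems

# Constructed sample response reusing the Recipient value from the article's example.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml2="%s"><saml2:Assertion><saml2:Subject>'
    '<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml2:SubjectConfirmationData NotOnOrAfter="2016-09-14T13:40:14.351Z" '
    'Recipient="http://pp:5990/product/plugins/servlet/samlconsumer"/>'
    '</saml2:SubjectConfirmation></saml2:Subject></saml2:Assertion></samlp:Response>'
) % ASSERTION_NS
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for line in diagnose(SAMPLE_B64, "https://jira.example.com"):  # constructed base URL
        print(line)
```

Only feed it responses captured from your own login flow; the script reads the Recipient and does not validate signatures or any other part of the assertion.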
Cause
This indicates a mismatch between the Recipient of the SubjectConfirmationData section received in the SAML Response and the URL used in Jira. It can be caused by either:
- A mismatch of the base URL configured in the server.xml
- OR the wrong connector ("JIRA (On-prem)") being used on the OneLogin side
Resolution
Ensure the Recipient of the SubjectConfirmationData returned by the SAML response matches the URL used in Jira.
Resolution for Cause 1
- Ensure the base URL used in Jira and the proxyName parameter in server.xml match.
Resolution for Cause 2
- Use the "SAML Test Connector (Advanced)" at OneLogin to configure the integration