Received invalid SAML response: is not a valid audience for this Response


Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem


After configuring SAML for JIRA Data Center, the following error may be observed:


com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: https://jira.atlassian.com is not a valid audience for this Response
	at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:89)
	at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48)
	at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.extractSamlResponse(OneloginJavaSamlProvider.java:80)
	at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:87)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	at com.atlassian.plugin.servlet.DelegatingPluginServlet.service(DelegatingPluginServlet.java:37)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	at com.atlassian.plugin.servlet.ServletModuleContainerServlet.service(ServletModuleContainerServlet.java:45)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)

Cause

This indicates a mismatch between the Audience URL (Entity ID) that JIRA provides in its SAML configuration and the value configured in the Identity Provider. In ADFS 3.0 the Audience URL (Entity ID) is referred to as the Relying Party Identifier. These values must match exactly.

If JIRA provides an Audience URL(Entity ID) of:
https://jira.atlassian.com

and the Identity Provider is configured as:
https://jira.atlassian.com/

The audiences are not considered a match because of the trailing / in the second URL, and the error above is raised.

Resolution

Ensure the Identity Provider (IdP) Relying Party Identifier matches, character for character, the Audience URL (Entity ID) provided in the JIRA SAML configuration.
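To confirm which character differs, the following added example (not Atlassian's code) decodes a captured base64 SAMLResponse form value, extracts each Audience element and compares it exactly with the Entity ID shown in JIRA. The function names and the sample response are constructed for illustration; the check is diagnostic only and does not validate signatures.

```python
import base64
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: minimal unsigned response carrying the IdP-side value
# from this article (note the trailing slash).
SAMPLE_RESPONSE_XML = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://jira.atlassian.com/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion>
</samlp:Response>"""


def audiences_from_response(saml_response_b64):
    """Return the text of every <saml:Audience> in a base64 SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    tag = "{%s}Audience" % SAML_ASSERTION_NS
    return [el.text or "" for el in root.iter(tag)]


def first_difference(expected, actual):
    """Index of the first differing character, or None if identical."""
    for i, (a, b) in enumerate(zip(expected, actual)):
        if a != b:
            return i
    if len(expected) != len(actual):
        return min(len(expected), len(actual))
    return None


def check_audience(saml_response_b64, sp_entity_id):
    """Exact comparison; returns (matched, [(audience, position, hint)])."""
    findings = []
    for aud in audiences_from_response(saml_response_b64):
        pos = first_difference(sp_entity_id, aud)
        if pos is None:
            return True, []
        if aud.strip() == sp_entity_id:
            hint = "surrounding whitespace"
        elif aud.rstrip("/") == sp_entity_id.rstrip("/"):
            hint = "trailing slash"
        elif aud.lower() == sp_entity_id.lower():
            hint = "letter case"
        else:
            hint = "different value"
        findings.append((aud, pos, hint))
    return False, findings
```

A result such as `(False, [("https://jira.atlassian.com/", 26, "trailing slash")])` points at the Relying Party Identifier to correct on the IdP.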



Last modified on Jan 3, 2019
