SAML login fails with "Invalid issuer in the Assertion/Response"
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
After setting up SAML with Jira Data Center, the user is redirected to Jira but is not logged in.
The following appears in atlassian-jira.log:
2018-12-04 08:15:13,453 http-nio-8080-exec-12 ERROR anonymous 495x88791x1 14d0tmf 10.158.3.30,10.159.134.14 /plugins/servlet/samlconsumer [c.o.saml2.authn.SamlResponse] Invalid issuer in the Assertion/Response
2018-12-04 08:15:13,453 http-nio-8080-exec-12 ERROR anonymous 495x88791x1 14d0tmf 10.158.3.30,10.159.134.14 /plugins/servlet/samlconsumer [c.onelogin.saml2.Auth] processResponse error. invalid_response
2018-12-04 08:15:13,453 http-nio-8080-exec-12 ERROR anonymous 495x88791x1 14d0tmf 10.158.3.30,10.159.134.14 /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received invalid SAML response: Invalid issuer in the Assertion/Response
com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: Invalid issuer in the Assertion/Response
Diagnosis
Review the Single sign-on issuer (a.k.a. entity ID) in your SAML setup on the Jira side.
Run through How to view a SAML response in your browser for troubleshooting and review the Issuer in the SAML assertion.
Cause
The error "Invalid issuer in the Assertion/Response" suggests that the Issuer value in the SAML assertion does not match the entity ID configured in Jira.
The difference can be as simple as the protocol in the URL (https vs http).
Resolution
Make sure both the Single sign-on issuer in Jira and the Issuer set in the SAML assertion by the IdP are exactly the same. A trailing whitespace character can result in an InvalidSamlResponse. There is a suggestion to strip trailing whitespace from the Single sign-on issuer field: JRASERVER-69492.
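The comparison described above can be scripted. The following is an added example, not Atlassian code: it decodes a base64 SAMLResponse form field captured from the browser (HTTP-POST binding assumed), extracts every Issuer, and reports how it differs from the Single sign-on issuer configured in Jira. The function names, the sample response and the idp.example.com values are constructed for illustration, and the trailing-slash check goes beyond the two causes the article names.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ISSUER_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Issuer"

# Constructed sample (not from a real IdP): Issuer uses http://, unlike the Jira setting below.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Issuer>http://idp.example.com/saml</saml:Issuer>'
    '<saml:Assertion><saml:Issuer>http://idp.example.com/saml</saml:Issuer></saml:Assertion>'
    '</samlp:Response>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def extract_issuers(saml_response_b64):
    """Issuer values from a base64 SAMLResponse form field (Response and Assertion level)."""
    # Only feed this responses captured from your own IdP; ElementTree is not a hardened parser.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return [el.text or "" for el in root.iter(ISSUER_TAG)]

def explain_mismatch(configured, received):
    """Return [] when the two strings are exactly equal, else the differences found."""
    if configured == received:
        return []
    reasons = []
    c, r = configured.strip(), received.strip()
    if c != configured:
        reasons.append("whitespace around configured issuer")
    if r != received:
        reasons.append("whitespace around received issuer")
    cs, rs = urlsplit(c).scheme, urlsplit(r).scheme
    if cs != rs:
        reasons.append(f"scheme differs: {cs or '(none)'} vs {rs or '(none)'}")
    c_rest, r_rest = c[len(cs):], r[len(rs):]
    if c_rest != r_rest:
        same_but_slash = c_rest.rstrip("/") == r_rest.rstrip("/")
        reasons.append("trailing slash" if same_but_slash else "host, path or other text differs")
    return reasons

def diagnose(saml_response_b64, configured_issuer):
    """Map each distinct Issuer in the response to its differences from the configured value."""
    return {i: explain_mismatch(configured_issuer, i) for i in extract_issuers(saml_response_b64)}

if __name__ == "__main__":
    for issuer, reasons in diagnose(SAMPLE_B64, "https://idp.example.com/saml ").items():
        print(repr(issuer), "->", reasons or "match")
```

An empty list for every Issuer means the values are identical and the cause lies elsewhere.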