SAML login fails with "Invalid issuer in the Assertion/Response"

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

After setting up SAML with Jira Data Center, the user is redirected to Jira but is not logged in. 

The following appears in atlassian-jira.log:

2018-12-04 08:15:13,453 http-nio-8080-exec-12 ERROR anonymous 495x88791x1 14d0tmf 10.158.3.30,10.159.134.14 /plugins/servlet/samlconsumer [c.o.saml2.authn.SamlResponse] Invalid issuer in the Assertion/Response
2018-12-04 08:15:13,453 http-nio-8080-exec-12 ERROR anonymous 495x88791x1 14d0tmf 10.158.3.30,10.159.134.14 /plugins/servlet/samlconsumer [c.onelogin.saml2.Auth] processResponse error. invalid_response
2018-12-04 08:15:13,453 http-nio-8080-exec-12 ERROR anonymous 495x88791x1 14d0tmf 10.158.3.30,10.159.134.14 /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received invalid SAML response: Invalid issuer in the Assertion/Response
com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: Invalid issuer in the Assertion/Response

Diagnosis

Cause

Invalid issuer in the Assertion/Response suggests that the issuer value in the SAML assertion does not match the entity ID. 

The difference can be as simple as the protocol in the URL (https vs http). 

Resolution

Make sure both the Single sign-on issuer in Jira and the Issuer set in the SAML assertion by the IdP are exactly the same. A trailing white space can result in an 

InvalidSamlResponse. There is a suggestion to strip trailing whitespaces from the Single sign-on issuer field: JRASERVER-69492.



DescriptionSAML login fails with "Invalid issuer in the Assertion/Response"
ProductJira, Confluence, Bitbucket

Last modified on Jun 17, 2019

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.