User unable to log in after enabling SAML Single Sign On for JIRA

This article only applies to the Atlassian server platform. Learn more about the differences between cloud and server.

Problem

After enabling SAML Single Sign-On (SSO) for JIRA, a user is unable to log in. The following appears in atlassian-jira.log:

AuthenticationFailedException: Received SAML assertion for user XXX, but the user doesn't exist in the product

Diagnosis

Diagnostic Steps

    • Make sure that the user has been synchronized. It is advisable that a synchronized directory be used for SAML users.
    • Make sure that the NameID attribute matches what the application expects. For example, a mismatch occurs if the IdP returns an email address as the username but the application uses regular usernames. The username/NameID attribute as read by the identity provider must match Directory > Configuration > User name attribute as configured in JIRA.
    • Check for leading/trailing whitespace in the username. Due to a bug in JIRA (JRASERVER-37508), usernames can be unintentionally created with whitespace in them.

Run the following SQL query to check the user's username in JIRA's database: 

SELECT * FROM cwd_user
WHERE user_name = '<usernamefromerror>';

Warning: Replace <usernamefromerror> with the username reported in the error.
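
The exact-match query above returns nothing when the stored username differs from the NameID only by stray whitespace, or when the IdP sent the email address. The following read-only query is an added example, not part of the original article or Atlassian's own tooling; it assumes PostgreSQL syntax, and the cwd_directory table and the directory_id, active and email_address columns are assumed from the standard JIRA Server schema rather than taken from this page.

```sql
-- Added example: read-only diagnostic, PostgreSQL syntax assumed.
-- Replace <usernamefromerror> with the username reported in the error.
WITH reported AS (
    SELECT CAST('<usernamefromerror>' AS varchar) AS name_id
)
SELECT d.directory_name,
       u.active,
       -- Brackets make leading/trailing spaces visible in the output.
       '[' || u.user_name || ']' AS user_name_bracketed,
       u.email_address,
       CASE
           WHEN u.user_name = r.name_id
               THEN 'exact match'
           WHEN btrim(u.user_name) = btrim(r.name_id)
               THEN 'differs only in leading/trailing spaces'
           WHEN lower(btrim(u.user_name)) = lower(btrim(r.name_id))
               THEN 'differs in letter case (after trimming)'
           ELSE 'NameID matches the email address, not the user name'
       END AS finding
FROM cwd_user u
JOIN cwd_directory d ON d.id = u.directory_id
CROSS JOIN reported r
-- Candidate rows: user name or email equals the NameID once both sides
-- are trimmed of spaces and lower-cased.
WHERE lower(btrim(u.user_name)) = lower(btrim(r.name_id))
   OR lower(btrim(u.email_address)) = lower(btrim(r.name_id))
ORDER BY d.directory_name, u.user_name;
```

If no rows come back, no directory holds a matching user, which points back to the synchronization step above.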

Cause

The user does not have permission to log in to JIRA, or the username sent by the IdP does not match the username in JIRA.

Resolution

Correct the username so it matches what JIRA expects. Typically this should be fixed on the IdP's side, by making the IdP return the expected username as the NameID.

 

Last modified on Jul 5, 2017
