User unable to log in after enabling SAML Single Sign On for JIRA
This article only applies to the Atlassian server platform.
After enabling SAML Single Sign-On (SSO) for JIRA, a user is unable to log in. The following appears in the atlassian-jira
AuthenticationFailedException: Received SAML assertion for user XXX, but the user doesn't exist in the product
- Make sure that the user has been synchronized. It is advisable that a synchronized directory be used for SAML users.
- Make sure that the NameID attribute matches what the application expects. For example, this could happen if the IdP returns an email address as a username, but the application uses regular usernames. The username/NameID attribute as read by the identity provider must match Directory > Configuration > User name attribute as configured in JIRA.
- Check for leading/trailing whitespace in the username. Due to a bug in JIRA (JRASERVER-37508), usernames can be unintentionally created with whitespace in the username.
Run the following SQL query to check the user's username in JIRA's database:
SELECT * FROM cwd_user WHERE user_name = '<usernamefromerror>'
Replace <usernamefromerror> with the username reported in the error.
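The exact-match query above can miss the two mismatches described in the checklist (stray whitespace, and an email address sent where a username is expected). The following broader diagnostic query is an added example, not part of the original article. It assumes PostgreSQL or MySQL and the cwd_user columns id, directory_id, email_address and active in addition to user_name.

```sql
-- Added example: diagnose why a SAML NameID does not resolve to a JIRA user.
-- Assumptions: PostgreSQL or MySQL; cwd_user has the columns id, directory_id,
-- user_name, email_address and active.
-- Replace <usernamefromerror> with the username reported in the error.
SELECT id,
       directory_id,
       CONCAT('[', user_name, ']')  AS user_name_bracketed,  -- brackets expose stray spaces
       CHAR_LENGTH(user_name)       AS stored_length,
       CHAR_LENGTH(TRIM(user_name)) AS trimmed_length,
       email_address,
       active,
       CASE
         -- Stored name is longer than its trimmed form: leading/trailing spaces.
         WHEN CHAR_LENGTH(user_name) <> CHAR_LENGTH(TRIM(user_name))
           THEN 'whitespace in stored username'
         -- NameID equals the email address but not the username.
         WHEN LOWER(email_address) = LOWER(TRIM('<usernamefromerror>'))
              AND LOWER(user_name) <> LOWER(TRIM('<usernamefromerror>'))
           THEN 'IdP sends email address, JIRA expects username'
         ELSE 'username matches; check directory sync, active flag and login permission'
       END AS finding
FROM cwd_user
-- Match on the trimmed, case-folded username or on the email address so that
-- near-miss rows are returned as well as exact matches.
WHERE LOWER(TRIM(user_name)) = LOWER(TRIM('<usernamefromerror>'))
   OR LOWER(email_address)   = LOWER(TRIM('<usernamefromerror>'))
ORDER BY directory_id, id;
```

No rows returned means the user is absent from every directory, which points to the synchronization check. TRIM removes spaces only, so tabs or other whitespace characters in a username are not flagged by this query.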
The user does not have permission to log in to JIRA or the username being sent by the IdP does not match the username in JIRA.
Correct the username so it matches what is expected by JIRA. Typically this should be fixed on the IdP's side, by making the IdP return the expected username as the NameID.