User unable to log in after enabling SAML Single Sign On for Jira Data Center

Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.

Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

After enabling SAML Single Sign-On (SSO) for JIRA, a user is unable to log in. One of the following errors appears in atlassian-jira.log:

AuthenticationFailedException: Received SAML assertion for user XXX, but the user doesn't exist in the product
com.atlassian.plugins.authentication.impl.web.usercontext.AuthenticationFailedException: Received SSO request for user XXXX, but the user does not exist


Diagnosis

Diagnostic Steps

    • Make sure that the user has been synchronized. It is advisable that a synchronized directory be used for SAML users.
    • Make sure that the NameID attribute matches what the application expects. For example, the error can occur if the IdP returns an email address as the username but the application uses regular usernames. The username/NameID attribute as read by the identity provider must match Directory > Configuration > User name attribute as configured in JIRA.
    • Check for leading/trailing whitespace in the username. Due to a bug in JIRA, JRASERVER-37508 - JIRA Allows The Creation of Usernames With Whitespace, usernames can be unintentionally created with leading or trailing whitespace.
    • Check for leading/trailing whitespace in the SSO configuration screen.

Run the following SQL query to check the user's username in JIRA's database: 

SELECT * FROM cwd_user
WHERE user_name = '<usernamefromerror>';

Warning: Replace <usernamefromerror> with the username reported in the error.
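The exact-match query above returns nothing when the stored username carries stray whitespace or when the IdP sends an email address as the NameID. The following broader query is an added example, not part of the original article. It is written in PostgreSQL syntax and assumes the standard Jira schema: the cwd_directory table and the directory_id, active and email_address columns of cwd_user.

```sql
-- Added example (PostgreSQL syntax); replace <usernamefromerror> as in the query above.
-- Assumes the standard Jira schema for cwd_user and cwd_directory.
-- TRIM() removes spaces only; tabs or other whitespace still show up in the
-- bracketed column and in the length comparison.
SELECT u.id,
       d.directory_name,
       d.active                          AS directory_active,
       u.active                          AS user_active,
       '[' || u.user_name || ']'         AS user_name_bracketed,  -- brackets expose stray whitespace
       LENGTH(u.user_name)               AS stored_length,
       LENGTH(TRIM(u.user_name))         AS trimmed_length,
       u.email_address,
       CASE
         WHEN u.user_name = '<usernamefromerror>'
           THEN 'exact match: check user/directory active flags and login permission'
         WHEN u.user_name <> TRIM(u.user_name)
           THEN 'stored username has leading/trailing whitespace'
         WHEN LOWER(u.user_name) = LOWER(TRIM('<usernamefromerror>'))
           THEN 'value from the error differs by whitespace or case'
         WHEN LOWER(TRIM(u.email_address)) = LOWER(TRIM('<usernamefromerror>'))
           THEN 'value from the error is the email address, not the username'
         ELSE 'other'
       END                               AS finding
FROM cwd_user u
JOIN cwd_directory d ON d.id = u.directory_id
WHERE LOWER(TRIM(u.user_name))     = LOWER(TRIM('<usernamefromerror>'))
   OR LOWER(TRIM(u.email_address)) = LOWER(TRIM('<usernamefromerror>'))
ORDER BY d.directory_name, u.user_name;
```

A row whose finding is the email-address case points to the NameID mismatch described in the diagnostic steps; no rows at all suggests the user has not been synchronized.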

Cause

The user does not have permission to log in to JIRA or the username being sent by the IdP does not match the username in JIRA. 

Resolution

Correct the username so it matches what is expected by JIRA. Typically this should be fixed on the IdP's side, by making the IdP return the expected username as the NameID.


Last modified on Mar 19, 2025
