User receives error "The email address you entered can't be used to log in here." when logging in via SAML SSO


Platform Notice: Cloud - This article applies to Atlassian products on the cloud platform.

Summary

A user trying to log in to Atlassian Cloud via SAML SSO receives the error message "Whoops! The email address you entered can't be used to log in here."



Environment

Atlassian users set up for SAML SSO authentication for logging in to Atlassian products.

Cause

This error is generally returned when the IdP sends an incorrect email address in the NameID attribute of the SAML response. To log users in via SAML SSO, the Atlassian identity platform uses the NameID attribute to match the email address of the user who is trying to log in. If the email address sent by the IdP is not correct, the user receives this error message.

Solution

Check the email address mapped to the NameID attribute at the IdP and confirm that it is the same as the email address used for the login attempt. Following the defined mapping, the IdP reads the email address from the user profile and sends it to Atlassian as the NameID attribute in the SAML response. Correcting this value at the IdP should resolve the login issue for the user.

  • For Azure, the NameID attribute is defined by the Unique User Identifier attribute. This mapping can be found in Azure by navigating to Enterprise Applications > Atlassian Cloud application > Single sign-on > Attributes & Claims.
  • For Okta, the NameID attribute is defined by the Application Username format mapping. This mapping can be found in Okta by navigating to Applications > Atlassian Cloud application > Sign-on > Credential details.
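To see which value the IdP actually sent, the SAMLResponse form field captured from the browser's login POST can be decoded and its NameID compared with the login email. The script below is an added example, not Atlassian's code: the function names, the sample response and the addresses are constructed, and it assumes the value is already URL-decoded and the assertion is not encrypted.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def extract_name_id(saml_response_b64):
    """Return (NameID text, Format attribute) from a base64 SAMLResponse value."""
    xml_bytes = base64.b64decode(saml_response_b64)
    # A SAML message never needs a DTD; refuse one rather than expand entities.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD found in SAML response; refusing to parse")
    root = ET.fromstring(xml_bytes)
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None:
        raise ValueError("no plaintext NameID (assertion missing or encrypted)")
    return node.text or "", node.get("Format")

def check_name_id(saml_response_b64, login_email):
    """Compare the NameID the IdP sent with the email typed at login."""
    name_id, fmt = extract_name_id(saml_response_b64)
    if name_id == login_email:
        verdict = "match"
    elif name_id.strip().lower() == login_email.strip().lower():
        # Reported separately: the page does not say how such differences are treated.
        verdict = "differs-in-case-or-whitespace"
    else:
        verdict = "mismatch"
    return {"name_id": name_id, "format": fmt, "verdict": verdict}

def build_sample(name_id):
    """Constructed, unsigned sample response used only to exercise the check."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml:Assertion><saml:Subject>'
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f'{name_id}</saml:NameID>'
        '</saml:Subject></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    # Constructed case: the IdP mapping sends a different address than the login email.
    sample = build_sample("jdoe@corp.example")
    print(check_name_id(sample, "jane.doe@example.com"))
```

The script only reads the NameID and does not verify the response signature, so it is a troubleshooting aid and not a validation step. Decode captured responses locally, since they carry user identifiers.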

Last modified on Feb 7, 2022
