SAML SSO authentication failure with JIT in Bitbucket Data Center: 'Received SSO request for user, but the user is not permitted to log in'
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
With the JIT (Just In Time) option enabled, SAML SSO login to Bitbucket Data Center fails with the error "We can't log you in right now."
The logs show the following error:
2023-03-29 12:49:12,472 ERROR https-jsse-nio-7990-exec-5 @HGA6LMx769x180350x0 8080k 10.20.30.40,10.16.61.10 "POST /plugins/servlet/samlconsumer HTTP/1.1" c.a.p.a.s.w.f.ErrorHandlingFilter 47e2e66e-2a42-abcd-efgh-ab94dd3c4aq Received SSO request for user xyz, but the user is not permitted to log in
Environment
Bitbucket Data Center 7.17.16
SAML SSO Integration with IDP (Google IDP, Azure AD etc.)
Diagnosis
For the "user is not permitted to log in" error, verify the following points:
1. Get the user ID from the Name ID of the SAML response and verify that Bitbucket contains a user whose username matches the Name ID field.
2. If the user is present in Bitbucket, check whether the group the user should belong to has been created in Bitbucket. Its name should be similar to the group assigned in the IdP in the Groups or groups attribute.
3. If the user is part of a group in Bitbucket as described in step 2, check whether that group holds valid permissions.
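The three checks above can be run against a captured SAMLResponse form value. The Python below is an added example, not Atlassian code: the attribute names `groups`/`Groups` come from step 2, while the sample response, the function names and the hand-copied Bitbucket user and group sets are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a minimal, unsigned SAML response for user "xyz".
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>xyz</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>bitbucket-devs</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def parse_saml_response(b64_response, group_attrs=("groups", "Groups")):
    """Return (name_id, groups) from a base64 SAMLResponse form value.

    Diagnostic use only: the signature is NOT verified here."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; decrypt it before inspecting")
    name_id = root.findtext(".//saml:Subject/saml:NameID", "", NS).strip()
    groups = [
        (v.text or "").strip()
        for a in root.iterfind(".//saml:Attribute", NS)
        if a.get("Name") in group_attrs
        for v in a.iterfind("saml:AttributeValue", NS)
    ]
    return name_id, groups


def diagnose(name_id, idp_groups, bb_users, bb_groups, bb_permitted_groups):
    """Apply the three checks; the bb_* sets are copied by hand from Bitbucket."""
    findings = []
    if name_id not in bb_users:
        findings.append(f"no Bitbucket user named '{name_id}'")
    for g in idp_groups:
        if g not in bb_groups:
            findings.append(f"group '{g}' does not exist in Bitbucket")
        elif g not in bb_permitted_groups:
            findings.append(f"group '{g}' is missing from Global permissions")
    return findings
```

An empty result from `diagnose` means all three checks passed for that response; a captured SAMLResponse contains user identity data and should be handled like any other credential artifact.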
Cause
This issue occurs when the JIT option is enabled in the SAML SSO configuration and the group, which should be created in Bitbucket before the user logs in to Bitbucket, has not been added in the "Global Permission" → "Groups" section in Bitbucket.
Solution
You need to make sure that the Group has been added to the Bitbucket → Global Permissions → Group access section and that it has the required permissions.