Cannot login to Atlassian via Entra SSO

When i try to login on our organization i am met with the following error:

Hmm... We're having trouble logging you in.

We're having trouble logging you in. There seems to be an issue with your identity provider. Wait a few moments, then try again.

e96122d3-0b8f-4347-8eeb-9f765d210dcf

This recurs on all browsers with cleared cache and site data.

In the browser I can see:
/error?error=access_denied&error_description=Invalid%20thumbprint&state

Due to this fact I cannot open a case...... and cannot get in contact with Atlassian support Also none of the admin can get to the admin section because they need to login.

Also, productivity is affected by this.

I had to create this new account to be able to raise this question in the community

2 answers

1 vote

@Rachel Backup ,

I've flagged this question for an Atlassian engineer to look at. This might take a little while though for them to look at.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

There still Heroes here :)

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

0 votes

Hello @Rachel Backup

Sorry to hear that...

That error is basically Atlassian saying: “I don’t trust the SAML certificate your IdP is using.”
The clue is the URL you saw: Invalid thumbprint. That almost always points to a SAML signing certificate mismatch in Microsoft Entra (Azure AD) SSO.

What usually causes it:

Entra rotated/renewed the SAML signing certificate (or switched primary/secondary).
Someone changed the Enterprise App / SSO config and the cert in Atlassian didn’t get updated.
Metadata/cert simply got out of sync.

What to do (the fix)

You’ll need someone who can still access Entra admin center:
Entra → Enterprise applications → your Atlassian app → Single sign-on (SAML)
Go to SAML Signing Certificate and download/copy the current active certificate.
Atlassian Access / Org security (Identity provider)
Update the IdP config with that same signing certificate (the one Entra is actually using), save, and test again.

The “we can’t log in to fix it” problem

If all admins are forced through SSO, you’re locked out until:

you use a break-glass admin (an Atlassian admin account not enforced by SSO), or
you contact Atlassian Support to help you regain admin access so you can update the IdP cert.

Since you already created this separate account, use it to raise a support request under Login / SSO / Atlassian Access and include:

the error text
the request ID (the GUID you posted)
and that the browser shows Invalid thumbprint

That’s usually enough for them to route it correctly.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Thank you Arkadiusz,

however, where can i raise that support ticket?

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

I only have to option to ask this question here because:

Get help from your site admin

If you need technical support, ask your site admin to file a request on your behalf. Only Atlassian Account admins, billing contacts, and technical contacts can create support requests for Atlassian Account.

i am the site admin..........

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

@Rachel Backup

Yep, you’re right, and that’s the nasty part: this is the Community forum, and Atlassian Support won’t take a support request from a post here. Normally you’d open a ticket from admin.atlassian.com, but because SSO is blocking all admins, you can’t.

So you basically have two realistic paths:

Fix it from Entra (fastest if you can)
Since the error shows “Invalid thumbprint”, it’s almost always the SAML signing certificate in Entra not matching what Atlassian expects. If you (or your Entra/IAM team) can access Entra admin center, check the Atlassian Enterprise App → SAML signing certificate. If a cert rotated recently, switching back / confirming the active cert is often what gets you back in.

Use Atlassian’s “can’t log in / SSO recovery” contact route
When all admins are locked out, you can’t use the normal support portal flow. You need the account/login recovery route (SSO lockout). That’s the only way Atlassian will handle an org-wide SSO lockout when you can’t authenticate as an admin.

When you contact them, include:

your site URL

the error “Invalid thumbprint”

the request ID GUID from the error page

I know this isn’t the answer you want, but the important bit is: Support won’t accept a case from Community, so you either fix the cert from Entra or use the official login/SSO recovery channel.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Forums

Q&A

Community resources

Support

Top groups

Community resources

Support

Learn

Community resources

Support

Events

Community resources

Support

Cannot login to Atlassian via Entra SSO

Hmm... We're having trouble logging you in.

2 answers

Get help from your site admin

Suggest an answer

Was this helpful?

Thanks!

TAGS

Atlassian Community Events