Hello,
I'm encountering an issue with the IdP-initiated SAML flow. When I attempt to use the IdP-initiated flow, I receive the following error from Jira's SAML callback endpoint:
{"key":"badRequest","context":{"message":"Invalid customer saml login callback request","reason":"SAML Request was not initiated by the service."}}
This error seems to indicate that the flow expects a SAML request, which is typically part of the SP-initiated flow. However, the IdP-initiated flow does not start with a SAML request.
For context, the SP-initiated flow works correctly without any issues. I suspect there may be a structural difference in the SAML response that is expected by Jira for the IdP-initiated flow, which is causing the problem.
Here is an example of the SAML response I’m using for the IdP flow:
Could you please advise if there are specific fields or configurations required for the SAML response in the IdP-initiated flow to be accepted by Jira, or if additional configuration is needed on Jira's end?
Thanks in advance for your help!
When troubleshooting "badRequest: Invalid customer SAML login callback request," it's worth noting that this error can be misleading in IDP-initiated SAML flows if the RelayState parameter isn't set correctly.
In your SAML authentication flow, ensure that the RelayState parameter in the SAML response matches <baseurl>/servicedesk/customer/portals, where <baseurl> should be replaced with your actual public domain (e.g., yourdomain.atlassian.net/servicedesk/customer/portals). This RelayState value is critical because it directs the user to the correct service portal post-authentication, and any discrepancies here can lead to the "badRequest" error.
Setting the correct, public-facing domain in RelayState is essential for a seamless IDP-initiated login experience.
Greetings, where do you set the RelayState? Is this in B2C or in Atlassian?
I am struggling to get this to work and have been dealing with it for over a week. I have followed Microsoft's guide to set up SAML in my custom policies. I am still getting the error in this post.
Any help will be greatly appreciated.
RelayState is a parameter in the SAML response sent from the IdP to Jira. To troubleshoot this, use a browser debugging tool like a Chrome extension for SAML (e.g., SAML Chrome Panel) or inspect the network traffic in your browser's developer tools. Look for the form data being posted to Jira from your IdP and verify the RelayState value.
Ensure that the RelayState parameter matches the expected URL format, such as <baseurl>/servicedesk/customer/portals, where <baseurl> is your public domain (e.g., yourdomain.atlassian.net). If the RelayState is missing or incorrect, configure your IdP to include it in the SAML response.
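The check described in the reply above, scripted as an added example (not part of the original thread and not Atlassian code): it takes the form body copied from the browser's network tab and reports on RelayState and on `InResponseTo`, which an unsolicited (IdP-initiated) response must not carry. The function names, the sample POST, and the assumption that `<baseurl>` includes the `https://` scheme are illustrative; it is a diagnostic only and does not validate signatures.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
PORTAL_PATH = "/servicedesk/customer/portals"  # path quoted in the reply above


def check_idp_post(form_body: str, base_url: str) -> dict:
    """Inspect a captured HTTP-POST binding body (hypothetical helper)."""
    fields = parse_qs(form_body, keep_blank_values=True)
    relay = fields.get("RelayState", [None])[0]
    raw = base64.b64decode(fields["SAMLResponse"][0])
    # Refuse DTDs so entity-expansion tricks never reach the XML parser.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD in SAML response; refusing to parse")
    root = ET.fromstring(raw)
    if root.tag != SAMLP + "Response":
        raise ValueError("not a samlp:Response")
    expected = base_url.rstrip("/") + PORTAL_PATH
    findings = []
    if relay is None:
        findings.append("RelayState missing from the POST")
    elif relay.rstrip("/") != expected:
        findings.append(f"RelayState is {relay!r}, expected {expected!r}")
    if root.get("InResponseTo"):
        findings.append("InResponseTo present: this is an SP-initiated response")
    return {"relay_state": relay,
            "destination": root.get("Destination"),
            "findings": findings}


def constructed_post(relay):
    """Build a constructed sample POST body; all values are placeholders."""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'ID="_constructed" Version="2.0" '
           'Destination="https://sp.example.invalid/acs"/>')
    body = {"SAMLResponse": base64.b64encode(xml.encode()).decode()}
    if relay is not None:
        body["RelayState"] = relay
    return urlencode(body)


if __name__ == "__main__":
    base = "https://yourdomain.atlassian.net"  # placeholder domain from the thread
    for relay in (base + PORTAL_PATH, None, "https://internal.example.invalid/"):
        print(check_idp_post(constructed_post(relay), base)["findings"])
```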
Hi Roman,
I'm encountering the same issue. Have you been able to resolve this issue going forward?
Kind regards.
Not yet. We are still working with support to find a solution.
Hi Roman,
I was using Entra ID for IdP; this was resolved after I reviewed all URLs in my IdP and Atlassian. (screenshot below)
For Atlassian's side, I used the below mapping: