Not able to log in to Jira

Since last Friday, only two people have been unable to access Jira; the screen they get is in the attachment named "Jirauser".

 

We log in through SAML, and in AD the user login is successful except in Jira, but he is able to access other applications.

 

Please let us know if you need any more information

 

 

3 comments

Hi @Sairaj Naidu 

Do you have an error message or screenshot describing their error experience?

Regards,

Jon Espen

Kantega SSO

Jirauser.png

We can't log you in right now

This may be for a variety of reasons, we suggest trying again. If that doesn't work, contact your JIRA administrator for help.

Try again

Do you use a third-party SSO add-on to set up SAML in your Jira?

 

Also, do you see any error messages in your Jira application log related to this? If you do not have access to the Jira server, you can use the LastLog add-on to expose the logs in the Jira user interface.

 

Regards,
Jon Espen
Kantega SSO

2019-06-27 17:00:39,496 http-nio-8080-exec-47 ERROR anonymous 1020x3171806x1 suuf8t IP,IP /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received invalid SAML response: Signature validation failed. SAML Response rejected
com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: Signature validation failed. SAML Response rejected
at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:89)
at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48)
at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.extractSamlResponse(OneloginJavaSamlProvider.java:80)
at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:87)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
at com.atlassian.plugin.servlet.DelegatingPluginServlet.service(DelegatingPluginServlet.java:37)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
at com.atlassian.plugin.servlet.ServletModuleContainerServlet.service(ServletModuleContainerServlet.java:45)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
... 53 filtered
at com.atlassian.plugins.authentication.impl.web.filter.ErrorHandlingFilter.doFilter(ErrorHandlingFilter.java:83)
... 3 filtered
at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
... 58 filtered
at com.atlassian.jira.security.JiraSecurityFilter.lambda$doFilter$0(JiraSecurityFilter.java:66)
... 1 filtered
at com.atlassian.jira.security.JiraSecurityFilter.doFilter(JiraSecurityFilter.java:64)
... 36 filtered
at com.atlassian.jira.servermetrics.CorrelationIdPopulatorFilter.doFilter(CorrelationIdPopulatorFilter.java:30)
... 10 filtered
at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
... 4 filtered

It appears that the users are sent to OneLogin for authentication, and when they are redirected back to Jira your SSO product refuses to accept the SAML response message from OneLogin. The reason in your case is that the signature is not valid.

An invalid signature can mean you don't have the public key certificate of the IdP, so you can't validate its signature. Did you exchange metadata XML files as part of the OneLogin integration?

It is a bit strange if this only happens for two of your users. Is the error consistent, and does it always happen when these two users log in?

It looks like you use the native SAML features from Atlassian. I work for Kantega SSO, which provides alternative SSO solutions with more configuration options and user provisioning support. Please reach out if you continue to struggle getting the OneLogin integration right and are interested in evaluating alternative SSO solutions.

-Jon Espen
Kantega SSO

We are using SAML single sign-on by Microsoft for all users, but only two users have not been able to log in for the last 10 days; previously they were able to log in and it was working fine for them.

A useful tool for troubleshooting such problems is a browser add-on that can show the SAML messages. One such tool is the SAML Message Decoder for Chrome: https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm

You could try to install this and see whether there is something suspicious in the SAML request / response pair when the login fails. 

-Jon Espen
Kantega SSO
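
The same inspection can be done offline on a captured `SAMLResponse` form value. This is an added example, not part of the original thread and not code from Atlassian, Microsoft or Kantega; the function name, the sample response and the `idp.example.test` issuer are constructed for illustration. It reports which element carries the signature, the SHA-256 fingerprint of the embedded signing certificate (to compare against the IdP certificate configured in Jira) and which attributes contain non-ASCII characters.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder bytes stand in for a DER certificate.
FAKE_CERT_DER = b"constructed placeholder, not a real certificate"
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" xmlns:ds="%(ds)s">'
    '<saml:Issuer>https://idp.example.test/</saml:Issuer><saml:Assertion>'
    '<saml:Issuer>https://idp.example.test/</saml:Issuer>'
    '<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>' % NS
    + base64.b64encode(FAKE_CERT_DER).decode()
    + '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
    '<saml:AttributeStatement><saml:Attribute Name="displayname">'
    '<saml:AttributeValue>Zo\u00eb M\u00fcller</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="email">'
    '<saml:AttributeValue>zoe@example.test</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode("utf-8")).decode()

def inspect_saml_response(b64_response):
    """Summarise a SAMLResponse (HTTP-POST binding). Does NOT verify the signature."""
    xml_bytes = base64.b64decode(b64_response)
    # Refuse DTDs so entity-expansion tricks never reach the parser.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD found in SAML response, refusing to parse")
    root = ET.fromstring(xml_bytes)
    assertion = root.find("saml:Assertion", NS)
    # Fingerprints of embedded certs: compare with the configured IdP cert, never trust them.
    certs = [hashlib.sha256(base64.b64decode("".join(n.text.split()))).hexdigest()
             for n in root.iter("{%s}X509Certificate" % NS["ds"])]
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.iter("{%s}Attribute" % NS["saml"])}
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None
                            and assertion.find("ds:Signature", NS) is not None,
        "cert_sha256": certs,
        "non_ascii_attributes": sorted(
            name for name, vals in attrs.items() if any(not v.isascii() for v in vals)),
    }

if __name__ == "__main__":
    print(inspect_saml_response(SAMPLE_B64))
```

Run it on a response from a failing user and one from a working user; a difference in the certificate fingerprint or in which element is signed narrows down where validation diverges.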

Hi,

We found special characters in the Display name.

Due to that it is failing.

Can you please tell us how to solve special characters in Jira?

Thank you,

Sairaj

It is the Microsoft add-on which throws an error message at the parsing and validation of the SAML response here. I believe this happens before user record data is retrieved from Jira and that the problem is independent of both how the user records are stored and how special characters are handled in Jira.

-Jon Espen
Kantega SSO
