Not able to log in to Jira

Sairaj Naidu June 27, 2019

Since last Friday only two people unable to access Jira with the screen attachment name "Jirauser".

 

We login through SAML and in AD the user login is success except in jira but he able to access other application.

 

Please let us know if you need any more information

 

 

3 comments

Jon Espen Ingvaldsen Kantega SSO
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 27, 2019

Hi @Sairaj Naidu 

Do have an error message or screenshot describing their error experience?

Regards,

Jon Espen

Kantega SSO

Sairaj Naidu June 27, 2019

Jirauser.pngWe can't log you in right nowThis may be for a variety of reasons, we suggest trying again.
If that doesn't work, contact your JIRA administrator for help.Try again

Jon Espen Ingvaldsen Kantega SSO
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 27, 2019

Do you use a third party SSO add-on to setup SAML in your Jira?

 

Also, do you see any error messages in you Jira application log related to this? If you do not have access to the Jira server you can use the LastLog add-on to expose the logs in the Jira user interface.

 

Regards,
Jon Espen
Kantega SSO

Sairaj Naidu June 27, 2019

2019-06-27 17:00:39,496 http-nio-8080-exec-47 ERROR anonymous 1020x3171806x1 suuf8t IP,IP /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received invalid SAML response: Signature validation failed. SAML Response rejected
com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: Signature validation failed. SAML Response rejected
at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:89)
at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48)
at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.extractSamlResponse(OneloginJavaSamlProvider.java:80)
at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:87)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
at com.atlassian.plugin.servlet.DelegatingPluginServlet.service(DelegatingPluginServlet.java:37)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
at com.atlassian.plugin.servlet.ServletModuleContainerServlet.service(ServletModuleContainerServlet.java:45)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
... 53 filtered
at com.atlassian.plugins.authentication.impl.web.filter.ErrorHandlingFilter.doFilter(ErrorHandlingFilter.java:83)
... 3 filtered
at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
... 58 filtered
at com.atlassian.jira.security.JiraSecurityFilter.lambda$doFilter$0(JiraSecurityFilter.java:66)
... 1 filtered
at com.atlassian.jira.security.JiraSecurityFilter.doFilter(JiraSecurityFilter.java:64)
... 36 filtered
at com.atlassian.jira.servermetrics.CorrelationIdPopulatorFilter.doFilter(CorrelationIdPopulatorFilter.java:30)
... 10 filtered
at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
... 4 filtered

Jon Espen Ingvaldsen Kantega SSO
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 27, 2019

It appears that the users are sent to OneLogin for authentication, and when they are redirected back to Jira your SSO product denies to accept the SAML response message from OneLogin. The reason in your case is that the signature is not valid.

Invalid signature can mean you don't have the public key certificate of the IdP so you can't validate its signature. Did you exchange metadata xml files as part of the OneLogin integration?

It is a bit strange if this only happens for two of your users. Is the the error consistent, and does it always happen when these two users login?

It looks like you use the native SAML features from Atlassian. I work for Kantega SSO, which provide alternative SSO solutions with more configuration options and user provisioning support. Please reach out if you continue to struggle getting the OneLogin integration right and is interested in evaluating alternative SSO solutions.

-Jon Espen
Kantega SSO

Sairaj Naidu June 27, 2019

We are using SAML single sign-on by Microsoft for all users but only two users are not able to login from 10 days and previously there are able to login and working fine for them

Jon Espen Ingvaldsen Kantega SSO
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 27, 2019

A useful tool for troubleshooting such problems is to use Browser addons that can show the SAML messages. One such tool the SAML Message Decoder for Chrome https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm

You could try to install this and see whether there is something suspicious in the SAML request / response pair when the login fails. 

-Jon Espen
Kantega SSO

Sairaj Naidu June 27, 2019

Hi,

We found special characters in Display name.

Due to that it is failing.

can you please tell how to solve special characters in Jira.

Thank you,

Sairaj

Jon Espen Ingvaldsen Kantega SSO
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 28, 2019

It is the Microsoft add-on which throws an error message at the parsing and validation of the SAML response here. I believe this happens before user record data is retrieved from Jira and that the problem is independent of both how the user records stored and special characters are handled in Jira. 

-Jon Espen
Kantega SSO

Comment

Log in or Sign up to comment
TAGS
AUG Leaders

Atlassian Community Events