Problem

We are using JIRA/Confluence/Bitbucket. At the end of the SAML authentication process, a user receives the error message: ...Response ID XXX has already been used...

The log shows the following message:

/plugins/servlet/samlsso [c.r.a.samlsso.servlet.SamlSsoServlet] SAML Processor threw exception
com.resolution.samlprocessor.SAMLProcessorException: com.resolution.samlprocessor.SAMLProcessorException: com.resolution.samlprocessor.SAMLProcessorException: Response ID XXX has already been used.

Solution

This error is triggered by the response uniqueness security check, which rejects a SAMLResponse if the response's ID has already been used in the last hour.

To fix this issue quickly: Deactivate the security check *Enforce response uniqueness* in the plugin configuration under *Advanced Settings*; the problem should then disappear. Be aware that disabling this check opens a small security risk, because a SAMLResponse whose ID has already been used is then no longer rejected by this check.

To find the root cause: Check why this user is sending the same SAML Response ID multiple times. In the default Single Sign On process, the ID should always be a new one. Ensure the Identity Provider and proxy settings are correct, so that the SAML Response sent to SAML Single Sign On is not edited or falsified.

You can find the SAML Response ID directly in the first line:

{code}
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://jira-baseurl/plugins/servlet/samlsso" ID="_702f7782-de9f-426c-ae0c-84a07695732a".......
{code}

The SAML Response is written to the JIRA log if DEBUG logging is enabled:
https://wiki.resolution.de/display/SSSO/Troubleshooting
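
To see why a resent response is rejected and when the same ID would pass again, the following added example (not the plugin's code) extracts the ID from a base64-encoded SAMLResponse and applies a one-hour uniqueness window. The names `response_id`, `ResponseIdCache` and `make_sample`, the in-memory cache and the sample responses are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP_RESPONSE = "{urn:oasis:names:tc:SAML:2.0:protocol}Response"
WINDOW_SECONDS = 3600  # "in the last hour", as described above


def response_id(saml_response_b64):
    """Return the ID attribute of a base64-encoded (HTTP-POST binding) SAMLResponse."""
    # Diagnostic use on responses taken from your own log; not a hardened parser.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != SAMLP_RESPONSE:
        raise ValueError("root element is not samlp:Response")
    rid = root.get("ID")
    if not rid:
        raise ValueError("Response has no ID attribute")
    return rid


class ResponseIdCache:
    """Remembers response IDs for one hour and flags any reuse inside that window."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.seen = {}  # response ID -> time it was first accepted

    def accept(self, rid, now):
        # Forget IDs older than the window so the cache stays bounded.
        self.seen = {i: t for i, t in self.seen.items() if now - t < self.window}
        if rid in self.seen:
            return False  # the case reported as "Response ID ... has already been used"
        self.seen[rid] = now
        return True


def make_sample(rid):
    """Constructed sample input: a minimal, unsigned Response, base64-encoded."""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'Destination="https://jira-baseurl/plugins/servlet/samlsso" ID="%s"/>' % rid)
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    cache = ResponseIdCache()
    # (seconds, SAMLResponse): the same response is posted again after 40 s and after 4000 s.
    posts = [(0, make_sample("_example-1")), (40, make_sample("_example-1")), (4000, make_sample("_example-1"))]
    for t, body in posts:
        rid = response_id(body)
        print(t, rid, "accepted" if cache.accept(rid, t) else "rejected: already used")
```

Feeding it the SAMLResponse values captured with DEBUG logging shows whether the affected user's browser or a proxy in front of the application is posting the same response twice.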