Important Update Effective February 1, 2024!
Due to recent changes in Jira and Confluence, we've made the tough decision to discontinue the OpenID Connect (OIDC)/OAuth app and no longer provide new versions for the newest Jira/Confluence releases as of January 31, 2024.
This is due to some necessary components no longer shipping with Jira/Confluence, which would require some extensive rewrites of the OIDC App.
Error: Response ID XXX has already been used.
Problem
We are using Jira / Confluence / Bitbucket Server or Data Center. At the end of the SAML authentication process a user receives the error message:
Response ID XXX has already been used
The log shows the following message:
/plugins/servlet/samlsso [c.r.a.samlsso.servlet.SamlSsoServlet] SAML Processor threw exception
com.resolution.samlprocessor.SAMLProcessorException: com.resolution.samlprocessor.SAMLProcessorException: com.resolution.samlprocessor.SAMLProcessorException: Response ID XXX has already been used.Solution
This error is triggered by the response uniqueness security check. It rejects a SAML Response if the response's ID has already been used in the last hour.
To temporarily fix the issue: Deactivate the security check Enforce response uniqueness in the SAML SSO plugin configurations under Service Provider → Security
Disabling this check makes the instance vulnerable to replay attacks and should hence not be used other than for workaround purposes,
until the main root cause has been fixed (see below).
To fix the main issue: Check why this user is using the same SAML Response ID multiple times. In the default Single Sign On process, the ID should always be a new one.
Make sure that the Identity Provider and proxy settings are correct, so the SAML Response sent to the instance using SAML Single Sign On is always unique.
You can find the SAML Response ID in the first line of the SAML response:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://jira-baseurl/plugins/servlet/samlsso" ID="_702f7782-de9f-426c-ae0c-84a07695732a" ...The SAML Response is written to every authentication tracker ( read here: Troubleshooting) or to the Atlassian log file, if DEBUG logging is enabled (Enable detailed logging v2.0.x).