Error: Expected SAML-message urn:oasis:names:tc:SAML:2.0:status:Success, but urn:oasis:names:tc:SAML::2.0:status:Responder
Problem
At the end of the SAML authentication process, the user gets the following error message:
Expected SAML-message with status urn:oasis:names:tc:SAML:2.0:status:Success, but the status was urn:oasis:names:tc:SAML::2.0:status:Responder
Solution
To complete an SSO authentication, the SAML add-on must receive the SAML Response status code urn:oasis:names:tc:SAML:2.0:status:Success from the Identity Provider.
The status urn:oasis:names:tc:SAML:2.0:status:Responder indicates that the Identity Provider blocked the authentication because of wrong or missing user permissions or service provider configuration.
If only one/a couple of users are affected
Check the user's permissions at the Identity Provider. In most cases, the permission to access the SAML SSO service provider is missing, which leads to this error.
If (almost) all users are affected
- Very often, SAML SSO specific information is missing from the Service Provider configuration on the Identity Provider. In this case, please update your Identity Provider with the newest SAML SSO metadata information (...plugins/servlet/samlsso/metadata).
- SAML Request signing can sometimes lead to Responder error messages. Try turning it off and check whether it helps:
  - Disable the Sign Authentication Requests checkbox (SAML SSO configurations -> Identity Providers -> Security Settings).
  - Switch to the Service Provider settings and disable the Include Signing Certificate in Metadata checkbox (under Signing and encryption).
  - Update the SAML SSO Service Provider settings on your Identity Provider with the changed SAML SSO metadata information. (For ADFS: Select the associated Relying Party -> Update from Federation Metadata... Ensure that after updating, the signature is correctly removed and now empty: Relying Party properties -> Signature.)
  - Try the Single Sign On again.

Turning off SAML Request signing is not recommended, because it reduces the security of the authentication. We highly recommend turning it on again after your tests. If the problem is actually related to request signing, please have a look at your Identity Provider's settings and logs and try to figure out why it does not support or accept signed authentication requests. For additional help, create a support request in our customer portal and attach your Identity Provider log file to the request: Customer Portal
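To see exactly what the Identity Provider sent back, the following added example (not part of the SAML add-on) decodes a SAMLResponse form value as used in the HTTP-POST binding and reads its status. It goes slightly beyond the text above by also reading the optional second-level StatusCode and StatusMessage that SAML 2.0 allows, which often narrow down why a Responder status was returned. The function name and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"
NS = {"samlp": SAMLP}


def read_saml_status(saml_response_b64):
    """Return status, sub-status and message of a SAML Response.

    Input is the base64 SAMLResponse form field (HTTP-POST binding).
    """
    xml_bytes = base64.b64decode(saml_response_b64)
    # The response comes from outside: refuse DTDs so entity
    # declarations never reach the XML parser.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not allowed")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    if top is None:
        raise ValueError("Response has no Status/StatusCode")
    sub = top.find("samlp:StatusCode", NS)  # optional second-level code
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    return {
        "status": top.get("Value"),
        "sub_status": sub.get("Value") if sub is not None else None,
        "message": (msg.text or "").strip() if msg is not None else None,
        "success": top.get("Value") == STATUS_PREFIX + "Success",
    }


# Constructed sample: a response in which the IdP rejects the request.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Constructed example message</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for key, value in read_saml_status(SAMPLE_B64).items():
        print("%-10s %s" % (key, value))
```

This only reads the status for troubleshooting; it does not verify the response signature and is not a substitute for the add-on's own validation.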