Error: Expected SAML-message urn:oasis:names:tc:SAML:2.0:status:Success, but urn:oasis:names:tc:SAML::2.0:status:Responder
Problem
At the end of the SAML authentication process, the user gets the following error message:
Expected SAML-message with status urn:oasis:names:tc:SAML:2.0:status:Success, but the status was urn:oasis:names:tc:SAML::2.0:status:Responder
Solution
To complete an SSO authentication, the SAML add-on for Atlassian Data Center and Server applications must receive a SAML Response with the status code urn:oasis:names:tc:SAML:2.0:status:Success from the Identity Provider.
The status urn:oasis:names:tc:SAML:2.0:status:Responder indicates that the Identity Provider blocked the authentication, either because the user lacks the required permissions or because the Service Provider configuration on the Identity Provider is wrong or incomplete.
If only one/a couple of users of the Atlassian Data Center app are affected
Check the user's permissions at the Identity Provider. In most cases the user has not been granted access to the SAML SSO service provider, which leads to this error.
Below are some examples of what you see in the SAML Response, which you can check in the Authentication Tracker of a failed login.
Look for the samlp:StatusCode and/or samlp:StatusMessage tags in the SAML Response (inside the samlp:Status element, under the samlp:Response tag). The more specific reason is usually given by a second samlp:StatusCode nested inside the top-level Responder status code.
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
  </samlp:StatusCode>
  <samlp:StatusMessage>Authentication Failed</samlp:StatusMessage>
  <samlp:StatusMessage>Sorry! you are not authorized</samlp:StatusMessage>
  <samlp:StatusDetail>
    <Cause>org.sourceid.saml20.domain.AuthorizationException: Authorization failed (Sorry! you are not authorized)</Cause>
  </samlp:StatusDetail>
If (almost) all users of the Atlassian Data Center app are affected
Very often, SAML SSO specific information is missing from the Service Provider configuration on the Identity Provider. In this case, update your Identity Provider with the newest SAML SSO metadata (...plugins/servlet/samlsso/metadata).
Here is an example of what you see in the SAML Response in the Authentication Tracker of a failed login:
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
  </samlp:StatusCode>
  <samlp:StatusMessage>The AuthnRequest could not be validated</samlp:StatusMessage>
Signing the SAML Request can sometimes lead to Responder error messages. To test whether this is the cause, turn it off temporarily:
- Disable the Sign Authentication Requests checkbox (SAML SSO configurations -> Identity Providers -> Security Settings).
- Switch to the Service Provider settings and disable the Include Signing Certificate in Metadata checkbox (under Signing and encryption).
- Update the SAML SSO Service Provider settings on your Identity Provider with the changed SAML SSO Metadata information (for ADFS: select the associated Relying Party -> Update from Federation Metadata... Ensure that after updating, the Signature is correctly removed and now empty: Relying Party properties -> Signature).
Try the Single Sign On again.
Turning off SAML Request signing is not recommended, because it reduces the security of the authentication. We highly recommend turning it on again after your tests. If the problem is actually related to request signing, have a look at your Identity Provider's settings and logs and try to figure out why it does not support or accept signed authentication requests. For additional help, create a support request in our customer portal and attach your Identity Provider log file to the request.
The NameID Format in the request is not correct. This can be seen from the following status code in the SAML Response:
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
  </samlp:StatusCode>
In that case, please do the following:
- Go to the SAML SSO configuration page
- In the Identity Providers tab, scroll down to the Request settings section
- For NameIdFormat in Request choose NONE
- Save the configuration
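The status checks described in all three cases above (user permissions, Service Provider metadata, NameID format) can be done with a small script instead of reading the Authentication Tracker by hand. The following Python example is added here and is not part of the original article or the SAML SSO add-on; the SAML Response it parses is constructed, and the HINTS table simply maps the nested status codes to the causes named in this article.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"

# Second-level status code -> likely cause, following the cases in this article.
HINTS = {
    STATUS + "AuthnFailed": "user-level: check the user's permissions at the Identity Provider",
    STATUS + "RequestDenied": "SP config: update the IdP with current SAML SSO metadata; test with request signing off",
    STATUS + "InvalidNameIDPolicy": "NameID: set 'NameIdFormat in Request' to NONE",
}

# Constructed sample of a failed response (not a real Authentication Tracker capture).
SAMPLE_FAILED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Sorry! you are not authorized</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

# Constructed sample of a successful response.
SAMPLE_SUCCESS = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>"""


def parse_status(response_xml):
    """Return (top_status, nested_status, message, hint) for a SAML Response."""
    root = ET.fromstring(response_xml)
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        raise ValueError("no samlp:Status element in the response")
    top = status.find(f"{{{SAMLP}}}StatusCode")
    top_value = top.get("Value") if top is not None else None
    # The specific reason for a Responder status is the nested StatusCode, if any.
    nested = top.find(f"{{{SAMLP}}}StatusCode") if top is not None else None
    nested_value = nested.get("Value") if nested is not None else None
    msg_el = status.find(f"{{{SAMLP}}}StatusMessage")
    message = msg_el.text.strip() if msg_el is not None and msg_el.text else None
    if top_value == STATUS + "Success":
        hint = "success"
    else:
        hint = HINTS.get(nested_value, "unknown: inspect the Identity Provider logs")
    return top_value, nested_value, message, hint
```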