Error: Reading SAMLResponse failed: <Audience URI> is not a valid audience for this Response
Problem
After upgrading to SAML Single Sign-On version 6.x, a user receives an error on the application side after authenticating with the Identity Provider.
The application logs show the following message.
/plugins/servlet/samlsso [c.o.saml2.authn.SamlResponse] <Audience URI> is not a valid audience for this Response
This error means that the Audience in the SAML response sent by the Identity Provider does not match the Entity-ID configured in the plugin. By default, the Entity-ID of the service provider in the plugin configuration is <Base-URL>/plugins/servlet/samlsso, but this is configurable in the Service Provider configuration tab.
The plugin only accepts the SAML response when the Audience matches the Entity-ID exactly.
Solution
To fix this problem, correct the configuration on the Identity Provider side so that the Audience it sends equals the Entity-ID configured in the plugin. In most Identity Providers the field where you define the Audience is called Identifier (Entity ID) or Audience URI (SP Entity ID).
Background
What is the Audience Restriction?
Audience Restriction defines a value within the SAML assertion that specifies who (and only who) the assertion is intended for. The "audience" will be the service provider and is typically a URL but can technically be formatted as any string of data.
Why did this problem not come up in earlier versions of the plugin?
Prior to version 6, our plugin did not check the Audience that is sent in the SAML response. Since version 6, we use other SAML libraries that better implement the SAML standard, and this Audience URI is now checked.
How can I check what Audience is sent by the IdP?
The <Audience URI> in the error message tells you what has been configured on the Identity Provider side.
Where can I find the expected Audience value in the SAML plugin?
In our SAML Single Sign-On plugin configuration, click the "Show IdP Information" button at the top right. There, look for the Entity-ID, which by default is <Base-URL>/plugins/servlet/samlsso.