Problem

We are using Jira/Confluence/Bitbucket. At the end of the SAML authentication process, a user receives the error message:
Response ID XXX has already been used

The log shows the following message:

/plugins/servlet/samlsso [c.r.a.samlsso.servlet.SamlSsoServlet] SAML Processor threw exception
com.resolution.samlprocessor.SAMLProcessorException: com.resolution.samlprocessor.SAMLProcessorException: com.resolution.samlprocessor.SAMLProcessorException: Response ID XXX has already been used.

Solution

This error is triggered by the response uniqueness security check. It rejects a SAML Response if the response's ID has already been used in the last hour.

To temporarily fix the issue: Deactivate the security check Enforce response uniqueness in the SAML SSO plugin configuration under Service Provider → Security.

Disabling this check makes the instance vulnerable to replay attacks, so it should only be used as a workaround until the root cause has been fixed (see below).

To fix the main issue: Check why this user is using the same SAML Response ID multiple times. In the default Single Sign On process, the ID should always be a new one.
Make sure that the Identity Provider and proxy settings are correct, so the SAML Response sent to the instance using SAML Single Sign On is always unique.

You can find the SAML Response ID in the first line of the SAML response:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://jira-baseurl/plugins/servlet/samlsso" ID="_702f7782-de9f-426c-ae0c-84a07695732a" ...

The SAML Response is written to every authentication tracker (read here: Troubleshooting) or to the Atlassian log file if DEBUG logging is enabled (Enable detailed logging v2.0.x).
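The following is an added example, not the plugin's own code: a minimal model of the uniqueness check described above that reads the ID from the samlp:Response element and rejects an ID seen within the last hour. The names response_id, ResponseIdCache, sample_response and demo are hypothetical, and the sample responses are constructed.

```python
import xml.etree.ElementTree as ET

SAMLP_RESPONSE = "{urn:oasis:names:tc:SAML:2.0:protocol}Response"
WINDOW_SECONDS = 3600  # the page states an ID counts as used for the last hour

def response_id(xml_text):
    """Return the ID attribute of the top-level samlp:Response element."""
    # Intended for responses you captured yourself while troubleshooting.
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP_RESPONSE or not root.get("ID"):
        raise ValueError("not a SAML 2.0 Response with an ID attribute")
    return root.get("ID")

class ResponseIdCache:
    """Remembers Response IDs for a time window and flags reuse (a model only)."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._seen = {}  # Response ID -> Unix time it was first accepted

    def check(self, xml_text, now):
        """Return (accepted, response_id) for a response received at time now."""
        rid = response_id(xml_text)
        # Forget IDs older than the window so the cache stays bounded.
        self._seen = {k: t for k, t in self._seen.items() if now - t < self.window}
        if rid in self._seen:
            return False, rid  # "Response ID ... has already been used"
        self._seen[rid] = now
        return True, rid

def sample_response(rid):
    """Build a constructed, unsigned Response carrying only what the check reads."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'Destination="https://jira-baseurl/plugins/servlet/samlsso" '
        f'ID="{rid}" Version="2.0"/>'
    )

def demo():
    cache = ResponseIdCache()
    first = sample_response("_702f7782-de9f-426c-ae0c-84a07695732a")
    return [
        cache.check(first, now=0),     # new ID: accepted
        cache.check(first, now=600),   # same ID 10 minutes later: rejected
        cache.check(sample_response("_constructed-2"), now=700),  # new ID
        cache.check(first, now=3600),  # first ID has aged out of the window
    ]
```

Feeding the responses from the authentication trackers through check in arrival order shows whether the Identity Provider or a proxy is delivering the same Response more than once.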