The Assertion of the Response is not signed and the SP requires it
問題
When logging in with SAML for Data Center you can't authenticate and receive the following error in the atlassian-bitbucket.log.
2017-09-21 12:26:11,880 ERROR [http-nio-7990-exec-2] @1MAHJEQx746x27x0 16nwgem 172.18.0.1,172.18.0.3 "POST /plugins/servlet/samlconsumer HTTP/1.1" c.a.p.a.i.w.f.ErrorHandlingFilter Received invalid SAML response: The Assertion of the Response is not signed and the SP requires it
com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: The Assertion of the Response is not signed and the SP requires it
at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:89)
at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48)
at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.extractSamlResponse(OneloginJavaSamlProvider.java:80)
at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:87)
at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
at com.atlassian.analytics.client.filter.UniversalAnalyticsFilter.doFilter(UniversalAnalyticsFilter.java:92)
at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:39)
at com.atlassian.plugins.authentication.impl.web.filter.ErrorHandlingFilter.doFilter(ErrorHandlingFilter.java:8
(truncated)
原因
- The IDP signs the Response only, but not the Assertion. Currently Bitbucket requires the Assertion to be signed, so once the issuer check passes, the authentication fails with an error: "The Assertion of the Response is not signed and the SP requires it".
- Trailing whitespace characters for
com.atlassian.plugins.authentication.samlconfig.sso-issuerandcom.atlassian.plugins.authentication.samlconfig.sso-url.
ソリューション
- Configure the SAML identity provider to provide a signed Assertion.There should be a drop down option similar to the below:
- Remove any white spaces in Bitbucket's SAML configuration.
最終更新日 2017 年 11 月 10 日
Powered by Confluence and Scroll Viewport.