Azure users unable to log in when integrated with Confluence Data Center via SSO 2.0
プラットフォームについて: Data Center のみ - この記事は、Data Center プラットフォームのアトラシアン製品にのみ適用されます。
この KB は Data Center バージョンの製品用に作成されています。Data Center 固有ではない機能の Data Center KB は、製品のサーバー バージョンでも動作する可能性はありますが、テストは行われていません。サーバー*製品のサポートは 2024 年 2 月 15 日に終了しました。サーバー製品を利用している場合は、アトラシアンのサーバー製品のサポート終了のお知らせページにて移行オプションをご確認ください。
*Fisheye および Crucible は除く
要約
After following KB How to integrate Confluence Data Center with Azure for SAML 2.0 SSO, Azure users receive a generic "We can't log you in right now" error message when trying to log into Confluence.
環境
- Azure Active Directory
- SSO for Atlassian Server and Data CenterData Center SSO 2.0 plugin
診断
For a given user encountering this situation while logging in, the following error appears in the application logs:
2021-12-22 19:01:27,386 ERROR [http-nio-8080-exec-5] [impl.web.filter.ErrorHandlingFilter] logException [UUID: 79a91343-3bf8-4cfb-a562-022612ebe316] Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found
-- referer: https://login.microsoftonline.com/ | url: /plugins/servlet/samlconsumer | traceId: e905ee736246ea42 | userName: anonymous
com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.JitException: Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found
at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapGroups(SamlUserDataFromIdpMapper.java:56)
at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapUser(SamlUserDataFromIdpMapper.java:28)
at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:105)
Investigate the SAML attributes being sent to Confluence by using a tool such as SAML Chrome Panel. Normally, the SAML reply will contain the following attribute along with a list of groups:
<Attribute Name=\"http://schemas.microsoft.com/ws/2008/06/identity/claims/groups\"><AttributeValue>
Instead of this particular attribute, however, you note that the following attribute is present for the user:
<Attribute Name=\"http://schemas.microsoft.com/claims/groups.link\"><AttributeValue>
原因
Based on Microsoft's SAML token claims reference, the groups.link attribute is a Group Overage Indicator indicating that the number of groups associated with the user exceeded a limit of 150.
As a result, this scenario has been documented in the following bug:
ソリューション
As a possible workaround, consider adding the user ID to an application only group and reconfiguring each user's group claim to application access only (ie. User.Groups[ApplicationGroup]). Also, ensure that this group has appropriate global permissions within the Atlassian application.