要約

After configuring JIT user provisioning, login fails with an error similar to: "Attribute [jira-software-users] could not be found". 

環境

Jira Data Center with SAML SSO for Jira Data Center applications enabled. 

診断

When attempting to log in after configuring SAML SSO for Jira Data Center, login fails and an error similar to the example below is seen in the atlassian-jira.log file:

2021-08-23 19:00:00,446+0000 http-nio-8080-exec-45 ERROR anonymous - /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Attribute [jira-software-users] could not be found
com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.JitException: Attribute [jira-software-users] could not be found
at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapGroups(SamlUserDataFromIdpMapper.java:64)
at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapUser(SamlUserDataFromIdpMapper.java:36)
at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:102)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:652)

原因

The JIT provisioning field 'Groups' does not support mapping expressions and requires only the name of an attribute/claim containing a list of group names. In this example, 'jira-software-users' is a value passed for the group attribute from the Identity Provider (IDP) that contains a list of group names. This problem will continue so long as the JIT provisioning field 'Groups' does not contain the correct attribute name. 

ソリューション

Change the JIT provisioning field 'Groups' to the name of the attribute configured on the IDP that contains a list of group names. 

その他の注意事項

SAMLDC-77 - 課題情報を取得中... ステータス

Since groups synchronized to Atlassian applications can be used to assign permissions (project, space, etc), some group names from the IdP might not be easily recognized by users. i.e. Azure AD + JIT.