Received invalid SAML response: A valid SubjectConfirmation was not found on this Response: SubjectConfirmationData doesn't match a valid Recipient


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible



Symptoms

After configuring SAML on JIRA Data Center, the following error may be observed in atlassian-jira.log:

2018-01-25 23:02:01,537 http-nio-8080-exec-13 ERROR USERABC 1382x101603x4 xxxxxx 10.0.0.10,10.0.1.10 /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received invalid SAML response: A valid SubjectConfirmation was not found on this Response: SubjectConfirmationData doesn't match a valid Recipient
com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: A valid SubjectConfirmation was not found on this Response: SubjectConfirmationData doesn't match a valid Recipient
	at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:72)
	at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48)
	at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.extractSamlResponse(OneloginJavaSamlProvider.java:63)
	at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:97)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	at com.atlassian.plugin.servlet.DelegatingPluginServlet.service(DelegatingPluginServlet.java:37)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	at com.atlassian.plugin.servlet.ServletModuleContainerServlet.service(ServletModuleContainerServlet.java:45)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	... 52 filtered
	at com.atlassian.plugins.authentication.impl.web.filter.ErrorHandlingFilter.doFilter(ErrorHandlingFilter.java:83)
	... 3 filtered
	at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
	... 58 filtered
	at com.atlassian.jira.security.JiraSecurityFilter.lambda$doFilter$0(JiraSecurityFilter.java:76)
	... 1 filtered
	at com.atlassian.jira.security.JiraSecurityFilter.doFilter(JiraSecurityFilter.java:74)
	... 37 filtered
	at com.atlassian.jira.servermetrics.CorrelationIdPopulatorFilter.doFilter(CorrelationIdPopulatorFilter.java:30)
	... 10 filtered
	at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
	... 4 filtered
	at com.atlassian.web.servlet.plugin.LocationCleanerFilter.doFilter(LocationCleanerFilter.java:36)
	... 29 filtered
	at com.atlassian.jira.servermetrics.MetricsCollectorFilter.doFilter(MetricsCollectorFilter.java:25)
	... 27 filtered
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)

Diagnosis

Environment

  • JIRA Data Center with SAML configured

Diagnostic Steps

  • Capture the SAML Response by following "How to view a SAML response in your browser for troubleshooting"
  • Verify the Recipient attribute under SubjectConfirmationData, for example:

    <saml2:SubjectConfirmationData InResponseTo="_88cexxxxx-xx00-4xxd-bxxd-xxxxxxxxx"
                                   NotOnOrAfter="2016-09-14T13:40:14.351Z"
                                   Recipient="http://pp:5990/product/plugins/servlet/samlconsumer"/>
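
One way to script the Recipient check above (an added example, not Atlassian's code): it decodes a captured base64 SAMLResponse value, reads each SubjectConfirmationData Recipient and names the URL components that differ from the expected consumer URL. It assumes the expected value is the Jira base URL followed by /plugins/servlet/samlconsumer; jira.example.com and the function names are hypothetical, and the sample response is constructed.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ASSERTION_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
CONSUMER_PATH = "/plugins/servlet/samlconsumer"  # path shown in the log line and sample


def url_mismatches(got, want):
    """Name each URL component where `got` differs from `want`."""
    if got is None:
        return ["Recipient attribute missing"]
    g, w = urlsplit(got), urlsplit(want)
    parts = [("scheme", g.scheme, w.scheme), ("host", g.hostname, w.hostname),
             ("port", g.port, w.port), ("path", g.path, w.path)]
    return [f"{name}: got {a!r}, expected {b!r}" for name, a, b in parts if a != b]


def check_recipients(saml_response_b64, jira_base_url):
    """Return [(recipient, [mismatches])] for every SubjectConfirmationData element."""
    xml = base64.b64decode(saml_response_b64)
    # A SAML message has no reason to carry a DTD; refuse it before parsing.
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD in SAML response; refusing to parse")
    want = jira_base_url.rstrip("/") + CONSUMER_PATH  # assumed expected Recipient
    root = ET.fromstring(xml)
    return [(el.get("Recipient"), url_mismatches(el.get("Recipient"), want))
            for el in root.iter(ASSERTION_NS + "SubjectConfirmationData")]


# Constructed sample: minimal response reusing the Recipient from the snippet above.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Assertion>'
    '<saml2:Subject><saml2:SubjectConfirmation '
    'Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml2:SubjectConfirmationData NotOnOrAfter="2016-09-14T13:40:14.351Z" '
    'Recipient="http://pp:5990/product/plugins/servlet/samlconsumer"/>'
    '</saml2:SubjectConfirmation></saml2:Subject></saml2:Assertion></samlp:Response>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    # jira.example.com is a hypothetical base URL
    for recipient, problems in check_recipients(SAMPLE_B64, "https://jira.example.com/"):
        print(recipient, "->", problems or "matches")
```

The script only compares URLs for troubleshooting; it does not validate the response signature or its conditions.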

Cause

This indicates that the Recipient of the SubjectConfirmationData section received in the SAML Response does not match the URL used in Jira. It can be caused by either:

  1. A mismatch of the base URL configured in the server.xml.
    OR
  2. The wrong connector ("JIRA (On-prem)") being used on the OneLogin side.

Solution

Ensure the Recipient of the SubjectConfirmationData returned in the SAML response matches the URL used in Jira.

Resolution for Cause 1
  • Ensure the base URL used in Jira and the proxyName parameter in server.xml match.
Resolution for Cause 2
  • Use the "SAML Test Connector (Advanced)" at OneLogin to configure the integration


Last modified on April 5, 2021
