Users can't log in using SSO after Atlassian SSO plugin upgrade
About the platform: Data Center - This article applies to Atlassian products on the Data Center platform.
This knowledge base article is written for the Data Center version of the product. Data Center knowledge base articles for features that are not Data Center-specific may also work with the Server version of the product, but they have not been tested. Support for Server* products ended on February 15, 2024. If you are using a Server product, check the Atlassian Server end-of-support announcement page for migration options.
*Excluding Fisheye and Crucible
Summary
After manually updating Atlassian's SSO for Atlassian Server and Data Center plugin to version 4.0+, or upgrading Jira from version 8.6.x or earlier to 8.7+, users are no longer able to log in using SAML/OIDC, and the following errors can be found in atlassian-jira.log:
2021-05-13 11:30:54,145-0400 https-jsse-nio-8443-exec-18 ERROR anonymous 690x11x1 xxxxxxx xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received SSO request for user xxxxxx, but the user does not exist
com.atlassian.plugins.authentication.impl.web.usercontext.AuthenticationFailedException: Received SSO request for user xxxxxx, but the user does not exist
2020-07-20 15:53:01,400+0000 http-nio-8080-exec-117 ERROR anonymous 953x39481x1 xxxxxxx .xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx /plugins/servlet/oidc/callback [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received SSO request for user preferred_username, but the user does not exist
com.atlassian.plugins.authentication.impl.web.usercontext.AuthenticationFailedException: Received SSO request for user preferred_username, but the user does not exist
Environment
- Atlassian's SSO for Atlassian Server and Data Center plugin version 4.0.0+.
- Jira 8.7+, which bundles the above by default.
Cause
Version 4.0.0 of the Atlassian SSO for Atlassian Server and Data Center plugin introduced the option to specify a custom username attribute (version 4.1.0 built on this by adding mapping expressions for the username attribute), which allows more flexibility when using Jira with SAML/OIDC.
Incorrect mapping
As a result of this change, when the attribute selected from the IdP is not in the same format as the existing Jira usernames (for example, 'jdoe' in Jira vs. 'jdoe@company.com' on the IdP), the login fails because Jira does not recognize the username provided by the IdP as a valid user.
Static username
Similarly, if you are on version 4.1.0+ and are not using the proper mapping expression syntax '${attribute_name}', Jira uses the literal name of the field, as seen in the second message example above: 'preferred_username' was used by Jira as a static username for all users, rather than the value stored in the 'preferred_username' attribute on the IdP side.
Diagnosis
Verify which usernames are being recorded in the "Received SSO request for user xxxxxx, but the user does not exist" entries in atlassian-jira.log. If either of the following is true, you can proceed with the Solution steps:
- The value written to the logs is static (i.e. the same username, possibly an attribute name, is used for login attempts from different users).
- The format of the usernames printed in the logs differs from the one stored in the user_name column of the cwd_user table in the Jira database (e.g. email vs. user id).
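As an added example (not part of the Atlassian article), the following Python script applies the two diagnosis checks above to atlassian-jira.log text: it extracts the usernames from the "user does not exist" errors, flags a single value repeated across attempts as the static-username case, and compares the shape of the logged values with a list of cwd_user.user_name values. The sample log lines and the username list are constructed for the example.

```python
import re
from collections import Counter

# Matches the ErrorHandlingFilter message shown in this article's log excerpts.
SSO_USER_MISSING = re.compile(
    r"Received SSO request for user (?P<user>[^,\s]+), but the user does not exist"
)

# Constructed sample log lines (not from a real instance); only the tail of each
# line matters for the pattern, so the request-id and IP fields are shortened.
SAMPLE_LOG_STATIC = """\
2021-05-13 11:30:54,145-0400 https-jsse-nio-8443-exec-18 ERROR anonymous 690x11x1 - 10.0.0.5 /plugins/servlet/oidc/callback [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received SSO request for user preferred_username, but the user does not exist
2021-05-13 11:31:02,010-0400 https-jsse-nio-8443-exec-19 ERROR anonymous 691x12x1 - 10.0.0.6 /plugins/servlet/oidc/callback [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received SSO request for user preferred_username, but the user does not exist
2021-05-13 11:31:40,330-0400 https-jsse-nio-8443-exec-20 ERROR anonymous 692x13x1 - 10.0.0.7 /plugins/servlet/oidc/callback [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received SSO request for user preferred_username, but the user does not exist
"""
SAMPLE_LOG_MISMATCH = """\
2021-05-13 11:30:54,145-0400 https-jsse-nio-8443-exec-18 ERROR anonymous 690x11x1 - 10.0.0.5 /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received SSO request for user jdoe@company.com, but the user does not exist
2021-05-13 11:31:02,010-0400 https-jsse-nio-8443-exec-19 ERROR anonymous 691x12x1 - 10.0.0.6 /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received SSO request for user asmith@company.com, but the user does not exist
"""
# Constructed stand-in for the result of: SELECT user_name FROM cwd_user;
JIRA_USERNAMES = ["jdoe", "asmith", "bwong"]

def extract_sso_usernames(log_text):
    """Return every username named in a 'user does not exist' SSO error, in log order."""
    return [m.group("user") for m in SSO_USER_MISSING.finditer(log_text)]

def classify_failure(usernames, jira_usernames, min_attempts=3):
    """Map the logged usernames to one of the two causes described in this article.
    'static-username' : one value repeated across many attempts, typically the bare
                        attribute name configured without ${...} on plugin 4.1.0+
    'format-mismatch' : IdP sends a different shape (e.g. e-mail) than cwd_user.user_name
    Heuristic only: a single user retrying with a mismatched format would look static.
    """
    if not usernames:
        return "no-errors"
    counts = Counter(usernames)
    if len(counts) == 1 and sum(counts.values()) >= min_attempts:
        return "static-username"
    jira_uses_email = any("@" in u for u in jira_usernames)
    idp_sends_email = all("@" in u for u in usernames)
    if idp_sends_email != jira_uses_email:
        return "format-mismatch"
    return "unknown"

def diagnose(log_text, jira_usernames):
    """Parse the log excerpt and classify it in one call."""
    return classify_failure(extract_sso_usernames(log_text), jira_usernames)
```

Run it against the real log (e.g. `diagnose(open("atlassian-jira.log").read(), usernames_from_cwd_user)`) and treat "unknown" as a prompt to inspect the entries by hand rather than as a clean bill of health.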
Solution
To resolve this Single Sign-On login problem, ensure that the SSO settings have the proper attribute set in the Username mapping, so that Jira obtains the correct username from the IdP.
Updating the settings through the UI
- Go to > System > SSO 2.0 Authentication (or Authentication methods if you have version 4.2.0+ installed).
- Locate the Username mapping attribute.
- Check on the IdP side which attribute matches the format Jira expects for the user_name information.
You can double-check the format expected by Jira against the values stored in the user_name column of the cwd_user table.
- Update the Username mapping field to the correct attribute, using the appropriate format for the version of the plugin:
  - If you have version 4.0.x installed, use the literal name of the attribute. Example: NameID or preferred_username
  - If you have version 4.1.0+ installed, use the mapping expression around the attribute. Example: ${NameID} or ${preferred_username}
- Save the changes, and test the login.
Updating the settings through the database
This option should only be used as a last resort.
If you don't have access to the UI to perform the steps from the above alternative, you may want to first try Bypass SAML authentication for Jira Data Center.
Before proceeding any further, we strongly recommend that you create a native database backup, in case the changes need to be rolled back.
1. Stop Jira on all of the nodes.
2. Identify the current configuration and property ID with the SQL below:
SELECT propertyentry.id, propertyentry.property_key, propertystring.propertyvalue FROM propertyentry JOIN propertystring ON propertyentry.id=propertystring.id WHERE property_key = 'com.atlassian.plugins.authentication.sso.config.username-attribute';
3. Check on the IdP side which attribute matches the format Jira expects for the user_name information.
You can double-check the format expected by Jira against the values stored in the user_name column of the cwd_user table.
4. With the ID and attribute name at hand, update the setting directly in the database with the following UPDATE statement, using the appropriate format for the version of the plugin:
  - If you have version 4.0.x installed, use the literal name of the attribute. Example: NameID or preferred_username
UPDATE propertystring SET propertyvalue = 'IdP_Username_attribute' WHERE id = 'id_from_step_2';
  - If you have version 4.1.0+ installed, use the mapping expression around the attribute. Example: ${NameID} or ${preferred_username}
UPDATE propertystring SET propertyvalue = '${IdP_Username_attribute}' WHERE id = 'id_from_step_2';
5. Commit the changes if necessary.
6. Start one of the Jira nodes and test the SSO settings.
7. If everything is working well, bring up the remaining nodes.