Users unable to access Jira after enabling SSO


Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

After enabling SSO on Jira, users can no longer log in.

Diagnosis

  • Errors with the following pattern appear in the atlassian-jira.log files:
AuthenticationFailedException: Received SAML assertion for user XXX, but the user doesn't exist in the product
  • Run the following SQL query against the database connected to Jira to check whether the user exists:
SELECT * FROM cwd_user
WHERE user_name = '<usernamefromerror>';

(warning) Replace <usernamefromerror> with the username that appears in the exception above.
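
The diagnosis above can be automated for many users at once. The following is an added example, not Atlassian's code: it extracts the rejected usernames from the log pattern and compares them with user_name values exported from cwd_user, separating users that are missing (Cause 1) from users that exist under a different format (Cause 2). The log lines, usernames and function names are constructed for illustration, and the case-insensitive comparison is an assumption.

```python
import re
from collections import Counter

# Error text as it appears in atlassian-jira.log (quoted in the article).
PATTERN = re.compile(
    r"AuthenticationFailedException: Received SAML assertion for user (.+?), "
    r"but the user doesn't exist in the product"
)
# Constructed sample data: log lines and cwd_user.user_name values.
SAMPLE_LOG = [
    "2021-04-20 09:12:01 ERROR AuthenticationFailedException: Received SAML assertion for user jdoe@company.com, but the user doesn't exist in the product",
    "2021-04-20 09:12:44 ERROR AuthenticationFailedException: Received SAML assertion for user jdoe@company.com, but the user doesn't exist in the product",
    "2021-04-20 09:13:02 INFO unrelated line",
    "2021-04-20 09:15:10 ERROR AuthenticationFailedException: Received SAML assertion for user asmith, but the user doesn't exist in the product",
    "2021-04-20 09:16:30 ERROR AuthenticationFailedException: Received SAML assertion for user newhire@company.com, but the user doesn't exist in the product",
]
SAMPLE_USERS = ["jdoe", "asmith@company.com"]

def failed_name_ids(log_lines):
    """Count how often each NameID was rejected."""
    return Counter(m.group(1) for line in log_lines if (m := PATTERN.search(line)))

def classify(name_ids, jira_usernames):
    """Return (missing, mismatch): Cause 1 users and Cause 2 candidates."""
    # Case-insensitive comparison is an assumption of this example.
    by_name = {u.lower(): u for u in jira_usernames}
    # Index e-mail-style Jira usernames by local part so a bare NameID can match.
    by_local = {u.lower().split("@", 1)[0]: u for u in jira_usernames if "@" in u}
    missing, mismatch = [], {}
    for name_id in sorted(name_ids):
        key = name_id.lower()
        if key in by_name:
            continue  # exact match exists; the failure has another cause
        candidate = by_name.get(key.split("@", 1)[0]) or by_local.get(key)
        if candidate:
            mismatch[name_id] = candidate  # Cause 2: review before renaming
        else:
            missing.append(name_id)  # Cause 1: no matching account in Jira
    return missing, mismatch

if __name__ == "__main__":
    missing, mismatch = classify(failed_name_ids(SAMPLE_LOG), SAMPLE_USERS)
    print("Missing in Jira (Cause 1):", missing)
    for name_id, existing in mismatch.items():
        print(f"Format mismatch (Cause 2): IdP sends {name_id!r}, Jira has {existing!r}")
```

Each mismatch is a candidate to review by hand before any rename, because a matching local part alone does not confirm that the IdP identity and the Jira account belong to the same person.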

Cause 1

The expected user does not exist in Jira.

Solution 1

Make sure every user who needs to log in through SSO has been created in Jira. If there are many users to create, you can use the experimental POST /rest/api/2/user API call to bulk create users on Jira.

Cause 2

The user exists in Jira, but the username does not follow the format expected by the IdP (e.g. Jira contains the user jdoe, but the IdP expects jdoe@company.com).

Solution

Correct the username so it matches what is expected by Jira. Typically this should be fixed on the IdP's side, making the IdP return the expected username as the NameId.

Solution 2

One of the approaches below can be followed in this case:

  • Manually rename the username in Jira's UI
  • Use the experimental PUT /rest/api/2/user API call to bulk rename users on Jira
  • Change the username attribute at the IdP's side, if possible

(warning) The solution below involves the use of a third-party script and is therefore not officially supported by Atlassian. It was designed by one of our customers, who proactively shared their solution to this problem with us. To make sure it works in your Jira environment, check whether the code needs any changes on your side, and test it in a staging environment first.

  • Use the following script mentioned in the warning above, which is designed to update Jira usernames to match the users' e-mail addresses. This solution can be used if the IdP expects an e-mail address instead of a regular username.


Last updated: April 23, 2021
