要約

Users are unable to log in using SSO. This could be happening after an upgrade of Jira

診断

• Users are unable to log in using SSO

• The below error is seen in the logs during log in attempt

  2022-05-12 15:59:12,612+0200 http-nio-8080-exec-22 WARN anonymous 123x4567x8 1a23b4c 10.11.12.13,127.0.0.1 /plugins/servlet/samlconsumer [c.a.p.a.i.web.saml.SamlConsumerServlet] Received an invalid SamlResponse: com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: Signature validation failed. SAML Response rejected
  2022-05-12 15:59:12,612+0200 http-nio-8080-exec-22 ERROR anonymous 123x4567x8 1a23b4c 10.11.12.13,127.0.0.1 /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received invalid SAML response: Signature validation failed. SAML Response rejected
  com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: Signature validation failed. SAML Response rejected
  	at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:91)
  	at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48)
  	at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.extractSamlResponse(OneloginJavaSamlProvider.java:82)
  	at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:94)
  	...

• This could be happening immediately after upgrade. Before upgrade (or upon roll back), users are able to log in without issues
• Verified that the certificate is correct
• Re-creating the SSO configuration also does not help

原因

Caused by character encoding issue

ソリューション

1. Jira を停止します。

2. Add the 2 properties below as per Setting properties and options on startup

   -Dfile.encoding=UTF-8
   -Djavax.servlet.request.encoding=UTF8

3. Jira を再起動します。