
Improve error message for SAML Response - Audience field missing/misconfigured



    Description

      Issue Summary

      When an Identity Provider sends a SAML Response without the Audience field inside the <Conditions> element, we throw an error that refers to a different field, the Destination URL:

      "Hmm... we're having trouble logging you in. You'll need to talk to your organization admin - tell them we sent you, and that there appears to be an issue with the destination URL used for your SAML single sign-on configuration."

      Steps to Reproduce

      Make sure that the integrated IdP is missing the Audience configuration, like the one below:

      1. Try to log in to id.atlassian.com to see the failure
      2. Get a HAR file of the failed attempt
      3. Check the following error:
      Request URL: https://id.atlassian.com/login/callback?application=jira&continue=https://abc.atlassian.net/login?redirectCount=1&application=jira&error=access_denied&error_description=Audience is invalid. Configured: https://auth.atlassian.com/saml/1256cb51b-40b3-4d12-b984-5f9c4b383f4a&state=eyJjc3JmVG9rZW4iOiIzNzcyZDhkZC1iYmJmLTRjOTQtODk5ZC0yNmY5ODg2ODg2YWMiLCJhbm9ueW1vdXNJZCI6ImUwOGI3NDM4LWZjNTEtNDk5ZS04MzFiLWY3ODc2NDdjOTY1NyIsInF1ZXJ5IjoiP2NvbnRpbnVlPWh0dHBzJTNBJTJGJTJGdW5peGZ5LmF0bGFzc2lhbi5uZXQlMkZsb2dpbiUzRnJlZGlyZWN0Q291bnQlM0QxJTI2YXBwbGljYXRpb24lM0RqaXJhJmFwcGxpY2F0aW9uPWppcmEifQ==
      HTTP Version: http/2.0
      Request method: GET
      
      Full response: HTTP 403 Forbidden

      Expected Results

      The error message should state something like:

      "Looks like your Audience configuration at your Identity Provider SAML configuration is either missing or misconfigured".

      Actual Results

      The following error message is returned:

      "Hmm... we're having trouble logging you in. You'll need to talk to your organization admin - tell them we sent you, and that there appears to be an issue with the destination URL used for your SAML single sign-on configuration."

      Failed <Conditions> element:
      <saml:Conditions NotBefore="2021-12-31T00:00:49Z" NotOnOrAfter="2021-12-31T00:10:49Z"/>
      
      -------------------------------------------------------------------------------------------
      Working sample - Microsoft:
      
      <Conditions NotBefore="2022-01-03T13:07:12.759Z" NotOnOrAfter="2022-01-03T14:12:12.759Z">
         <AudienceRestriction>
            <Audience>https://auth.atlassian.com/saml/31b3dbbe-87dd-4dbf-b758-aeef158c72fa</Audience>
         </AudienceRestriction>
      </Conditions>
      
      -------------------------------------------------------------------------------------------
      Working sample - Okta:
      
      <saml2:Conditions NotBefore="2022-01-03T13:44:54.277Z" NotOnOrAfter="2022-01-03T13:54:54.277Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
         <saml2:AudienceRestriction>
            <saml2:Audience>https://auth.atlassian.com/saml/31b3dbbe-87dd-4dbf-b758-aeef158c72fa</saml2:Audience>
         </saml2:AudienceRestriction>
      </saml2:Conditions>
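      As an added illustration (not Atlassian's code), the check below parses the three <Conditions> samples above and reports whether the Audience is missing, mismatched, or valid, so the resulting error message can name the field that actually failed. The message texts and the helper names are hypothetical; the xmlns:saml declaration is added to the failing sample so the fragment parses stand-alone, and signature and timestamp validation are assumed to have happened already.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical SP-side messages: each one names the field that actually failed
# instead of pointing the admin at an unrelated setting such as the Destination URL.
MESSAGES = {
    "ok": "Audience accepted.",
    "audience_missing": ("The SAML Response has no <AudienceRestriction>/<Audience> under "
                         "<Conditions>; check the Audience setting at your Identity Provider."),
    "audience_mismatch": ("The <Audience> in the SAML Response does not match the configured "
                          "SP entity ID; check the Audience setting at your Identity Provider."),
}


def audiences_in(conditions_xml: str) -> list:
    """Collect every <Audience> value, whatever prefix the IdP used (saml:, saml2:, or none)."""
    root = ET.fromstring(conditions_xml)
    wanted = {"{%s}Audience" % SAML2_NS, "Audience"}
    return [el.text.strip() for el in root.iter() if el.tag in wanted and el.text]


def check_audience(conditions_xml: str, expected_audience: str) -> str:
    """Classify the Audience condition as 'ok', 'audience_missing' or 'audience_mismatch'."""
    found = audiences_in(conditions_xml)
    if not found:
        return "audience_missing"
    if expected_audience not in found:          # SAML audiences are compared as exact URIs
        return "audience_mismatch"
    return "ok"


def error_message(conditions_xml: str, expected_audience: str) -> str:
    return MESSAGES[check_audience(conditions_xml, expected_audience)]


# Samples taken from the issue (constructed here as inline strings).
EXPECTED = "https://auth.atlassian.com/saml/31b3dbbe-87dd-4dbf-b758-aeef158c72fa"
FAILING = ('<saml:Conditions xmlns:saml="%s" NotBefore="2021-12-31T00:00:49Z" '
           'NotOnOrAfter="2021-12-31T00:10:49Z"/>' % SAML2_NS)
MICROSOFT = ('<Conditions NotBefore="2022-01-03T13:07:12.759Z" NotOnOrAfter="2022-01-03T14:12:12.759Z">'
             '<AudienceRestriction><Audience>%s</Audience></AudienceRestriction></Conditions>' % EXPECTED)
OKTA = ('<saml2:Conditions NotBefore="2022-01-03T13:44:54.277Z" NotOnOrAfter="2022-01-03T13:54:54.277Z" '
        'xmlns:saml2="%s"><saml2:AudienceRestriction><saml2:Audience>%s</saml2:Audience>'
        '</saml2:AudienceRestriction></saml2:Conditions>' % (SAML2_NS, EXPECTED))

if __name__ == "__main__":
    for name, xml in (("failing", FAILING), ("microsoft", MICROSOFT), ("okta", OKTA)):
        print(name, check_audience(xml, EXPECTED), "-", error_message(xml, EXPECTED))
```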
      

      Workaround

      N/A

      People

        Assignee: Unassigned
        Reporter: Rafael Fabbri (Inactive)
        Votes: 1
        Watchers: 3