Improve error message for SAML Response - Audience field missing/misconfigured

      Issue Summary

      When an Identity Provider sends a SAML Response without the Audience field inside the <Conditions> element, we throw an error that refers to a different field, the Destination URL:

      "Hmm... we're having trouble logging you in. You'll need to talk to your organization admin - tell them we sent you, and that there appears to be an issue with the destination URL used for your SAML single sign-on configuration."

      Steps to Reproduce

      Make sure that the integrated IdP's SAML configuration is missing the Audience value, like the one below:

      1. Try to log in to id.atlassian.com to see the failure
      2. Get a HAR file of the failed attempt
      3. Check the following error:
      Request URL: https://id.atlassian.com/login/callback?application=jira&continue=https://abc.atlassian.net/login?redirectCount=1&application=jira&error=access_denied&error_description=Audience is invalid. Configured: https://auth.atlassian.com/saml/1256cb51b-40b3-4d12-b984-5f9c4b383f4a&state=eyJjc3JmVG9rZW4iOiIzNzcyZDhkZC1iYmJmLTRjOTQtODk5ZC0yNmY5ODg2ODg2YWMiLCJhbm9ueW1vdXNJZCI6ImUwOGI3NDM4LWZjNTEtNDk5ZS04MzFiLWY3ODc2NDdjOTY1NyIsInF1ZXJ5IjoiP2NvbnRpbnVlPWh0dHBzJTNBJTJGJTJGdW5peGZ5LmF0bGFzc2lhbi5uZXQlMkZsb2dpbiUzRnJlZGlyZWN0Q291bnQlM0QxJTI2YXBwbGljYXRpb24lM0RqaXJhJmFwcGxpY2F0aW9uPWppcmEifQ==
      HTTP Version: http/2.0
      Request method: GET
      
      Full response: HTTP 403 Forbidden

      Expected Results

      The error message should state something like:

      "Looks like your Audience configuration at your Identity Provider SAML configuration is either missing or misconfigured".

      Actual Results

      The following error message is returned:

      "Hmm... we're having trouble logging you in. You'll need to talk to your organization admin - tell them we sent you, and that there appears to be an issue with the destination URL used for your SAML single sign-on configuration."

      Failed <Conditions> element:
      <saml:Conditions NotBefore="2021-12-31T00:00:49Z" NotOnOrAfter="2021-12-31T00:10:49Z"/>
      
      -------------------------------------------------------------------------------------------
      Working sample - Microsoft:
      
      <Conditions NotBefore="2022-01-03T13:07:12.759Z" NotOnOrAfter="2022-01-03T14:12:12.759Z">
         <AudienceRestriction>
            <Audience>https://auth.atlassian.com/saml/31b3dbbe-87dd-4dbf-b758-aeef158c72fa</Audience>
         </AudienceRestriction>
      </Conditions>
      
      -------------------------------------------------------------------------------------------
      Working sample - Okta:
      
      <saml2:Conditions NotBefore="2022-01-03T13:44:54.277Z" NotOnOrAfter="2022-01-03T13:54:54.277Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
         <saml2:AudienceRestriction>
            <saml2:Audience>https://auth.atlassian.com/saml/31b3dbbe-87dd-4dbf-b758-aeef158c72fa</saml2:Audience>
         </saml2:AudienceRestriction>
      </saml2:Conditions>
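      To show how a service provider can tell these cases apart and return the message this issue asks for, here is an added Python example (not Atlassian's own validation code). It parses each <Conditions> fragment above, matching on local element names so the unprefixed Microsoft markup, the Okta saml2: prefix and the saml: prefix of the failing sample are all handled the same way, and returns a reason code that names the real problem. Assumptions, all constructed for the demo: EXPECTED_AUDIENCE is the audience the SP was configured with (the Okta/Microsoft value from the samples), the failing sample gets an xmlns:saml declaration so it parses on its own, a fourth sample with a wrong tenant ID is added to show the mismatch case, and the "now" timestamps are chosen to fall inside or outside each sample's validity window.

```python
"""Classify <Conditions> failures in a SAML assertion so the error names the
real cause. Added example, not Atlassian's own validation code.

Assumptions (constructed for this demo): EXPECTED_AUDIENCE is the audience
value the SP expects, the samples are the three <Conditions> fragments from
this issue (the failed one gets an xmlns:saml declaration so it parses on its
own) plus one with a wrong tenant ID, and 'now' is passed in explicitly.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed: the audience/entity ID the service provider was configured with
EXPECTED_AUDIENCE = "https://auth.atlassian.com/saml/31b3dbbe-87dd-4dbf-b758-aeef158c72fa"

# Constructed samples, copied from the issue text
FAILED_SAMPLE = (
    '<saml:Conditions xmlns:saml="%s" NotBefore="2021-12-31T00:00:49Z" '
    'NotOnOrAfter="2021-12-31T00:10:49Z"/>' % SAML_NS
)
MICROSOFT_SAMPLE = """<Conditions NotBefore="2022-01-03T13:07:12.759Z" NotOnOrAfter="2022-01-03T14:12:12.759Z">
   <AudienceRestriction>
      <Audience>https://auth.atlassian.com/saml/31b3dbbe-87dd-4dbf-b758-aeef158c72fa</Audience>
   </AudienceRestriction>
</Conditions>"""
OKTA_SAMPLE = """<saml2:Conditions NotBefore="2022-01-03T13:44:54.277Z" NotOnOrAfter="2022-01-03T13:54:54.277Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
   <saml2:AudienceRestriction>
      <saml2:Audience>https://auth.atlassian.com/saml/31b3dbbe-87dd-4dbf-b758-aeef158c72fa</saml2:Audience>
   </saml2:AudienceRestriction>
</saml2:Conditions>"""
# Constructed: an IdP that sends the audience of a different tenant
WRONG_AUDIENCE_SAMPLE = MICROSOFT_SAMPLE.replace(
    "31b3dbbe-87dd-4dbf-b758-aeef158c72fa", "00000000-0000-0000-0000-000000000000"
)

MESSAGES = {
    "conditions_missing": "The SAML Response has no <Conditions> element.",
    "not_yet_valid": "The SAML Response is not valid yet (NotBefore is in the future); check clock skew between the IdP and the SP.",
    "expired": "The SAML Response has expired (NotOnOrAfter has passed).",
    "audience_missing": "The Audience value is missing from the SAML Response's <Conditions> element. Check the Audience/Entity ID setting in your identity provider's SAML configuration.",
    "audience_mismatch": "The Audience in the SAML Response does not match the value configured for this service provider.",
    "ok": "Conditions satisfied.",
}


def local_name(tag):
    # ElementTree writes namespaced tags as '{uri}name'; compare on the local part
    # so saml:, saml2: and unprefixed markup are all treated alike.
    return tag.rsplit("}", 1)[-1]


def find_all(elem, name):
    # elem.iter() yields elem itself first, so a bare <Conditions/> root is found too
    return [e for e in elem.iter() if local_name(e.tag) == name]


def parse_saml_time(value):
    # SAML dateTime values are UTC with a trailing 'Z'; fractional seconds are optional
    if value.endswith("Z"):
        value = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_conditions(xml_text, expected_audience, now=None):
    """Return a short reason code for the first condition that fails."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    found = find_all(root, "Conditions")
    if not found:
        return "conditions_missing"
    cond = found[0]

    # Validity window first: an expired assertion is rejected whatever its audience says
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        return "not_yet_valid"
    if not_on_or_after and now >= parse_saml_time(not_on_or_after):
        return "expired"

    restrictions = find_all(cond, "AudienceRestriction")
    if not restrictions:
        return "audience_missing"
    # SAML core 2.5.1.4: every AudienceRestriction must list this SP; one that
    # does not makes the assertion invalid for us.
    for restriction in restrictions:
        audiences = [(a.text or "").strip() for a in find_all(restriction, "Audience")]
        if not any(audiences):
            return "audience_missing"
        if expected_audience not in audiences:
            return "audience_mismatch"
    return "ok"


def explain(xml_text, expected_audience, now=None):
    """Map the reason code to the operator-facing message."""
    return MESSAGES[check_conditions(xml_text, expected_audience, now)]


if __name__ == "__main__":
    inside_window = parse_saml_time("2021-12-31T00:05:00Z")
    print(explain(FAILED_SAMPLE, EXPECTED_AUDIENCE, inside_window))
```

      The audience check is what stops an assertion issued for one service provider from being accepted by another, so it belongs in the SP regardless of how the error is worded; the point of the reason codes is that an admin reading "audience missing" goes to the right IdP setting instead of the Destination URL. In a real SP the XML signature is verified before anything in <Conditions> is trusted, and untrusted XML is parsed with a hardened parser such as defusedxml rather than xml.etree directly.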
      

      Workaround

      N/A

      Attachments:
        1. image-2022-01-03-15-51-36-497.png
        2. image-2022-01-03-15-55-05-938.png

            Assignee:
            Unassigned
            Reporter:
            Rafael Fabbri (Inactive)