Suggestion
Resolution: Timed out
2
Issue Summary
When an Identity Provider sends a SAML Response whose <Conditions> element contains no Audience (no <AudienceRestriction>/<Audience>), we throw an error that refers to a different field, the Destination URL:
"Hmm... we're having trouble logging you in. You'll need to talk to your organization admin - tell them we sent you, and that there appears to be an issue with the destination URL used for your SAML single sign-on configuration."
Steps to Reproduce
Make sure that the integrated IdP is missing the Audience configuration, like the failing sample below:
- Try to log in to id.atlassian.com to see the failure
- Get a HAR file of the failed attempt
- Check for the following error in the callback request:
  - error=access_denied &
  - error_description=Audience is invalid. Configured: https://auth.atlassian.com/saml/1256cb51b-40b3-4d12-b984-5f9c4b383f4a
Request URL: https://id.atlassian.com/login/callback?application=jira&continue=https://abc.atlassian.net/login?redirectCount=1&application=jira&error=access_denied&error_description=Audience is invalid. Configured: https://auth.atlassian.com/saml/1256cb51b-40b3-4d12-b984-5f9c4b383f4a&state=eyJjc3JmVG9rZW4iOiIzNzcyZDhkZC1iYmJmLTRjOTQtODk5ZC0yNmY5ODg2ODg2YWMiLCJhbm9ueW1vdXNJZCI6ImUwOGI3NDM4LWZjNTEtNDk5ZS04MzFiLWY3ODc2NDdjOTY1NyIsInF1ZXJ5IjoiP2NvbnRpbnVlPWh0dHBzJTNBJTJGJTJGdW5peGZ5LmF0bGFzc2lhbi5uZXQlMkZsb2dpbiUzRnJlZGlyZWN0Q291bnQlM0QxJTI2YXBwbGljYXRpb24lM0RqaXJhJmFwcGxpY2F0aW9uPWppcmEifQ==
HTTP Version: http/2.0
Request method: GET
Full response: HTTP 403 Forbidden
Expected Results
The error message should state something like:
"Looks like your Audience configuration at your Identity Provider SAML configuration is either missing or misconfigured".
Actual Results
The following error message is returned:
"Hmm... we're having trouble logging you in. You'll need to talk to your organization admin - tell them we sent you, and that there appears to be an issue with the destination URL used for your SAML single sign-on configuration."
Failed <Conditions> element (no AudienceRestriction at all):

<saml:Conditions NotBefore="2021-12-31T00:00:49Z" NotOnOrAfter="2021-12-31T00:10:49Z"/>

Working sample - Microsoft:

<Conditions NotBefore="2022-01-03T13:07:12.759Z" NotOnOrAfter="2022-01-03T14:12:12.759Z">
  <AudienceRestriction>
    <Audience>https://auth.atlassian.com/saml/31b3dbbe-87dd-4dbf-b758-aeef158c72fa</Audience>
  </AudienceRestriction>
</Conditions>

Working sample - Okta:

<saml2:Conditions NotBefore="2022-01-03T13:44:54.277Z" NotOnOrAfter="2022-01-03T13:54:54.277Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AudienceRestriction>
    <saml2:Audience>https://auth.atlassian.com/saml/31b3dbbe-87dd-4dbf-b758-aeef158c72fa</saml2:Audience>
  </saml2:AudienceRestriction>
</saml2:Conditions>
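The behaviour this ticket asks for, a validator that distinguishes "no Audience at all" from "wrong Audience" and from a time-window failure, is shown below as an added example. It is not Atlassian's code and makes no claim about how id.atlassian.com validates assertions. It runs the three <Conditions> fragments from this ticket; the failing and Microsoft fragments have the SAML 2.0 assertion namespace declared on them (an assumption, since in a real Response that declaration sits on a parent element) so they parse stand-alone. The expected audience and the clock values are constructed for the demo.

```python
"""Validate the <Conditions> element of a SAML 2.0 assertion and return a
specific, actionable reason code instead of a misleading generic error."""
from __future__ import annotations

import xml.etree.ElementTree as ET  # swap for defusedxml in production code
from dataclasses import dataclass
from datetime import datetime, timezone

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass(frozen=True)
class ConditionsResult:
    ok: bool
    code: str      # machine-readable reason, e.g. "audience_missing"
    message: str   # text an org admin can act on


def _local(tag: str) -> str:
    """Local part of a Clark-notation tag such as '{ns}Audience'."""
    return tag.rsplit("}", 1)[-1]


def _parse_saml_time(value: str) -> datetime:
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2022-01-03T13:07:12.759Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_conditions(conditions_xml: str, expected_audience: str,
                        now: datetime) -> ConditionsResult:
    """Check the validity window and every AudienceRestriction of <Conditions>.

    Per the SAML 2.0 core spec, each AudienceRestriction must be satisfied
    (AND across restrictions), and a restriction is satisfied if any one of
    its Audience children matches (OR within a restriction).
    """
    root = ET.fromstring(conditions_xml)
    if root.tag != f"{{{SAML2_NS}}}Conditions":
        return ConditionsResult(False, "not_conditions",
                                "Expected a SAML 2.0 <Conditions> element")

    # 1. Validity window. Both attributes are optional, so enforce only
    #    the ones the IdP actually sent.
    not_before = root.get("NotBefore")
    if not_before and now < _parse_saml_time(not_before):
        return ConditionsResult(False, "not_yet_valid",
                                f"Assertion is not valid before {not_before}")
    not_on_or_after = root.get("NotOnOrAfter")
    if not_on_or_after and now >= _parse_saml_time(not_on_or_after):
        return ConditionsResult(False, "expired",
                                f"Assertion expired at {not_on_or_after}")

    # 2. Audience. Match on local names so saml:, saml2: or the default
    #    namespace prefix all work, as the three samples in the ticket show.
    restrictions = [el for el in root if _local(el.tag) == "AudienceRestriction"]
    if not restrictions:
        return ConditionsResult(
            False, "audience_missing",
            "The assertion carries no <AudienceRestriction>/<Audience>. "
            f"Configure the audience {expected_audience} at your identity provider.")

    for restriction in restrictions:
        audiences = [(a.text or "").strip() for a in restriction
                     if _local(a.tag) == "Audience"]
        if expected_audience not in audiences:
            return ConditionsResult(
                False, "audience_invalid",
                f"Audience is invalid. Configured: {expected_audience}; "
                f"received: {', '.join(audiences) or '(empty)'}")

    return ConditionsResult(True, "ok", "Conditions satisfied")


# --- Samples from the ticket (namespace declarations added so they parse alone) ---
EXPECTED_AUDIENCE = "https://auth.atlassian.com/saml/31b3dbbe-87dd-4dbf-b758-aeef158c72fa"

FAILING = ('<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
           'NotBefore="2021-12-31T00:00:49Z" NotOnOrAfter="2021-12-31T00:10:49Z"/>')

MICROSOFT = ('<Conditions xmlns="urn:oasis:names:tc:SAML:2.0:assertion" '
             'NotBefore="2022-01-03T13:07:12.759Z" NotOnOrAfter="2022-01-03T14:12:12.759Z">'
             '<AudienceRestriction><Audience>' + EXPECTED_AUDIENCE +
             '</Audience></AudienceRestriction></Conditions>')

OKTA = ('<saml2:Conditions NotBefore="2022-01-03T13:44:54.277Z" '
        'NotOnOrAfter="2022-01-03T13:54:54.277Z" '
        'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml2:AudienceRestriction><saml2:Audience>' + EXPECTED_AUDIENCE +
        '</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>')


def run_samples() -> dict[str, str]:
    """Evaluate each sample at a constructed clock inside its window and
    return the reason code per sample."""
    utc = timezone.utc
    return {
        "failing": validate_conditions(FAILING, EXPECTED_AUDIENCE,
                                       datetime(2021, 12, 31, 0, 5, tzinfo=utc)).code,
        "microsoft": validate_conditions(MICROSOFT, EXPECTED_AUDIENCE,
                                         datetime(2022, 1, 3, 13, 30, tzinfo=utc)).code,
        "okta": validate_conditions(OKTA, EXPECTED_AUDIENCE,
                                    datetime(2022, 1, 3, 13, 50, tzinfo=utc)).code,
        "okta_late": validate_conditions(OKTA, EXPECTED_AUDIENCE,
                                         datetime(2022, 1, 3, 14, 0, tzinfo=utc)).code,
    }


if __name__ == "__main__":
    for name, code in run_samples().items():
        print(f"{name}: {code}")
```

The failing sample yields `audience_missing`, which is the message the Expected Results section asks for; a response that does carry an Audience but a different one yields `audience_invalid` with both values, so the admin sees which side is misconfigured; and a stale response is reported as `expired` rather than being blamed on the Destination URL.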
Workaround
N/A
Hi everyone,
Thank you for raising and following this suggestion. Because there has been no user engagement (votes, watches, comments) over the last year, we have no plans to implement this in the foreseeable future. In order to set expectations, we're closing this request to focus on our upcoming roadmap.
If you still feel that this feature significantly impacts your team, please let us know on the ticket. Thanks again for continuing to provide valuable feedback to our team.
Regards,
The Atlassian Access PM team