Uploaded image for project: 'Atlassian Guard'
  1. Atlassian Guard
  2. ACCESS-1187

Improve error message for SAML Response - Audience field missing/misconfigured

XMLWordPrintable

    • 2
    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      Issue Summary

      When an Identity Provider is sending a SAML Response without the Audience field inside <Conditions> element, we are throwing an error related to another field - the Destination URL:

      "Hmm... we're having trouble logging you in. You'll need to talk to your organization admin - tell them we sent you, and that there appears to be an issue with the destination URL used for your SAML single sign-on configuration."

      Steps to Reproduce

      Make sure that the integrated IdP is missing the Audience configuration is missing, like the one below:

      1. Try to login into id.atlassian.com to see the failure
      2. Get a HAR file of the failed attempt
      3. Check the following error:
      Request URL: https://id.atlassian.com/login/callback?application=jira&continue=https://abc.atlassian.net/login?redirectCount=1&application=jira&error=access_denied&error_description=Audience is invalid. Configured: https://auth.atlassian.com/saml/1256cb51b-40b3-4d12-b984-5f9c4b383f4a&state=eyJjc3JmVG9rZW4iOiIzNzcyZDhkZC1iYmJmLTRjOTQtODk5ZC0yNmY5ODg2ODg2YWMiLCJhbm9ueW1vdXNJZCI6ImUwOGI3NDM4LWZjNTEtNDk5ZS04MzFiLWY3ODc2NDdjOTY1NyIsInF1ZXJ5IjoiP2NvbnRpbnVlPWh0dHBzJTNBJTJGJTJGdW5peGZ5LmF0bGFzc2lhbi5uZXQlMkZsb2dpbiUzRnJlZGlyZWN0Q291bnQlM0QxJTI2YXBwbGljYXRpb24lM0RqaXJhJmFwcGxpY2F0aW9uPWppcmEifQ==
      HTTP Version: http/2.0
      Request method: GET
      
      Full response: HTTP 403 Forbidden

      Expected Results

      The error message should state something like:

      "Looks like your Audience configuration at your Identity Provider SAML configuration is either missing or misconfigured".

      Actual Results

      The following error message is returned:

      "Hmm... we're having trouble logging you in. You'll need to talk to your organization admin - tell them we sent you, and that there appears to be an issue with the destination URL used for your SAML single sign-on configuration."

      Failed <Condition> element:
      <saml:Conditions NotBefore="2021-12-31T00:00:49Z" NotOnOrAfter="2021-12-31T00:10:49Z"/>
      
      -------------------------------------------------------------------------------------------
      Working sample - Microsoft:
      
      <Conditions NotBefore="2022-01-03T13:07:12.759Z" NotOnOrAfter="2022-01-03T14:12:12.759Z">
         <AudienceRestriction>
            <Audience>https://auth.atlassian.com/saml/31b3dbbe-87dd-4dbf-b758-aeef158c72fa</Audience>
         </AudienceRestriction>
      </Conditions>
      
      -------------------------------------------------------------------------------------------
      Working sample - Okta:
      
      <saml2:Conditions NotBefore="2022-01-03T13:44:54.277Z" NotOnOrAfter="2022-01-03T13:54:54.277Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
         <saml2:AudienceRestriction>
            <saml2:Audience>https://auth.atlassian.com/saml/31b3dbbe-87dd-4dbf-b758-aeef158c72fa</saml2:Audience>
         </saml2:AudienceRestriction>
      </saml2:Conditions>
      

      Workaround

      N/A

              Unassigned Unassigned
              5322c3e7fa3c Rafael Fabbri (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: