Suggestion
Resolution: Timed out
2
Issue Summary
When an Identity Provider sends a SAML Response whose <Conditions> element carries no Audience (no <AudienceRestriction>/<Audience> child), we throw an error about a different field, the Destination URL:
"Hmm... we're having trouble logging you in. You'll need to talk to your organization admin - tell them we sent you, and that there appears to be an issue with the destination URL used for your SAML single sign-on configuration."
Steps to Reproduce
Make sure the integrated IdP's SAML configuration has no Audience value set, like the one in the attached screenshot (image-2022-01-03-15-51-36-497.png):
- Try to log in at id.atlassian.com to see the failure
- Get a HAR file of the failed attempt
- Check for the following error in the callback redirect:
- error=access_denied
- error_description=Audience is invalid. Configured: https://auth.atlassian.com/saml/1256cb51b-40b3-4d12-b984-5f9c4b383f4a
Request URL: https://id.atlassian.com/login/callback?application=jira&continue=https://abc.atlassian.net/login?redirectCount=1&application=jira&error=access_denied&error_description=Audience is invalid. Configured: https://auth.atlassian.com/saml/1256cb51b-40b3-4d12-b984-5f9c4b383f4a&state=eyJjc3JmVG9rZW4iOiIzNzcyZDhkZC1iYmJmLTRjOTQtODk5ZC0yNmY5ODg2ODg2YWMiLCJhbm9ueW1vdXNJZCI6ImUwOGI3NDM4LWZjNTEtNDk5ZS04MzFiLWY3ODc2NDdjOTY1NyIsInF1ZXJ5IjoiP2NvbnRpbnVlPWh0dHBzJTNBJTJGJTJGdW5peGZ5LmF0bGFzc2lhbi5uZXQlMkZsb2dpbiUzRnJlZGlyZWN0Q291bnQlM0QxJTI2YXBwbGljYXRpb24lM0RqaXJhJmFwcGxpY2F0aW9uPWppcmEifQ==
HTTP Version: http/2.0
Request method: GET
Full response: HTTP 403 Forbidden
Expected Results
The error message should state something like:
"Looks like the Audience in your Identity Provider's SAML configuration is either missing or misconfigured".
Actual Results
The following error message is returned:
"Hmm... we're having trouble logging you in. You'll need to talk to your organization admin - tell them we sent you, and that there appears to be an issue with the destination URL used for your SAML single sign-on configuration."
Failed <Conditions> element (only the validity window, no <AudienceRestriction> at all):

<saml:Conditions NotBefore="2021-12-31T00:00:49Z" NotOnOrAfter="2021-12-31T00:10:49Z"/>

-------------------------------------------------------------------------------------------
Working sample - Microsoft:

<Conditions NotBefore="2022-01-03T13:07:12.759Z" NotOnOrAfter="2022-01-03T14:12:12.759Z">
  <AudienceRestriction>
    <Audience>https://auth.atlassian.com/saml/31b3dbbe-87dd-4dbf-b758-aeef158c72fa</Audience>
  </AudienceRestriction>
</Conditions>

-------------------------------------------------------------------------------------------
Working sample - Okta:

<saml2:Conditions NotBefore="2022-01-03T13:44:54.277Z" NotOnOrAfter="2022-01-03T13:54:54.277Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AudienceRestriction>
    <saml2:Audience>https://auth.atlassian.com/saml/31b3dbbe-87dd-4dbf-b758-aeef158c72fa</saml2:Audience>
  </saml2:AudienceRestriction>
</saml2:Conditions>
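The security point behind this ticket is that the audience restriction is what stops an assertion minted for one service provider from being accepted by another: the SAML 2.0 Web Browser SSO profile requires every bearer assertion to carry an <AudienceRestriction> naming the SP, so an SP has to fail closed when it is absent, as the service does here. The only defect is that the message names the wrong field. The Python below is an added example, not Atlassian's code and not part of the issue: it validates <Conditions> the way SAML Core 2.5.1 describes (validity window, then every <AudienceRestriction> must list the SP's entity ID) and returns a result code that names the failing check, so the user-facing text can say "Audience" when that is the problem. The three <Conditions> fragments above are embedded as constructed samples; the <Assertion> wrapper and namespace declarations around them, the use of the working samples' entity ID as the expected audience, the instants chosen for `now`, the "other-tenant" entity ID, the function and code names, and the message wording are all assumptions made for the example.

```python
"""Validate a SAML 2.0 assertion's <Conditions> and report WHICH check failed, so the
SP can name the Audience when that is the problem instead of blaming the Destination URL."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CONDITIONS = f"{{{SAML_NS}}}Conditions"
AUDIENCE_RESTRICTION = f"{{{SAML_NS}}}AudienceRestriction"
AUDIENCE = f"{{{SAML_NS}}}Audience"
UTC = timezone.utc


@dataclass(frozen=True)
class ConditionsResult:
    code: str    # ok | conditions_missing | not_yet_valid | expired | audience_missing | audience_mismatch
    detail: str


def _saml_time(value: str) -> datetime:
    """Parse the xs:dateTime forms IdPs emit, e.g. 2021-12-31T00:00:49Z or ...T13:07:12.759Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_conditions(assertion_xml: str, expected_audience: str, now: datetime,
                        skew: timedelta = timedelta(0)) -> ConditionsResult:
    """Check the validity window, then require every <AudienceRestriction> to list
    expected_audience (restrictions are ANDed, <Audience> values inside one are ORed,
    SAML Core 2.5.1.4). xml.etree keeps this standard-library only; a real SP verifies
    the XML signature first and parses untrusted XML with a hardened parser (defusedxml)."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    conditions = next(ET.fromstring(assertion_xml).iter(CONDITIONS), None)  # iter() includes root
    if conditions is None:
        return ConditionsResult("conditions_missing", "no <Conditions> element")
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and now + skew < _saml_time(not_before):
        return ConditionsResult("not_yet_valid", f"NotBefore={not_before}")
    if not_on_or_after and now - skew >= _saml_time(not_on_or_after):
        return ConditionsResult("expired", f"NotOnOrAfter={not_on_or_after}")
    restrictions = conditions.findall(AUDIENCE_RESTRICTION)
    if not restrictions:  # the case in the issue: <Conditions/> carries only the time window
        return ConditionsResult("audience_missing", f"expected {expected_audience}")
    for restriction in restrictions:
        audiences = [(a.text or "").strip() for a in restriction.findall(AUDIENCE)]
        if expected_audience not in audiences:
            return ConditionsResult("audience_mismatch", f"got {audiences}, expected {expected_audience}")
    return ConditionsResult("ok", "validity window and audience restriction satisfied")


def admin_message(result: ConditionsResult) -> str:
    """The kind of message the issue asks for: name the field that actually failed."""
    return {
        "audience_missing": "The SAML response from your Identity Provider has no Audience. "
                            "Set the SP entity ID as the Audience in the IdP's SAML configuration.",
        "audience_mismatch": "The Audience in the SAML response does not match the SP entity ID "
                             "configured for this organization.",
        "expired": "The SAML response has expired; check IdP and SP clock synchronisation.",
        "not_yet_valid": "The SAML response is not valid yet; check IdP and SP clock synchronisation.",
        "conditions_missing": "The SAML response has no <Conditions> element.",
    }.get(result.code, "Login succeeded.")


# Constructed samples built around the three <Conditions> fragments quoted in the issue.
# The <Assertion> wrapper and namespace declarations are added here; the entity ID from
# the working samples is used as the audience this SP expects.
SP_AUDIENCE = "https://auth.atlassian.com/saml/31b3dbbe-87dd-4dbf-b758-aeef158c72fa"
FAILING = f'''<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:Conditions NotBefore="2021-12-31T00:00:49Z" NotOnOrAfter="2021-12-31T00:10:49Z"/>
</saml:Assertion>'''
MICROSOFT = f'''<Assertion xmlns="{SAML_NS}">
  <Conditions NotBefore="2022-01-03T13:07:12.759Z" NotOnOrAfter="2022-01-03T14:12:12.759Z">
    <AudienceRestriction><Audience>{SP_AUDIENCE}</Audience></AudienceRestriction>
  </Conditions>
</Assertion>'''
OKTA = f'''<saml2:Assertion xmlns:saml2="{SAML_NS}">
  <saml2:Conditions NotBefore="2022-01-03T13:44:54.277Z" NotOnOrAfter="2022-01-03T13:54:54.277Z">
    <saml2:AudienceRestriction><saml2:Audience>{SP_AUDIENCE}</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>'''


def run_samples() -> dict[str, str]:
    """Evaluate each sample at assumed instants, inside or deliberately outside its window."""
    t_fail = datetime(2021, 12, 31, 0, 5, tzinfo=UTC)
    t_ms = datetime(2022, 1, 3, 13, 30, tzinfo=UTC)
    t_okta = datetime(2022, 1, 3, 13, 50, tzinfo=UTC)
    return {
        "failing": validate_conditions(FAILING, SP_AUDIENCE, t_fail).code,
        "microsoft": validate_conditions(MICROSOFT, SP_AUDIENCE, t_ms).code,
        "okta": validate_conditions(OKTA, SP_AUDIENCE, t_okta).code,
        # the same Okta assertion presented to an SP configured with a different entity ID
        "okta_wrong_sp": validate_conditions(OKTA, "https://auth.atlassian.com/saml/other-tenant", t_okta).code,
        "okta_early": validate_conditions(OKTA, SP_AUDIENCE, t_okta - timedelta(minutes=10)).code,
        "okta_late": validate_conditions(OKTA, SP_AUDIENCE, t_okta + timedelta(minutes=10)).code,
    }
```

Running `run_samples()` classifies the failing fragment as `audience_missing` and both working fragments as `ok`; the same Okta assertion checked against a different SP entity ID comes back `audience_mismatch`, which is the "Audience is invalid. Configured: ..." situation seen in the HAR file. Keeping the validity-window checks ahead of the audience check matters for the error text too: an assertion captured from a HAR file and re-run later would otherwise be reported as an audience problem when it has simply expired.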
Workaround
N/A
[ACCESS-1187] Improve error message for SAML Response - Audience field missing/misconfigured
Resolution | New: Timed out [ 10 ] | |
Status | Original: Gathering Interest [ 11772 ] | New: Closed [ 6 ] |
Support reference count | Original: 1 | New: 2 |
Support reference count | New: 1 |
Labels | New: CD |
Attachment | Original: image-2022-01-03-13-39-07-840.png [ 414839 ] |
Attachment | New: image-2022-01-03-15-55-05-938.png [ 414841 ] |
Attachment | Original: image-2022-01-03-13-42-42-117.png [ 414838 ] |
Attachment | New: image-2022-01-03-15-51-36-497.png [ 414840 ] |