Details
Suggestion
Resolution: Unresolved
Description
Problem Definition
Login attempts fail intermittently in the Confluence Mobile App (for iOS and Android) when connected to Confluence DC instances with Oracle SSO as the Identity Provider.
An error in the logs shows that the InResponseTo attribute is not being properly handled:
2020-10-18 12:26:39,701 ERROR [http-nio-8090-exec-311] [onelogin.saml2.authn.SamlResponse] isValid The Response has an InResponseTo attribute: ONELOGIN_1a7be698-21e9-4fb8-ab1a-2fa4bf460914 while no InResponseTo was expected -- referer: https://url.identity.provider.com/fed/v1/user/response/login? | url: /plugins/servlet/samlconsumer | traceId: xxxxxxx | userName: anonymous
Suggested Solution
Better handle the InResponseTo attribute if a value is returned by Oracle SSO (or other Identity Providers).
Also include Oracle SSO in the tests and in the list of Supported Identity Providers, as per SAML single sign-on for Atlassian Data Center applications:
Supported Identity Providers
Once you have installed the SAML SSO 2.0, the solution should work with any identity provider implementing the SAML 2.0 Web Browser SSO Profile, using the HTTP POST binding. Alternatively it allows you to delegate authentication to Crowd.
We currently perform tests with the following identity providers (IdP):
- Microsoft Azure Active Directory
- Microsoft Active Directory (using ADFS 3.0)
- Bitium
- Okta
- OneLogin
- PingIdentity
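The InResponseTo handling asked for under Suggested Solution comes down to matching each response against an AuthnRequest the service provider actually issued, exactly once and within a time limit. The Python below is an added example, not code from the Atlassian plugin or the OneLogin toolkit; `PendingRequests`, `check_in_response_to`, `sample_response` and the sample IDs are hypothetical, and signature verification is assumed to happen before this check.

```python
import time
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

class PendingRequests:
    """Server-side record of AuthnRequest IDs the SP has issued (hypothetical)."""
    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._issued = {}  # request ID -> issue time (epoch seconds)

    def remember(self, request_id, now):
        self._issued[request_id] = now

    def consume(self, request_id, now):
        """True once for a known, unexpired ID; the ID is forgotten either way."""
        issued = self._issued.pop(request_id, None)
        return issued is not None and now - issued <= self.ttl

def check_in_response_to(response_xml, pending, now=None, allow_unsolicited=False):
    """Return (ok, reason) for the InResponseTo attribute of a samlp:Response."""
    now = time.time() if now is None else now
    # Assumption: the XML was already parsed safely and its signature verified.
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # IdP-initiated (unsolicited) response: accept only if policy allows it.
        return allow_unsolicited, "unsolicited response (no InResponseTo)"
    if pending.consume(in_response_to, now):
        return True, "matches an outstanding AuthnRequest"
    # The response names a request the SP has no record of: never issued,
    # expired, already used, or the state that held it was lost.
    return False, f"InResponseTo {in_response_to} matches no outstanding request"

def sample_response(in_response_to=None):
    """Constructed, unsigned samlp:Response used only to exercise the check."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0"{attr}/>'
```

Keeping the pending IDs in a store that survives the browser round trip, rather than only in a session that a mobile client may not carry back, is what lets the last branch distinguish a replay from lost state.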
Workaround
Currently there is no workaround for the error; however, the issue seems to be intermittent for Oracle SSO.
It might be worth considering Crowd or another Identity Provider if no login attempts are successful.
PS: our users report that the iOS version fails more often than the Android one for the Confluence Mobile App.