Identity / ID-7661

First SAML login attempt fails when ADFS has WAP enabled.


      Issue Summary

      When SAML SSO is configured against an ADFS server that is published through a Web Application Proxy (WAP), users need two login attempts: the first attempt fails with the following error message:
      "We're having trouble logging you in. There seems to be an issue with your identity provider. Wait a few moments, then try again."
      WAP is used to publish ADFS securely; Microsoft's best-practice documentation on securing AD FS recommends it:
      https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs

      Steps to Reproduce

      1. Configure ADFS published through WAP as the SAML identity provider for Atlassian.
      2. Log in as a user.

      Expected Results

      The user should be able to log in on the first attempt.

      Actual Results

      The HAR capture of the user login shows the SAML response being rejected with the following status and error message:

      Request Method: GET
      Status Code: 403
      Destination endpoint did not match

      Workaround

      Disable WAP and integrate ADFS without it.
      If disabling WAP is not an option, the only other available option is to remove the extra parameters from the POST URL of the SAML response so that its destination matches the Atlassian ACS URL exactly (the ACS rejects any destination that is not an exact match).
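The following is an added example, not code from this issue, from Atlassian or from Microsoft. It covers both the 403 "Destination endpoint did not match" in the Actual Results and the second workaround: it decodes a SAMLResponse form field as it would appear in a HAR capture, reads the Destination attribute, applies the exact-match check the ACS performs, and classifies why the check failed (different origin or path versus extra query parameters). The ACS URL, the SAML response contents and the client-request-id parameter name are assumptions made for the example.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs
from xml.sax.saxutils import escape

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Assumed SP endpoint for the example; not the real Atlassian ACS URL.
ACS_URL = "https://sp.example.com/saml/acs"


def build_response(destination: str) -> str:
    """Constructed, minimal, unsigned samlp:Response. Only the Destination
    attribute matters for this check; everything else is filler."""
    dest = escape(destination, {'"': "&quot;"})
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_id1" Version="2.0" '
        f'IssueInstant="2020-01-01T00:00:00Z" Destination="{dest}">'
        "<samlp:Status>"
        '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
        "</samlp:Status></samlp:Response>"
    )


def encode_response(destination: str) -> str:
    """Base64-encode the response as the SAMLResponse form field in a HAR capture."""
    return base64.b64encode(build_response(destination).encode()).decode()


def destination_of(saml_response_b64: str) -> str:
    """Decode a SAMLResponse form field and return its Destination attribute."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response")
    dest = root.get("Destination")
    if dest is None:
        raise ValueError("Destination attribute missing")
    return dest


def destination_matches(dest: str, acs_url: str) -> bool:
    """The strict check the issue describes: exact string equality with the ACS URL."""
    return dest == acs_url


def explain_mismatch(dest: str, acs_url: str) -> str:
    """Classify why a Destination failed the strict check."""
    d, a = urlsplit(dest), urlsplit(acs_url)
    if (d.scheme.lower(), d.netloc.lower(), d.path) != (
        a.scheme.lower(), a.netloc.lower(), a.path
    ):
        return "origin-or-path"
    extra = sorted(
        set(parse_qs(d.query, keep_blank_values=True))
        - set(parse_qs(a.query, keep_blank_values=True))
    )
    if extra:
        return "extra-query-parameters:" + ",".join(extra)
    if dest != acs_url:
        return "other-difference"
    return "match"


def triage(saml_response_b64: str, acs_url: str) -> tuple:
    """Return (Destination, passes strict check, classification) for a captured field."""
    dest = destination_of(saml_response_b64)
    return dest, destination_matches(dest, acs_url), explain_mismatch(dest, acs_url)


if __name__ == "__main__":
    good = encode_response(ACS_URL)
    # Assumed: the proxy-published IdP appends a tracking parameter to the POST URL.
    bad = encode_response(ACS_URL + "?client-request-id=0f1e2d3c")
    for label, field in (("direct", good), ("via proxy", bad)):
        print(label, triage(field, ACS_URL))
```

Running it shows the direct response passing and the proxied one failing with an extra-query-parameters classification, which is the situation the workaround addresses. The Destination binding is what stops a response issued for one endpoint being accepted at another, so the right fix is to make the IdP or proxy emit the exact ACS URL, as the workaround says, rather than loosening the service provider's comparison.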

              Matthew Ho (Inactive)
              Jayant Suneja (Inactive)
              Votes: 5
              Watchers: 8