Jira Data Center
JRASERVER-71266

When bypassing Data Center SAML SSO, Jira redirects invalid login to SSO login, CAPTCHA not displayed


Details

    • Bug
    • Resolution: Unresolved
    • Medium
    • None
    • 8.4.1
    • Login
    • None

    Description

      Issue Summary

      When Jira Data Center is configured with SAML SSO and auth_fallback is enabled as described in the KB article Bypass SAML authentication for Jira Data Center, a user who tries to log in via <JIRA_BASE_URL>/login.jsp?auth_fallback and specifies wrong credentials is taken to the SSO login page instead of being shown an invalid-credentials message and/or being asked to complete the CAPTCHA security check.

      A similar scenario was found when a user who is already flagged as requiring a CAPTCHA (because of multiple previous login failures) tries to log in: the CAPTCHA challenge is not shown, the user is redirected to the SSO login page, and the user is finally able to log in with the correct credentials without ever going through the CAPTCHA challenge.

      Steps to Reproduce

      1. Install Jira Data Center (tested on Jira 8.4.1).
      2. Integrate Jira with a SAML SSO provider (tested with Keycloak).
      3. Configure SAML as the primary authentication method on the SAML SSO configuration page in Jira.
      4. Create a Jira internal user and set a password.
      5. Try to log in using the URL <JIRA_BASE_URL>/login.jsp?auth_fallback and specify a wrong set of credentials.
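      To make the reproduction repeatable from a terminal rather than a browser, here is an added example (not Atlassian's code and not part of this report) that POSTs wrong credentials to /login.jsp?auth_fallback several times without following redirects and classifies each reply. It assumes the standard Seraph login form fields (os_username, os_password) and takes the invalid-credentials wording and the "captcha" marker from stock Jira login pages; treat those marker strings as assumptions to adjust for your instance.

```python
"""Probe how /login.jsp?auth_fallback reacts to wrong credentials.

Added example for this report, not Atlassian code. Assumes the standard Seraph
login form fields (os_username, os_password) and the marker strings below,
taken from stock Jira login pages; verify them against your instance.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# Assumed markers in a 200 response; a CAPTCHA page may also carry the
# invalid-credentials text, so CAPTCHA is tested first.
INVALID_CREDS_MARKER = "your username and password are incorrect"
CAPTCHA_MARKER = "captcha"
REDIRECT_CODES = (301, 302, 303, 307, 308)


def classify_login_response(status, location, body):
    """Classify one reply to a failed auth_fallback login.

    Correct behaviour yields 'invalid-credentials' or, once the failure
    limit is passed, 'captcha'.  The behaviour described in this report
    yields 'redirect-to-sso': a redirect whose target is not login.jsp.
    """
    if status in REDIRECT_CODES:
        target = (location or "").lower()
        return "redirect-to-login" if "login.jsp" in target else "redirect-to-sso"
    if status == 200:
        text = body.lower()
        if CAPTCHA_MARKER in text:
            return "captcha"
        if INVALID_CREDS_MARKER in text:
            return "invalid-credentials"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, username, password, attempts=5):
    """POST the same wrong credentials `attempts` times, keeping the session
    cookie between requests, and return the classification of every reply."""
    opener = urllib.request.build_opener(
        _NoRedirect, urllib.request.HTTPCookieProcessor(CookieJar()))
    url = base_url.rstrip("/") + "/login.jsp?auth_fallback"
    form = urllib.parse.urlencode({
        "os_username": username,
        "os_password": password,
        "os_destination": "",
        "user_role": "",
        "atl_token": "",
        "login": "Log In",
    }).encode()
    verdicts = []
    for _ in range(attempts):
        req = urllib.request.Request(url, data=form, method="POST")
        try:
            with opener.open(req, timeout=15) as resp:
                status = resp.status
                location = resp.headers.get("Location")
                body = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # raised for 3xx (unfollowed) and 4xx/5xx
            status = err.code
            location = err.headers.get("Location")
            body = err.read().decode("utf-8", "replace")
        verdicts.append(classify_login_response(status, location, body))
    return verdicts


if __name__ == "__main__":
    # usage: python probe_auth_fallback.py https://jira.example.com jadmin
    base, user = sys.argv[1], sys.argv[2]
    for i, verdict in enumerate(probe(base, user, "not-the-password"), 1):
        print(f"attempt {i}: {verdict}")
```

      On a correctly behaving instance the verdicts read invalid-credentials three times and then captcha; with the behaviour reported here every attempt comes back as redirect-to-sso. Run it against a throwaway account, since each attempt still increments that user's failure counter in Jira.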

      Expected Results

      Jira should display an invalid-credentials message, or render a CAPTCHA once the number of failed attempts exceeds the value of the jira.maximum.authentication.attempts.allowed property.

      Actual Results

      Jira redirects the user to the SSO login page.
      The user is not informed that their credentials are wrong.
      If a CAPTCHA is due, the CAPTCHA screen is not presented to the user, even though the failure counter keeps incrementing.
      The following messages can be seen in the security log file (atlassian-jira-security.log):

      2020-07-07 11:33:02,870 https-jsse-nio-3841-exec-22 anonymous 693x2178x1 1a7euu7 0:0:0:0:0:0:0:1 /login.jsp login : 'jadmin' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
      2020-07-07 11:33:02,879 https-jsse-nio-3841-exec-22 anonymous 693x2178x1 1a7euu7 0:0:0:0:0:0:0:1 /login.jsp The user 'jadmin' has FAILED authentication.  Failure count equals 1
      2020-07-07 11:33:18,268 https-jsse-nio-3841-exec-17 anonymous 693x2199x1 1a7euu7 0:0:0:0:0:0:0:1 /login.jsp login : 'jadmin' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
      2020-07-07 11:33:18,274 https-jsse-nio-3841-exec-17 anonymous 693x2199x1 1a7euu7 0:0:0:0:0:0:0:1 /login.jsp The user 'jadmin' has FAILED authentication.  Failure count equals 2
      2020-07-07 11:33:29,730 https-jsse-nio-3841-exec-2 anonymous 693x2219x1 1a7euu7 0:0:0:0:0:0:0:1 /login.jsp login : 'jadmin' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
      2020-07-07 11:33:29,739 https-jsse-nio-3841-exec-2 anonymous 693x2219x1 1a7euu7 0:0:0:0:0:0:0:1 /login.jsp The user 'jadmin' has FAILED authentication.  Failure count equals 3
      2020-07-07 11:33:44,763 https-jsse-nio-3841-exec-21 anonymous 693x2252x1 1a7euu7 0:0:0:0:0:0:0:1 /login.jsp The user 'jadmin' is required to answer a CAPTCHA elevated security check.  Failure count equals 4
      2020-07-07 11:34:05,302 https-jsse-nio-3841-exec-9 anonymous 694x2285x1 1a7euu7 0:0:0:0:0:0:0:1 /login.jsp The user 'jadmin' is required to answer a CAPTCHA elevated security check.  Failure count equals 5
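      The log above is the only place the failure counter is visible to the user's administrator, so here is an added example (not Atlassian's code and not part of this report) that parses atlassian-jira-security.log records into a per-user summary: highest failure count, the count at which Jira first demanded a CAPTCHA, how many failures were logged after that point, and which client addresses were involved. The record layout (timestamp, thread, authenticated user, request id, session hash, client address, path, message) is inferred from the lines quoted above, which are reused as the sample input.

```python
"""Summarise failed logins from atlassian-jira-security.log.

Added example for this report, not Atlassian code.  The record layout
(timestamp, thread, authenticated user, request id, session hash, client
address, path, message) is inferred from the lines quoted in the report,
which are reused here as the sample input.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<thread>\S+) "
    r"(?P<auth_user>\S+) (?P<req>\S+) (?P<session>\S+) (?P<addr>\S+) "
    r"(?P<path>\S+) (?P<msg>.*)$")
USER_RE = re.compile(r"'(?P<user>[^']+)'")
COUNT_RE = re.compile(r"Failure count equals (?P<n>\d+)")

# Sample input: the five failed attempts quoted in this report.
SAMPLE_LOG = """\
2020-07-07 11:33:02,870 https-jsse-nio-3841-exec-22 anonymous 693x2178x1 1a7euu7 0:0:0:0:0:0:0:1 /login.jsp login : 'jadmin' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2020-07-07 11:33:02,879 https-jsse-nio-3841-exec-22 anonymous 693x2178x1 1a7euu7 0:0:0:0:0:0:0:1 /login.jsp The user 'jadmin' has FAILED authentication.  Failure count equals 1
2020-07-07 11:33:18,268 https-jsse-nio-3841-exec-17 anonymous 693x2199x1 1a7euu7 0:0:0:0:0:0:0:1 /login.jsp login : 'jadmin' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2020-07-07 11:33:18,274 https-jsse-nio-3841-exec-17 anonymous 693x2199x1 1a7euu7 0:0:0:0:0:0:0:1 /login.jsp The user 'jadmin' has FAILED authentication.  Failure count equals 2
2020-07-07 11:33:29,730 https-jsse-nio-3841-exec-2 anonymous 693x2219x1 1a7euu7 0:0:0:0:0:0:0:1 /login.jsp login : 'jadmin' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2020-07-07 11:33:29,739 https-jsse-nio-3841-exec-2 anonymous 693x2219x1 1a7euu7 0:0:0:0:0:0:0:1 /login.jsp The user 'jadmin' has FAILED authentication.  Failure count equals 3
2020-07-07 11:33:44,763 https-jsse-nio-3841-exec-21 anonymous 693x2252x1 1a7euu7 0:0:0:0:0:0:0:1 /login.jsp The user 'jadmin' is required to answer a CAPTCHA elevated security check.  Failure count equals 4
2020-07-07 11:34:05,302 https-jsse-nio-3841-exec-9 anonymous 694x2285x1 1a7euu7 0:0:0:0:0:0:0:1 /login.jsp The user 'jadmin' is required to answer a CAPTCHA elevated security check.  Failure count equals 5
"""


def parse_line(line):
    """Split one security-log record into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return rec


def summarise(lines):
    """Per-user view built from the records that carry a failure count.

    The 'tried to login' line preceding each FAILED record adds nothing and
    is skipped.  For each user we keep the highest count seen, the count at
    which Jira first demanded a CAPTCHA, how many failures were logged after
    that point, the time span of the activity and the client addresses.
    """
    users = {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        who = USER_RE.search(rec["msg"])
        cnt = COUNT_RE.search(rec["msg"])
        if not (who and cnt):
            continue
        n = int(cnt.group("n"))
        st = users.setdefault(who.group("user"), {
            "failures": 0, "elevated_at": None, "attempts_after_elevation": 0,
            "first": rec["ts"], "last": rec["ts"], "sources": set()})
        st["failures"] = max(st["failures"], n)
        st["first"] = min(st["first"], rec["ts"])
        st["last"] = max(st["last"], rec["ts"])
        st["sources"].add(rec["addr"])
        if "CAPTCHA" in rec["msg"]:
            if st["elevated_at"] is None:
                st["elevated_at"] = n
            else:
                st["attempts_after_elevation"] += 1
    for st in users.values():
        st["span_seconds"] = (st["last"] - st["first"]).total_seconds()
        st["sources"] = sorted(st["sources"])
    return users


def locked_out(summary, max_attempts=3):
    """Users whose count passed jira.maximum.authentication.attempts.allowed
    (default 3): they owe a CAPTCHA, or with this bug an admin reset."""
    return sorted(u for u, st in summary.items() if st["failures"] > max_attempts)


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines())
    for user, st in summary.items():
        print(user, st)
    print("needs admin reset:", locked_out(summary))
```

      For the quoted lines this reports jadmin at five failures, elevated to CAPTCHA at the fourth, with one further failure after elevation from a single address. A failure logged after elevation is the signal worth alerting on here: on a healthy instance it means someone answered a CAPTCHA wrongly, while with this bug it means the user never saw one and will keep locking themselves out until an administrator resets the count.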
      

      From the UI, the redirects can be seen in the attached screenshots.

      Workaround

      If the user remembers the password within the first couple of tries, they can click Back in the browser and try to log in again.
      If Jira decides to require a CAPTCHA after multiple failed login attempts, the CAPTCHA screen is not rendered and there is no way for the user to log in on their own.
      The user will need to contact a Jira administrator to reset the failed-login count (which clears the CAPTCHA requirement) from Jira user management.

      Attachments

        1. screenshot_472.png (78 kB)
        2. screenshot_473.png (131 kB)
        3. screenshot_474.png (200 kB)

            People

              Assignee: Unassigned
              Reporter: Sherif Abdelfattah (sabdelfattah)
              Votes: 22
              Watchers: 22
