Jira redirects the users back to the login page when SSO is used with Crowd


    • 8.22
    • 11
    • Severity 3 - Minor
    • 2

      Issue Summary

      Jira redirects the users back to the login page when SSO is used with Crowd (when SSOSeraphAuthenticator is enabled in the seraph-config.xml). It works fine when Crowd is not used (when JiraSeraphAuthenticator is enabled).

      This is reproducible on Data Center: Yes

      Steps to Reproduce

      1. Create a Jira 9.12.4 and Crowd 5.2.3 environment
      2. Configure Crowd by adding the Jira application
      3. Add Crowd directory in Jira
      4. Configure SSO in Jira by using Jira's SSO application
      5. Add crowd.properties file under Jira_Install/application-data/WEB-INF/classes
      6. Edit seraph-config.properties, enable SSOSeraphAuthenticator and disable JiraSeraphAuthenticator
         <!-- CROWD:START - If enabling Crowd SSO integration uncomment the following SSOSeraphAuthenticator and comment out the JiraSeraphAuthenticator below -->
         <authenticator class="com.atlassian.jira.security.login.SSOSeraphAuthenticator"/>
         <!-- CROWD:END -->

         <!-- CROWD:START - The authenticator below here will need to be commented out for Crowd SSO integration -->
         <!-- <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/> -->
         <!-- CROWD:END -->

      7. Restart Jira to activate the changes
      8. Log in Jira using SSO

      Expected Results

      Jira should allow users to log in

      Actual Results

      The login screen appears and the user clicks on the SSO login:

      SSO login screen appears successfully:

      After the user provides the credentials and clicks on login, they are redirected to the Jira login page again:

      The below exception is thrown in the Crowd application log file:

      2024-03-13 11:10:51,412 http-nio-8095-exec-16 url: /crowd/rest/usermanagement/1/session ERROR [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] Rejecting authentication without validating password of user 'XXXX' for app 'jira' because authentication without validating password is disabled for this app
      

      Workaround

      Enable the "Allow to generate user tokens" option in Crowd.
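
To confirm that a login loop is caused by this rejection, and to see which Crowd applications and users are affected before changing the setting, the Crowd application log can be searched for the entry quoted under Actual Results. The script below is an added example, not part of the original issue or of Atlassian's code; the function name, the regular expression and every sample line except the one quoted above are constructed, and the log layout is assumed from that single line.

```python
import re

# Matches the Crowd log entry quoted in this issue. The field layout is taken
# from that single line; other Crowd versions may differ (assumption).
REJECTION = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \S+ url: \S+ "
    r"ERROR \[[^\]]+\] Rejecting authentication without validating password "
    r"of user '(?P<user>[^']*)' for app '(?P<app>[^']*)'"
)

# Constructed sample: line 2 is the entry from this issue, the rest are made up.
SAMPLE_LOG = """\
2024-03-13 11:10:49,003 http-nio-8095-exec-3 url: /crowd/console/login.action INFO [example.constructed.Logger] constructed unrelated entry
2024-03-13 11:10:51,412 http-nio-8095-exec-16 url: /crowd/rest/usermanagement/1/session ERROR [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] Rejecting authentication without validating password of user 'XXXX' for app 'jira' because authentication without validating password is disabled for this app
2024-03-13 11:12:07,930 http-nio-8095-exec-9 url: /crowd/rest/usermanagement/1/session ERROR [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] Rejecting authentication without validating password of user 'alice' for app 'jira' because authentication without validating password is disabled for this app
2024-03-13 11:12:08,101 http-nio-8095-exec-9 url: /crowd/rest/usermanagement/1/session ERROR [example.constructed.Logger] constructed unrelated error
""".splitlines()


def find_rejections(lines):
    """Group password-less authentication rejections by Crowd application."""
    summary = {}
    for line in lines:
        m = REJECTION.match(line.strip())
        if m is None:
            continue  # unrelated entry or stack-trace continuation line
        app = summary.setdefault(
            m["app"], {"count": 0, "users": set(), "first": m["ts"], "last": m["ts"]}
        )
        app["count"] += 1
        app["users"].add(m["user"])
        # Timestamps in this format sort correctly as plain strings.
        app["first"] = min(app["first"], m["ts"])
        app["last"] = max(app["last"], m["ts"])
    return summary


if __name__ == "__main__":
    # Pass the lines of the Crowd application log here instead of the sample.
    for name, info in find_rejections(SAMPLE_LOG).items():
        print(f"app={name} rejections={info['count']} users={sorted(info['users'])} "
              f"window={info['first']} .. {info['last']}")
```
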

            Assignee:
            Unassigned
            Reporter:
            Alp (Inactive)