Project: SAML for Atlassian Data Center
Issue: SAMLDC-104

Disabled JIT users in Jira get attribute updates after successful auth at IdP

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • Fix Version: None
    • Affects Version: 4.1.11
    • Component: SSO

      Issue Summary

      For any JIT-provisioned user that has been disabled in Jira, a successful authentication at the IdP still causes the user's attributes to be updated in Jira after authentication, even though the user is not allowed to log in.

      Steps to Reproduce

      1. Set up SSO with SAML in Jira.
      2. Enable JIT provisioning.
      3. Log in with a user account that does not exist in Jira.
      4. Once the user has been created in the Jira internal directory, disable it.
      5. Change one of the user's attributes in LDAP, for example FirstName or Email.
      6. Log in to Jira using this disabled account.
      7. Jira blocks the user's access; however, the updated attribute from LDAP is synced into Jira.

      Expected Results

      A disabled user should not get updated.

      Actual Results

      Jira blocks the user's access; however, the updated attribute from LDAP is synced into Jira.

      The below exception is thrown in the atlassian-jira.log file:

      2021-12-17 14:46:20,094+0530 https-jsse-nio-8851-exec-4 ERROR anonymous 886x1240x1 1dqukzq 0:0:0:0:0:0:0:1 /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received SSO request for user jituser@dsidhpura.lab, but the user does not exist
      com.atlassian.plugins.authentication.impl.web.usercontext.AuthenticationFailedException: Received SSO request for user jituser@dsidhpura.lab, but the user does not exist
          at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.lambda$doPost$0(SamlConsumerServlet.java:107)
          at java.util.Optional.orElseThrow(Optional.java:290)
          at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:107)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:652)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
          at com.atlassian.plugin.servlet.DelegatingPluginServlet.service(DelegatingPluginServlet.java:37)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
          at com.atlassian.plugin.servlet.ServletModuleContainerServlet.service(ServletModuleContainerServlet.java:46)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
          ... 48 filtered
          at com.atlassian.jira.plugin.mobile.web.filter.MobileAppRequestFilter.doFilter(MobileAppRequestFilter.java:59)
          ... 4 filtered
          at com.atlassian.jira.plugin.mobile.login.MobileLoginSuccessFilter.doFilter(MobileLoginSuccessFilter.java:54)
          ... 3 filtered
          at com.atlassian.diagnostics.internal.platform.monitor.http.HttpRequestMonitoringFilter.doFilter(HttpRequestMonitoringFilter.java:55)
          ... 8 filtered
          at com.atlassian.plugins.authentication.impl.web.filter.ErrorHandlingFilter.doFilterInternal(ErrorHandlingFilter.java:78)
          at com.atlassian.plugins.authentication.impl.web.filter.AbstractJohnsonAwareFilter.doFilter(AbstractJohnsonAwareFilter.java:29)
          ... 3 filtered
          at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
          ... 48 filtered
          at com.atlassian.plugins.slack.analytics.SlackAnalyticsFilter.doFilter(SlackAnalyticsFilter.java:35)
          ... 3 filtered
          at com.atlassian.troubleshooting.thready.filter.AbstractThreadNamingFilter.doFilter(AbstractThreadNamingFilter.java:46)
          ... 17 filtered
          at com.atlassian.jira.security.JiraSecurityFilter.lambda$doFilter$0(JiraSecurityFilter.java:66)
          ... 1 filtered
          at com.atlassian.jira.security.JiraSecurityFilter.doFilter(JiraSecurityFilter.java:64)
          ... 36 filtered
          at com.atlassian.jira.servermetrics.CorrelationIdPopulatorFilter.doFilter(CorrelationIdPopulatorFilter.java:30)
          ... 5 filtered
          at com.atlassian.jwt.internal.servlet.JwtAuthFilter.doFilter(JwtAuthFilter.java:37)
          ... 8 filtered
          at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
          ... 4 filtered
          at com.atlassian.troubleshooting.thready.filter.AbstractThreadNamingFilter.doFilter(AbstractThreadNamingFilter.java:46)
          ... 3 filtered
          at com.atlassian.web.servlet.plugin.LocationCleanerFilter.doFilter(LocationCleanerFilter.java:36)
          ... 29 filtered
          at com.atlassian.jira.servermetrics.MetricsCollectorFilter.doFilter(MetricsCollectorFilter.java:25)
          ... 25 filtered
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
          at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
          at java.lang.Thread.run(Thread.java:748)

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.
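As an added illustration (not the plugin's code), the following simulated JIT handler contrasts the ordering reported above, in which attributes from the IdP assertion are written before the account's active flag is checked, with the expected ordering, in which a disabled account is rejected before any write. The directory, user names and attribute values are constructed for the example.

```python
# Constructed simulation of a SAML JIT login handler; not the Atlassian plugin's code.
class LoginBlocked(Exception):
    """Raised when the local account is disabled."""

def _apply(user, attrs):
    # Sync the attributes carried in the IdP assertion into the local user record.
    user["email"] = attrs["email"]
    user["displayName"] = attrs["displayName"]

def jit_login_reported(directory, username, attrs):
    """Ordering as reported: attributes are synced before the active check."""
    user = directory.get(username)
    if user is None:
        user = directory[username] = {"active": True}
    _apply(user, attrs)               # runs even when the account is disabled
    if not user["active"]:
        raise LoginBlocked(username)  # login refused, but the sync already happened
    return user

def jit_login_expected(directory, username, attrs):
    """Expected ordering: a disabled account is rejected before anything is written."""
    user = directory.get(username)
    if user is not None and not user["active"]:
        raise LoginBlocked(username)  # nothing has been written yet
    if user is None:
        user = directory[username] = {"active": True}
    _apply(user, attrs)
    return user

def reproduce(handler):
    """Runs steps 3-7 of the report against a handler.
    Returns (login_blocked, email_after_second_login)."""
    directory = {}  # constructed stand-in for the Jira internal directory
    handler(directory, "jituser", {"email": "jituser@example.test", "displayName": "JIT User"})
    directory["jituser"]["active"] = False  # step 4: the JIT-created account is disabled
    changed = {"email": "changed@example.test", "displayName": "JIT User"}  # step 5: attribute changed at the IdP
    try:
        handler(directory, "jituser", changed)  # step 6: disabled user authenticates at the IdP
        blocked = False
    except LoginBlocked:
        blocked = True
    return blocked, directory["jituser"]["email"]

if __name__ == "__main__":
    print("reported:", reproduce(jit_login_reported))   # (True, 'changed@example.test')
    print("expected:", reproduce(jit_login_expected))   # (True, 'jituser@example.test')
```

Both variants refuse the login; only the reported ordering leaves the disabled account's attributes modified, which is the state an administrator would want to audit for.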

      Assignee: Unassigned
      Reporter: Deepak Sidhpura (dsidhpura@atlassian.com)