SAML - Atlassian as Service Provider returns 'Audience is invalid'

Hello people,

I would like to have Auth0 as Identity Provider and Atlassian as Service Provider.

I use Auth0 development environment and Atlassian trial version. I’ve created Auth0 Single Page Application with SAML2 Web App add on enabled. I also have Atlassian Admin account. And I want to login into Atlassian with Auth0 account.

I was setting up SAML add on and Atlassian’s corresponding section with this Auth0 tutorial.

My Atlassian settings are:
Identity provider Entity ID: urn:<tenant_name>.us.auth0.com
Identity provider SSO URL: https://<tenant-name>.us.auth0.com/samlp/<app_client_id>

When I try to login via the Identity Provider Login URL: https://<tenant-name>.us.auth0.com/samlp/<app_client_id> I can login to Auth0, but when I’m redirected to Atlassian, I get its login error page with no info. However, in the URL there is the error description Audience is invalid.

https://id.atlassian.com/error?error=access_denied&error_description=Audience%20is%20invalid.

Audience is Identity provider Entity ID (in Atlassian) and Issuer (in Auth0)?

Do you have any idea if I set up something wrong or what could be the issue?

Best Regards,
Dmitrij

Hi @DmitrijB,

Welcome to the Auth0 Community!

I have checked your application’s SAML2 Web app add-on settings and noticed that you did not specify the audience.

You would need to add the following in your settings:

{
 "audience":  "urn:<tenant_name>.us.auth0.com"
}

Let me know how this goes for you.

Thanks,
Rueben

Hi @rueben.tiow ,

Thank you for a quick reply!

I’ve added the audience attribute, however nothing changed.

The audience attribute was missing in the tutorial, maybe something else is missing as well? Here are my settings JSON.

{
  "audience": "urn:dev-rqkp0t6lf3ymnahl.us.auth0.com",
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
  },
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:email"
}

When I click Debug button, I see debug SAML response and there is audience

    <saml:Conditions NotBefore="2024-07-23T07:33:47.244Z" NotOnOrAfter="2024-07-23T08:33:47.244Z">
      <saml:AudienceRestriction>
        <saml:Audience>urn:dev-rqkp0t6lf3ymnahl.us.auth0.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>

urn:dev-rqkp0t6lf3ymnahl.us.auth0.com is my IdP Entity ID, right? And is this exactly the string I should set in the Atlassian SAML configuration? Maybe Atlassian has a problem with the URN format?

Thanks,
Dmitrij

Hi @DmitrijB,

Thanks for the reply.

I have reviewed Atlassian’s doc here and found that the audience should refer to the service provider entity ID from Atlassian.

Could you give that a try?

Thanks,
Rueben


Hi @rueben.tiow,

I’ve changed the audience attribute in the SAML2 add-on JSON settings to

{
    "audience": "https://auth.atlassian.com/saml/67ed9dad-44c4-40df-984d-353ce2aa5152",
    "mappings": { ... }
}

Now when I go to Identity Provider Login URL I don’t get Audience is invalid, but I have another error:

https://id.atlassian.com/error?error=access_denied&error_description=authentication-policy-strategy-mismatch

Thank you,
Dmitrij

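Working through the audience check that produced the error in this thread, as an added example that is not code from Auth0, Atlassian or anyone posting here: a service provider compares the `<saml:Audience>` in the assertion against its own entity ID, so an assertion carrying the IdP's entity ID (the first configuration above) is rejected with "Audience is invalid", while the SP entity ID (the corrected configuration) passes. The assertion XML, the `now` timestamp and the entity IDs are constructed from the values quoted in the posts.

```python
"""SP-side check of a SAML assertion's Conditions: audience and validity window.

Added example; not Auth0's or Atlassian's code.  The assertion below is
constructed from the Conditions element shown in this thread.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: the Conditions block Auth0's Debug button showed, wrapped in
# a minimal Assertion so it parses stand-alone.  {audience} is filled below.
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>urn:dev-rqkp0t6lf3ymnahl.us.auth0.com</saml:Issuer>
  <saml:Conditions NotBefore="2024-07-23T07:33:47.244Z" NotOnOrAfter="2024-07-23T08:33:47.244Z">
    <saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Values from the thread: the IdP entity ID (wrong audience) and the
# Atlassian SP entity ID (correct audience).
IDP_ENTITY_ID = "urn:dev-rqkp0t6lf3ymnahl.us.auth0.com"
SP_ENTITY_ID = "https://auth.atlassian.com/saml/67ed9dad-44c4-40df-984d-353ce2aa5152"


def parse_saml_time(value):
    """Parse a SAML xs:dateTime (UTC, trailing 'Z') into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def check_conditions(assertion_xml, expected_audience, now):
    """Return (ok, reason) for the Conditions element of an assertion.

    Mirrors what an SP does after signature verification: 'now' must lie in
    [NotBefore, NotOnOrAfter) and every AudienceRestriction must name the
    SP's own entity ID (per SAML core, restrictions are AND-ed, the Audience
    values inside one restriction are OR-ed).
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "no Conditions element"

    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    if now < not_before or now >= not_on_or_after:
        return False, "assertion outside validity window"

    restrictions = conditions.findall("saml:AudienceRestriction", SAML_NS)
    if not restrictions:
        return False, "no AudienceRestriction"
    for restriction in restrictions:
        audiences = [(a.text or "").strip()
                     for a in restriction.findall("saml:Audience", SAML_NS)]
        if expected_audience not in audiences:
            return False, "Audience is invalid"
    return True, "ok"


def demo(now_text="2024-07-23T08:00:00Z"):
    """Run the check for both configurations from the thread; returns both results."""
    now = parse_saml_time(now_text)
    wrong = ASSERTION_TEMPLATE.format(audience=IDP_ENTITY_ID)   # first attempt
    right = ASSERTION_TEMPLATE.format(audience=SP_ENTITY_ID)    # corrected
    return (check_conditions(wrong, SP_ENTITY_ID, now),
            check_conditions(right, SP_ENTITY_ID, now))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Only the Conditions checks are shown; a real SP verifies the XML signature first and should parse untrusted XML with a hardened parser (for example defusedxml) rather than the standard library module used here for brevity.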

I was in touch with Atlassian support and we were able to resolve this issue.

About authentication-policy-strategy-mismatch error:

Usually we see the below error when SAML SSO is not enforced on the managed user account using an authentication policy in Atlassian and the user tries to login with IdP-initiated SAML SSO, or in the SAML response you are passing a different user email as NameId on which SAML SSO is not enforced.
To resolve the issue could you please add this managed user Atlassian account to an authentication policy in which SAML SSO is enforced.

However, an account can be ‘managed’ only if it belongs to a verified domain.

Q. So SSO could use only managed users? Which have to have a verified domain? I cannot use @gmail.com emails?
A: Yes, currently the Atlassian cloud does not have a feature to enforce SAML SSO for “external” users (users whose domain is not verified by your organization).

That being said, we are already working on improving security controls for external users, and the following is the corresponding public feature request:

  • ACCESS-1362 - Enforce SSO for users on unverified domains (external user security).

So I can use Auth0 + Atlassian SSO, but only with emails from verified domains, which is not very useful if I have external users/customers.

Regards,
Dmitrij


Hi @DmitrijB,

Thanks for getting back.

I’m glad to hear that you were able to resolve the issue.

Let us know if you have any additional questions.

Thanks,
Rueben
