SAML SSO authentication with JIT option fails with "Received SSO request for user xyz, but the user is not permitted to log in" error in Bitbucket Data Center
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
SAML SSO integration with the JIT (Just In Time) provisioning option enabled in Bitbucket Data Center rejects the login when the user tries to sign in through the IdP.
In the logs, we see the below error:
2023-03-29 12:49:12,472 ERROR https-jsse-nio-7990-exec-5 @HGA6LMx769x180350x0 8080k 10.20.30.40,10.16.61.10 "POST /plugins/servlet/samlconsumer HTTP/1.1" c.a.p.a.s.w.f.ErrorHandlingFilter 47e2e66e-2a42-abcd-efgh-ab94dd3c4aq Received SSO request for user xyz, but the user is not permitted to log in
Environment
Bitbucket Data Center 7.17.16
SAML SSO Integration with IDP (Google IDP, Azure AD etc.)
Diagnosis
For "the user is not permitted to log in", verify the following points:
1. Get the user ID from the NameID element of the SAML response (check its Format attribute as well) and verify that Bitbucket contains a user whose username matches that NameID value.
2. If the user is present in Bitbucket, check that the group the user should belong to has been created in Bitbucket. Its name must match the value sent by the IdP in the "Groups" or "groups" attribute.
3. If the user is a member of that group in Bitbucket as described in step 2, check that the group holds valid global permissions.
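The three checks above, run offline against a captured SAMLResponse and a snapshot of the Bitbucket user, group and global-permission tables. This is an added diagnostic example, not Atlassian code; the SAML response, user list, group list and permission table are constructed sample data, and the attribute name "groups" and the permission names are assumptions to adapt to your IdP and instance. It decodes only; it does not validate the signature, issuer or audience, so use it on a response you have already captured from a real login attempt, never as a substitute for the plugin's own validation.

```python
"""Offline check for the Bitbucket DC SAML JIT "user is not permitted to log in" error.

Added example (not Atlassian code). Constructed sample data throughout.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SAMLResponse as posted to /plugins/servlet/samlconsumer (signature
# omitted). NameID "xyz" matches the username in the log line of this article.
SAMPLE_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">xyz</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>bitbucket-developers</saml:AttributeValue>
        <saml:AttributeValue>everyone</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_ASSERTION.encode()).decode()

# Constructed snapshot of the Bitbucket side (Administration > Users, Groups,
# Global permissions). Failing state: the group exists but has no global permission,
# and one IdP group was never created in Bitbucket.
BITBUCKET_USERS = {"xyz", "alice"}
BITBUCKET_GROUPS = {"bitbucket-developers", "bitbucket-admins"}
GLOBAL_GROUP_PERMISSIONS = {"bitbucket-admins": "SYS_ADMIN"}


def parse_saml_response(saml_response_b64, group_attribute="groups"):
    """Return (name_id, name_id_format, group_values) from a base64 SAMLResponse.

    Diagnostic only: no signature, issuer, audience or time-window validation.
    The group attribute name is an assumption; Azure AD and Google use different ones.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("no NameID in SAML response")
    groups = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == group_attribute:
            groups += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return name_id.text.strip(), name_id.get("Format", ""), groups


def diagnose(name_id, idp_groups, users, groups, global_perms):
    """Apply the three Diagnosis steps; return findings (empty list = login should be allowed).

    Names are compared exactly; if your directory matches case-insensitively,
    normalise both sides first.
    """
    findings = []
    if name_id not in users:
        findings.append(f"step 1: no Bitbucket user with username '{name_id}' (NameID)")
    missing = [g for g in idp_groups if g not in groups]
    if missing:
        findings.append(f"step 2: IdP groups not created in Bitbucket: {missing}")
    permitted = [g for g in idp_groups if g in groups and g in global_perms]
    if not permitted:
        findings.append("step 3: none of the user's groups holds a global permission "
                        "(add the group under Global permissions > Groups)")
    return findings


if __name__ == "__main__":
    uid, fmt, idp_groups = parse_saml_response(SAMPLE_SAML_RESPONSE)
    print(f"NameID={uid!r} format={fmt} groups={idp_groups}")
    for line in diagnose(uid, idp_groups, BITBUCKET_USERS, BITBUCKET_GROUPS, GLOBAL_GROUP_PERMISSIONS):
        print("FINDING:", line)
```

On the constructed data the script reports two findings (the "everyone" group does not exist in Bitbucket, and "bitbucket-developers" holds no global permission); adding the group under Global permissions with the Bitbucket User (LICENSED_USER) permission, and creating the missing group, clears them. Against a real instance, feed it the base64 SAMLResponse from the browser's network trace and the user, group and permission lists from the admin pages.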
Cause
This issue occurs when the JIT option is enabled in the SAML SSO configuration and the group that the user is to be provisioned into, which must exist in Bitbucket before the user logs in, has not been added in the "Global Permissions" → "Groups" section in Bitbucket.
Solution
Make sure the group has been added in Bitbucket → Administration → Global permissions → Group access, and that the group holds the required permissions (at least Bitbucket User, which is the permission that allows a member to log in).