Received SSO request for user --username--, but the user does not exist
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
A user tries to log in to Confluence and receives the error "We can't log you in right now, Please contact your administrator".
When we check the logs we can see the following error:
2024-01-01 10:00:00,000 ERROR [https-jsse-nio2-443-exec-1] [impl.web.filter.ErrorHandlingFilter] logException [UUID: egtd562g-4000-8777-8hg8-e3c21hgh209c] Received SSO request for user <username>, but the user does not exist
-- url: /plugins/servlet/samlconsumer | userName: anonymous | referer: <URL> | traceId: b63488239e5e3d33v
com.atlassian.plugins.authentication.impl.web.usercontext.AuthenticationFailedException: Received SSO request for user <username>, but the user does not exist
Environment
Confluence Data Center
SSO SAML Integration with IDP
Diagnosis
- Verify that Username Mapping is set to the correct field coming from the SSO, usually ${NameID}. For more details, see SAML single sign-on for Atlassian Data Center applications.
- Verify that your IDP returns the user in the same format as the username set up in Confluence. Sometimes the username is set up in Confluence as userid but the IDP is sending the email format, userid@domain.com.
If you can't see the user returned in the logs, check the SAML responses in your browser by following the steps documented in How to view SAML responses in your browser for troubleshooting. You will see a SAML assertion similar to the following from your IDP for NameID:
<saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@mydomain.com</saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData InResponseTo="ONELOGIN_f47f48d6-351b-4eaf-bc34-f43d55f656c0" NotOnOrAfter="2021-09-01T10:43:46.713Z" Recipient="https://confluence.mycorp.com/plugins/servlet/samlconsumer"/>
  </saml2:SubjectConfirmation>
</saml2:Subject>
In this case, the email address user@mydomain.com is sent in the SAML response to Confluence. Confluence looks for user@mydomain.com as the username to process the authentication request.
- Get the user ID from the NameID element of the SAML response and verify that Confluence contains a user with a username matching the NameID field.
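The check described in the steps above can be scripted. The following is an added example, not Atlassian code: it assumes you have copied the base64 SAMLResponse form value from the browser and have a list of Confluence usernames to compare against. The sample response, the username list and the function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, modelled on the Subject element shown above.
SAMPLE_XML = (
    '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml2:Assertion><saml2:Subject>'
    '<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
    'user@mydomain.com</saml2:NameID>'
    '</saml2:Subject></saml2:Assertion></saml2p:Response>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def extract_name_id(saml_response_b64):
    """Return (NameID, Format) from a base64 SAMLResponse form value.

    Troubleshooting only: the signature is not verified, so never use
    this result to make an authentication decision.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    node = root.find(".//saml2:Subject/saml2:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("SAML response carries no NameID")
    return node.text.strip(), node.get("Format")


def diagnose(name_id, usernames):
    """Explain how the NameID relates to the usernames known to Confluence."""
    if name_id in usernames:
        return "match"
    local = name_id.split("@", 1)[0]
    if "@" in name_id and local in usernames:
        return f"IdP sends email format; Confluence username is '{local}'"
    emails = [u for u in usernames if "@" in u and u.split("@", 1)[0] == name_id]
    if emails:
        return f"IdP sends userid; Confluence username is '{emails[0]}'"
    return "no user with this name"


if __name__ == "__main__":
    name_id, fmt = extract_name_id(SAMPLE_B64)
    print(name_id, fmt)
    print(diagnose(name_id, ["user", "jsmith"]))  # constructed username list
```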
Cause
Confluence looks for the username that matches the NameID returned in the SAML response. The returned value must match the username field in Confluence, or the login will fail.
Solution
Make sure the field set to NameID in the IDP configuration matches the username configured in Confluence.