...

  • The client secret for your OIDC integration has expired.

  • You accidentally copied and pasted the wrong value. For example, Microsoft Entra ID / Azure AD shows a "Secret ID" field next to the client secret, and the two are often confused; only the secret value itself is the client secret.

SAML

Why do I get the error code SUBJECT_CONFIRMATION_DATA_UNEXPECTED_IN_RESPONSE_TO?

When a user is redirected from an Atlassian Data Center instance to the identity provider for authentication, the redirect carries a unique authentication request ID. When the IDP later returns the user to the Atlassian Data Center instance, the SAML Response from the IDP must contain an InResponseTo attribute with that same ID. If the add-on receives a SAML Response whose InResponseTo ID is not one it currently knows, you will see that error message.

It can happen for a number of reasons:

  • The user spent too long at the IDP (more than 30 minutes), so the ID is no longer recognized by the time the user returns with a SAML Response. The most common cause is browser windows left open from the previous work day and similar.

  • VPN: if the users are connecting to your Data Center through a saturated VPN, you may

  • Replay: An ID can only be used once. If a user reloads certain login pages, the same SAML Response can end up being POSTed again. The ID was already removed on first use and is no longer usable, generating that error.

  • Data Center specific: Clustering problems. The ID is stored in a distributed cache (atlassian-cache). This ensures that if the user returns to a different node than the one that initiated login, login can still continue successfully. Usually though, sticky sessions ensure users return to the server they started on.

    • If you have load balancing problems and cannot achieve sticky sessions, then you may encounter this error. You may also see users experiencing login loops.
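The following is an added illustration of the validation described above, not code from the add-on itself: a request-ID store with a 30-minute lifetime and one-shot consumption, and a check that the InResponseTo value on a SAML Response (and on its SubjectConfirmationData) matches a pending ID. It reproduces the three failure modes listed above (expired ID, replayed response, unknown ID such as one issued by another node without a shared cache). The in-memory dictionary stands in for the distributed cache, the XML sample is constructed, and the function and class names are this example's own.

```python
import time
import xml.etree.ElementTree as ET  # production code should parse untrusted SAML with defusedxml

# Error code name as given on the page; the TTL is the 30-minute figure the page cites.
ERROR_CODE = "SUBJECT_CONFIRMATION_DATA_UNEXPECTED_IN_RESPONSE_TO"
REQUEST_ID_TTL_SECONDS = 30 * 60

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


class PendingRequestStore:
    """In-memory stand-in for the distributed cache: request ID -> time issued."""

    def __init__(self, ttl=REQUEST_ID_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}

    def issue(self, request_id):
        """Record the ID sent to the IDP in the AuthnRequest."""
        self._pending[request_id] = self._clock()

    def consume(self, request_id):
        """Remove the ID and report whether it was known and still within its TTL.
        Removing on first use is what makes a re-POSTed response fail (replay)."""
        issued = self._pending.pop(request_id, None)
        if issued is None:
            return False
        return self._clock() - issued <= self._ttl


def validate_in_response_to(saml_response_xml, store):
    """Return None when the response answers a pending request, else the error code."""
    root = ET.fromstring(saml_response_xml)
    ids = set()
    top_level = root.get("InResponseTo")
    if top_level:
        ids.add(top_level)
    for scd in root.findall(".//saml:SubjectConfirmationData", NS):
        value = scd.get("InResponseTo")
        if value:
            ids.add(value)
    # Missing, or inconsistent between Response and SubjectConfirmationData: reject.
    if len(ids) != 1:
        return ERROR_CODE
    if not store.consume(ids.pop()):
        return ERROR_CODE
    return None


def build_response(request_id, scd_request_id=None):
    """Constructed minimal SAML Response; signatures and conditions omitted for brevity."""
    scd_request_id = scd_request_id or request_id
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_resp1" Version="2.0" InResponseTo="%s">'
        '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        '<saml:NameID>alice</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        '<saml:SubjectConfirmationData InResponseTo="%s"/>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
    ) % (request_id, scd_request_id)


class FakeClock:
    """Controllable clock so the expiry case can be exercised without waiting."""

    def __init__(self):
        self.now = 1_700_000_000.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_scenarios():
    clock = FakeClock()
    store = PendingRequestStore(clock=clock)
    results = {}
    # Happy path: ID issued, user returns promptly, response consumed once.
    store.issue("_req_ok")
    results["fresh"] = validate_in_response_to(build_response("_req_ok"), store)
    # Replay: the same response is POSTed again after the ID was consumed.
    results["replay"] = validate_in_response_to(build_response("_req_ok"), store)
    # Expired: user sat at the IDP longer than the TTL before returning.
    store.issue("_req_slow")
    clock.advance(31 * 60)
    results["expired"] = validate_in_response_to(build_response("_req_slow"), store)
    # Unknown: ID never issued by this store (e.g. another node, no shared cache).
    results["unknown"] = validate_in_response_to(build_response("_req_other_node"), store)
    # Inconsistent: Response and SubjectConfirmationData disagree on the ID.
    store.issue("_req_mix")
    results["mismatch"] = validate_in_response_to(build_response("_req_mix", "_req_x"), store)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {'OK' if outcome is None else outcome}")
```

The expiry and one-shot rules both live in `consume`, which is why a shared, cluster-wide store matters: a node that never saw the ID issued treats the response exactly like the "unknown" case above.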

Environment

Which Identity Providers do you support?

...