Bug in KSSO version 6.7.0: OIDC Just-in-time provisioning

Subscribe to our security and critical updates mailing list if you want to receive announcements like this by email.

Date published




A bug in Kantega SSO Enterprise version 6.7.0 breaks login when using OIDC and JIT provisioning.

Affected apps

Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira
Kantega SAML SSO OIDC Kerberos Single Sign-on for Confluence
Kantega SAML SSO OIDC Kerberos Single Sign-on for Bitbucket
Kantega SAML SSO OIDC Kerberos Single Sign-on for Bamboo

Affected version

Kantega SSO Enterprise version 6.7.0

Affected product feature

Identity Providers > OIDC

We have received reports that a bug has been found in the OpenID Connect login in version 6.7.0. This leads to a broken login when running just-in-time user provisioning. Downgrade is recommended until an update is published.




Because of an error in the parsing of ID token attributes with the new feature in 6.7.0, non-username attributes such as email, groups and other data are left out of the data that is parsed in the login process. This breaks just-in-time user provisioning and group assignments, since this data is lost along the way.

This will in some cases lead to a broken login, and users will not be able to log into the respective Atlassian system. So far it seems like this bug only affects installations that are running just-in-time user provisioning in their OIDC setup.
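When troubleshooting, it helps to confirm that the identity provider still sends the attributes, so that the loss can be attributed to the app and not to the IdP configuration. The following diagnostic is an added example, not Kantega's code: it decodes an ID token payload, reports whether the claims JIT provisioning depends on are present, and models the username-only outcome described above. The claim names `preferred_username`, `email` and `groups` and the sample token are assumptions constructed for illustration.

```python
import base64
import json

# Assumed claim names; the real ones depend on the IdP and the configured attribute mapping.
USERNAME_CLAIM = "preferred_username"
JIT_CLAIMS = ("email", "groups")

def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def id_token_claims(id_token: str) -> dict:
    """Return the payload of a compact-JWS ID token. The signature is NOT verified:
    use this for troubleshooting only, never for a login decision."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))

def jit_readiness(claims: dict) -> dict:
    """Report which claims needed for JIT provisioning are absent or empty."""
    needed = (USERNAME_CLAIM, *JIT_CLAIMS)
    missing = [c for c in needed if claims.get(c) in (None, "", [])]
    return {"username": claims.get(USERNAME_CLAIM), "missing": missing, "ready": not missing}

def username_only(claims: dict) -> dict:
    """Model of the reported failure: every attribute except the username is dropped."""
    return {k: v for k, v in claims.items() if k == USERNAME_CLAIM}

def _segment(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token (placeholder signature), so the script runs offline.
SAMPLE_ID_TOKEN = ".".join([
    _segment({"alg": "RS256", "typ": "JWT"}),
    _segment({"sub": "1234", "preferred_username": "jdoe",
              "email": "jdoe@example.com", "groups": ["jira-users"]}),
    "placeholder-signature",
])

if __name__ == "__main__":
    sent = id_token_claims(SAMPLE_ID_TOKEN)
    print("sent by IdP:     ", jit_readiness(sent))
    print("after claim loss:", jit_readiness(username_only(sent)))
```

If the first report shows `ready: True` for a token captured from your own IdP while provisioning still fails on 6.7.0, the attributes are being lost after the token reaches the app.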

Version 6.7.0 has been withdrawn from the marketplace. Please downgrade to the previous version (6.6.3) and await a patch, to be released in version 6.7.1. If you have trouble downgrading or get errors in the manage apps section, please see this process for downgrading to a stable version: Downgrading Kantega SSO Enterprise to the previous version

Downloads for previous stable version





