  1. Jenkins
  2. JENKINS-11746

OpenID plugin gives NPE in OpenId Plugin at OpenIdSsoSecurityRealm.doFinishLogin(OpenIdSsoSecurityRealm.java:159)


Details

    • Bug
    • Status: Resolved (View Workflow)
    • Major
    • Resolution: Not A Defect
    • openid-plugin
    • None
    • Jenkins LTS 1.409.3 with OpenID plugin 1.4

    Description

      I've configured the OpenID plugin as SSO, attempting to use it with a Google Apps for Business domain, roughly as follows (in config.xml)

      + <securityRealm class="hudson.plugins.openid.OpenIdSsoSecurityRealm">
      + <endpoint>https://www.google.com/accounts/o8/site-xrds?hd=example.com</endpoint>
      + </securityRealm>

      When attempting to login, Jenkins correctly re-directs me to the Google Apps page for confirmation, but upon completion, I get a null pointer exception in doFinishLogin.

      I can't tell if this is the same as JENKINS-9216.

          Activity

            tomclift Tom Clift added a comment -

            Still exists in 1.486 (OpenID sign-on from URL other than configured "Jenkins URL" causes NullPointerException). Reproduced using "Google Apps SSO (with OpenID)" auth option.


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path: src/main/java/hudson/plugins/openid/OpenIdSsoSecurityRealm.java
            http://jenkins-ci.org/commit/openid-plugin/67c3d2d2109e8b815ede6768fb739389e66d7657
            Log:
            JENKINS-11746 At least fail with a descriptive error message, reused from 3686396.

            kohsuke Kohsuke Kawaguchi added a comment -

            This is normally the result of a host name mismatch — you access the login page under one host name, then the OpenID server redirects you back to Jenkins on another host name.

            As far as the browser is concerned, those two host names are two different sites, no session cookies get sent, and Jenkins fails to find it.

            Check your Jenkins URL configuration.

            tomclift Tom Clift added a comment -

            An error message asking to check configuration would be a good addition.

            Alternatively, would there be any ill effects to automatically redirecting users from non-canonical URLs to the canonical URL?

            E.g. the canonical URL is set to jenkins.example.org, and the user accesses from http://jenkins/ (internally resolvable hostname, trying to authenticate from here will fail), they are automatically redirected to http://jenkins.example.org/ ? If this happened before the user was sent to the OpenID server for authentication, there wouldn't need to be any special handling on the return trip.
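
            The redirect-before-login idea from this comment, combined with the host name mismatch explained earlier in the thread, as an added example (not part of the comment and not the plugin's code). `CanonicalHostCheck`, `origin` and `redirectTarget` are hypothetical names, the sample requests are constructed, and the request path is assumed to already include any context path.

```java
import java.net.URI;
import java.util.Locale;

/** Added example: decide whether a request must be bounced to the configured Jenkins root URL. */
public class CanonicalHostCheck {

    /** scheme://host:port with a lower-cased host and the default port filled in. */
    static String origin(URI u) {
        String scheme = u.getScheme().toLowerCase(Locale.ROOT);
        int port = u.getPort() != -1 ? u.getPort() : (scheme.equals("https") ? 443 : 80);
        return scheme + "://" + u.getHost().toLowerCase(Locale.ROOT) + ":" + port;
    }

    /**
     * Returns null when the request already arrived on the configured origin,
     * otherwise the URL on the configured origin to redirect to before login starts.
     */
    static String redirectTarget(String configuredRoot, String requestUrl) {
        URI root = URI.create(configuredRoot);
        URI req = URI.create(requestUrl);
        if (root.getScheme() == null || root.getHost() == null
                || req.getScheme() == null || req.getHost() == null) {
            throw new IllegalArgumentException("absolute http(s) URLs required");
        }
        if (origin(root).equals(origin(req))) {
            return null; // same origin: the session cookie set here comes back on return
        }
        // Scheme, host and port come only from configuration, never from the request,
        // so a forged Host header cannot steer the redirect to another site.
        String rawPath = req.getRawPath();
        String path = (rawPath == null || rawPath.isEmpty()) ? "/" : rawPath;
        String query = req.getRawQuery() == null ? "" : "?" + req.getRawQuery();
        return root.getScheme() + "://" + root.getRawAuthority() + path + query;
    }

    public static void main(String[] args) {
        String root = "http://jenkins.example.org/"; // canonical URL from the comment above
        String[] constructed = {                      // constructed sample requests
            "http://jenkins/login?from=%2F",          // internal short name: redirect
            "http://JENKINS.example.org:80/login",    // same origin, different spelling: none
            "http://10.0.0.5/login",                  // access by IP address: redirect
        };
        for (String url : constructed) {
            String target = redirectTarget(root, url);
            System.out.println(url + " -> " + (target == null ? "no redirect" : target));
        }
    }
}
```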

            jglick Jesse Glick added a comment -

            An error message asking to check configuration would be a good addition.

            I think 67c3d2d accomplishes just that:

            Unable to find an on-going OpenID session. Could it be that you have multiple host names for your Jenkins and you started the authentication in one host name and landed back on another? If so configure the correct Jenkins root URL so that those two host names will be the same


            People

              kohsuke Kohsuke Kawaguchi
              sit Emil Sit