• Type: Bug
• Resolution: Not A Defect
• Priority: Minor
• Component: saml-plugin
• Jenkins: 2.32.1
  SAML plugin: 0.12

      Hi,

we wanted to use the SAML plugin and connect it to our IDP provider "PingOne". After putting in the metadata and the URIs on the Jenkins side and the URLs on the IDP side, I was able to access / log in to Jenkins from the IDP's portal site. However, I am not able to log in to Jenkins via its URL.

The reason is probably that the SAML plugin does not send the IDPID when communicating with the IDP.

      For example SAML sends this URL to PingOne:
      https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?SAMLRequest=pVLBbtswDLsZZ%2BtcM7xPI212Q4sNXsIhfayiu4dtDLP4B&RelayState=https%3A%2F%2Fdm-jenkins.dmglobal.com%2Fjenkins%2FsecurityRealm%2FfinishLogin

Other applications using the same IDP send this URL:
      https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=f8de2c8f-1e77-4698-a952-0b9feec61626&SAMLRequest=hZLNbts%2FX7X5Aw%3D%3D&RelayState=ss%3Amem%3Ad2e334c7131a9ee3f33eb5a41f1218b89c8e91805ba76597463c935195faf23c

      Can you fix this issue, so that the IDPID is sent?
      Let me attach a slightly modified Metadata file to this ticket.

      Any help would be appreciated.
      Kind regards
      Tom

          [JENKINS-41013] IDPID not send to IDP

          Tom Pfueller created issue -

Ivan Fernandez Calvo added a comment - edited

idpid is not an attribute of SAML 2.0; it is used only by PingOne and, reviewing the documentation, it is generated by PingOne itself:

pingone.idp.id, pingone.idpid: The id of the PingOne SSO for SaaS Apps customer connection associated with the currently authenticating user.

          • If your application is using the REST API, this value is returned in JSON/XML, and has the format "pingone.idp.id" (note the two periods).
          • If your application is using SAML, this value is always returned in the attribute statement as "pingone.idpid" (note the single period). This value is always returned by PingOne, so you don't need to configure an attribute mapping.


I am going to check if it is possible to generate attributes automatically from metadata, but maybe the metadata requires modifications like those described here: https://docs.pivotal.io/p-identity/1-1/pingone/config-sso.html

https://docs.pingidentity.com/bundle/p1_attributesReference_cas/page/attributesRef.html


Ivan Fernandez Calvo added a comment -

Could you check that you used "https://dm-jenkins.dmglobal.com/jenkins/securityRealm/finishLogin" as URL of the Service provider on PingOne?
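The two URLs quoted in the ticket are SAML 2.0 HTTP-Redirect binding requests, and the only structural difference is the extra vendor-specific idpid query parameter. The following is an added example (not code from the ticket or from the SAML plugin) that builds such a redirect URL for a constructed AuthnRequest, decodes it again, and reports which parameters are present and which AssertionConsumerServiceURL the request carries, which is the value Ivan asks the reporter to verify above. The SSO and finishLogin URLs are taken from the ticket; the SP entity ID (Issuer), request ID, timestamp and the idpid value are assumed placeholders.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

# Real values from the ticket; everything else below is constructed.
SSO_URL = "https://sso.connect.pingidentity.com/sso/idp/SSO.saml2"
ACS_URL = "https://dm-jenkins.dmglobal.com/jenkins/securityRealm/finishLogin"
ISSUER = ACS_URL  # assumed SP entity ID; the ticket does not state it
NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(issuer, acs_url):
    """Minimal constructed AuthnRequest; ID and IssueInstant are placeholders."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" '
        f'ID="_example-request-id" Version="2.0" '
        f'IssueInstant="2017-01-11T00:00:00Z" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>'
    )


def encode_redirect(sso_url, xml_request, relay_state, extra=None):
    """HTTP-Redirect binding: raw DEFLATE -> base64 -> URL-encoded query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no header
    deflated = comp.compress(xml_request.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode(),
              "RelayState": relay_state}
    params.update(extra or {})  # e.g. PingOne's vendor-specific idpid parameter
    return sso_url + "?" + urllib.parse.urlencode(params)


def inspect_redirect(url):
    """Return (query parameter names, ACS URL, Issuer) decoded from the URL."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15).decode())
    issuer = root.find(f"{{{NS_A}}}Issuer")
    return (sorted(query), root.get("AssertionConsumerServiceURL"),
            issuer.text if issuer is not None else None)


if __name__ == "__main__":
    req = build_authn_request(ISSUER, ACS_URL)
    plain = encode_redirect(SSO_URL, req, ACS_URL)
    with_id = encode_redirect(SSO_URL, req, ACS_URL, {"idpid": "IDPID-PLACEHOLDER"})
    for label, url in (("plugin-style", plain), ("with idpid", with_id)):
        names, acs, issuer = inspect_redirect(url)
        print(f"{label}: params={names} acs={acs} issuer={issuer}")
```

Running it shows that the SAMLRequest itself is identical in both cases; idpid lives outside the signed SAML message, which is why an IdP-side connection setting, not the AuthnRequest, is the place to look when it is missing.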
          Ivan Fernandez Calvo made changes -
          Resolution New: Not A Defect [ 7 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]
