SamlException after metadata update



When trying to log in, Jenkins with the SAML plugin fails with

org.pac4j.saml.exceptions.SamlException: No valid subject assertion found in response

A full logout in Outlook as described in JENKINS-37289 doesn't help.

The log jenkins/jenkins.log shows the following error:

org.pac4j.saml.exceptions.SamlException: Signature is not trusted

It turned out that the IdP metadata had changed and I needed to update the document. But that was not possible, because I couldn't log in.

I had to give anonymous access to everything (adding <sid>anonymous</sid> in <assignedSIDs> for admin) to be able to change the metadata. Afterwards I had to remove all user data in jenkins/users/*.

Although there's a workaround, the procedure is very annoying (when the IdP updates metadata frequently) and is in my opinion especially problematic for security reasons, since I need to give access to everyone (temporarily).

I would also think that JENKINS-44144 could solve the problem if the metadata were automatically downloaded frequently (or at least on error).
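Added example, not code from the Jenkins SAML plugin or from this report: a small Python check that compares the signing certificates in the IdP metadata Jenkins has configured against the copy the IdP currently publishes, so a key rotation is noticed before logins start failing with "Signature is not trusted". The namespaces are the standard SAML 2.0 metadata ones; the sample documents, entity ID and certificate strings are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signing_certs(metadata_xml):
    """Return the set of base64 signing certificates in an IdP metadata document."""
    root = ET.fromstring(metadata_xml)
    certs = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" is valid for both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.add("".join((cert.text or "").split()))  # drop PEM line breaks
    return certs


def metadata_drift(configured_xml, published_xml):
    """Compare the configured copy with the published one.

    trust_broken is True when none of the configured signing certificates
    survives in the published metadata, i.e. every assertion the IdP now
    signs would be rejected as "Signature is not trusted".
    """
    old, new = signing_certs(configured_xml), signing_certs(published_xml)
    return {"added": new - old, "removed": old - new, "trust_broken": not (old & new)}


def _metadata(cert_b64):
    # Constructed minimal IdP metadata; real documents carry many more elements.
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


CONFIGURED = _metadata("MIIBexampleOLDcert")  # placeholder, not a real certificate
PUBLISHED = _metadata("MIIBexampleNEWcert")   # placeholder, not a real certificate

if __name__ == "__main__":
    print(metadata_drift(CONFIGURED, PUBLISHED))
```

Run it on a schedule against the real IdP metadata URL and the document stored in Jenkins; a trust_broken result is the moment to update the metadata while an administrator can still log in.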

Assignee: Ivan Fernandez Calvo
Reporter: Matthias Voss
Archiver: Jenkins Service Account
