When trying to log in, Jenkins with the SAML plugin fails with
A full logout in Outlook as described in JENKINS-37289 doesn't help.
The log jenkins/jenkins.log shows the following error:
It turned out that the IdP metadata changed and I needed to update the document. But that was not possible, because I couldn't login.
I had to give anonymous access to everything (adding <sid>anonymous</sid> in <assignedSIDs> for admin) to be able to change the metadata. Afterwards I had to remove all user data in jenkins/users/*.
Although there's a workaround, the procedure is very annoying (when the IdP updates metadata frequently) and is in my opinion especially difficult for security reasons since I need to give access for everyone (temporarily).
I would also think that JENKINS-44144 could solve the problem when the metadata is automatically downloaded frequently (or at least on error).
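Because the workaround above temporarily hands admin rights to anonymous, a useful follow-up check is to scan config.xml for roles that still assign the `anonymous` SID. The script below is an added example, not code from this issue or from the Jenkins plugins; it assumes a Role Strategy-style `<role>`/`<assignedSIDs>` layout and uses a constructed sample config.

```python
# Added example: detect the "anonymous in assignedSIDs" workaround left
# behind in a Jenkins config.xml. Not part of the issue or any plugin.
import xml.etree.ElementTree as ET

# Constructed sample resembling the <assignedSIDs> layout mentioned in
# the issue (Role Strategy style); real files differ in detail.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <authorizationStrategy class="RoleBasedAuthorizationStrategy">
    <roleMap type="globalRoles">
      <role name="admin" pattern=".*">
        <permissions>
          <permission>hudson.model.Hudson.Administer</permission>
        </permissions>
        <assignedSIDs>
          <sid>alice</sid>
          <sid>anonymous</sid>
        </assignedSIDs>
      </role>
      <role name="reader" pattern=".*">
        <permissions>
          <permission>hudson.model.Hudson.Read</permission>
        </permissions>
        <assignedSIDs>
          <sid>anonymous</sid>
        </assignedSIDs>
      </role>
    </roleMap>
  </authorizationStrategy>
</hudson>
"""


def roles_with_sid(config_xml, sid="anonymous"):
    """Return {role name: [permissions]} for every role that assigns `sid`."""
    root = ET.fromstring(config_xml)
    found = {}
    for role in root.iter("role"):
        sids = [s.text.strip() for s in role.findall("assignedSIDs/sid") if s.text]
        if sid in sids:
            perms = [p.text.strip() for p in role.findall("permissions/permission") if p.text]
            found[role.get("name")] = perms
    return found


def privileged_anonymous_roles(config_xml):
    """Roles that grant Administer to anonymous: the workaround left in place."""
    return sorted(name for name, perms in roles_with_sid(config_xml).items()
                  if "hudson.model.Hudson.Administer" in perms)


if __name__ == "__main__":
    for name in privileged_anonymous_roles(SAMPLE_CONFIG):
        print(f"WARNING: role {name!r} grants Administer to anonymous")
```

Point it at the real `config.xml` (read the file into `roles_with_sid`) after the metadata update to confirm the temporary grant was reverted.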