JENKINS-44992: SamlException after metadata update


    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: saml-plugin
    • Labels: None
    • Environment: Jenkins 2.46.3, SAML Plugin 0.14

When trying to login, Jenkins with SAML plugin fails with

org.pac4j.saml.exceptions.SamlException: No valid subject assertion found in response

A full logout in Outlook as described in JENKINS-37289 doesn't help.

The log jenkins/jenkins.log shows the following error:

org.pac4j.saml.exceptions.SamlException: Signature is not trusted

It turned out that the IdP metadata changed and I needed to update the document. But that was not possible, because I couldn't login.

I had to give anonymous access to everything (adding <sid>anonymous</sid> in <assignedSIDs> for admin) to be able to change the metadata. Afterwards I had to remove all user data in jenkins/users/*.

Although there's a workaround, the procedure is very annoying (when the IdP updates metadata frequently) and is in my opinion especially difficult for security reasons, since I need to give access to everyone (temporarily).

I would also think that JENKINS-44144 could solve the problem when the metadata is automatically downloaded frequently (or at least on error).
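The lockout described in this report happens because the IdP rotated the certificate it signs assertions with, and the metadata copy stored in Jenkins still lists the old one, so pac4j rejects the signature. An operator can catch that drift before it breaks login by periodically fetching the IdP metadata and diffing its signing certificates against the cached copy. The script below is an added example written for this page; it is not part of the SAML plugin or of the reporter's workaround. It uses only the Python standard library, parses the standard SAML 2.0 metadata namespaces, and fingerprints the DER bytes inside each X509Certificate element. The two metadata documents and the "certificate" bytes inside them are constructed placeholders, as is the entity ID https://idp.example.test/saml; in practice the cached document is the one configured in Jenkins and the fetched one comes from the IdP's metadata URL.

```python
from __future__ import annotations

import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces used by IdP metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def signing_cert_fingerprints(metadata_xml: str) -> set[str]:
    """Fingerprints of every certificate the IdP may sign assertions with.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it is included; use="encryption" descriptors are skipped,
    because a rotated encryption key does not produce "Signature is not trusted".
    """
    root = ET.fromstring(metadata_xml)
    fps: set[str] = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # The base64 body is usually wrapped across lines; strip whitespace first.
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            fps.add(fingerprint(der))
    return fps


def compare_metadata(cached_xml: str, fetched_xml: str) -> dict:
    """Diff signing certificates between the copy Jenkins has and a fresh download."""
    old = signing_cert_fingerprints(cached_xml)
    new = signing_cert_fingerprints(fetched_xml)
    return {
        "rotation": old != new,       # True: update the metadata in Jenkins now
        "added": sorted(new - old),   # certificates Jenkins does not trust yet
        "removed": sorted(old - new), # certificates the IdP no longer publishes
        "unchanged": sorted(old & new),
    }


def sample_metadata(cert_b64: str, use: str | None = "signing") -> str:
    """Minimal constructed IdP metadata document (not real IdP output)."""
    use_attr = f' use="{use}"' if use else ""
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'entityID="https://idp.example.test/saml">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"<md:KeyDescriptor{use_attr}>"
        '<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>'
        f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        "</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


# Constructed placeholder bytes standing in for DER certificates; a real
# document carries the IdP's actual X.509 certificate here.
OLD_CERT_DER = b"constructed-old-idp-signing-cert"
NEW_CERT_DER = b"constructed-new-idp-signing-cert"
CACHED_METADATA = sample_metadata(base64.b64encode(OLD_CERT_DER).decode())
FETCHED_METADATA = sample_metadata(base64.b64encode(NEW_CERT_DER).decode())

if __name__ == "__main__":
    report = compare_metadata(CACHED_METADATA, FETCHED_METADATA)
    if report["rotation"]:
        print("IdP signing certificate changed; update the SAML metadata in Jenkins")
        for fp in report["added"]:
            print("  new certificate sha256:", fp)
    else:
        print("IdP signing certificates unchanged")
```

Run from cron or a monitoring job against the live metadata URL, a non-empty "added" list is the signal to refresh the metadata in Jenkins while an administrator can still log in, which avoids the temporary anonymous-admin step described above. Comparing fingerprints of the signing keys rather than the whole document also avoids false alarms from unrelated metadata changes such as a new validUntil value.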

Assignee: Ivan Fernandez Calvo (ifernandezcalvo)
Reporter: Matthias Voss (mvoss)
Votes: 5
Watchers: 7
