• Type: Bug
• Resolution: Fixed
• Priority: Blocker
• Component: saml-plugin
• Labels: None
• Environment: Jenkins 2.73

      I upgraded the saml plugin to 1.0.3 and am now getting this stack trace.

      org.pac4j.saml.exceptions.SAMLException: Authentication response is not success ; actual urn:oasis:names:tc:SAML:2.0:status:Responder
       at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSamlProtocolResponse(SAML2DefaultResponseValidator.java:208)
       at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validate(SAML2DefaultResponseValidator.java:132)
       at org.pac4j.saml.sso.impl.SAML2WebSSOMessageReceiver.receiveMessage(SAML2WebSSOMessageReceiver.java:77)
       at org.pac4j.saml.sso.impl.SAML2WebSSOProfileHandler.receive(SAML2WebSSOProfileHandler.java:35)
       at org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:225)
       at org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:60)
       at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:106)
       at org.jenkinsci.plugins.saml.SamlProfileWrapper.process(SamlProfileWrapper.java:53)
       at org.jenkinsci.plugins.saml.SamlProfileWrapper.process(SamlProfileWrapper.java:33)
       at org.jenkinsci.plugins.saml.OpenSAMLWrapper.get(OpenSAMLWrapper.java:65)
       at org.jenkinsci.plugins.saml.SamlSecurityRealm.doFinishLogin(SamlSecurityRealm.java:265)
       at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:636)
       at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
       at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
       at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
       at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
       at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
       at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
      Caused: javax.servlet.ServletException
       at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:765)
       at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
       at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:209)
       at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
       at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
       at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
       at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
       at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
       at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)
       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
       at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:135)
       at org.jenkinsci.plugins.corsfilter.AccessControlsFilter.doFilter(AccessControlsFilter.java:79)
       at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
       at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:225)
       at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
       at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:50)
       at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
       at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
       at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
       at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:237)
       at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:209)
       at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
       at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:113)
       at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
       at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
       at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
       at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:138)
       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
       at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:49)
       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
       at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
       at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
       at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
       at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
       at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
       at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
       at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
       at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
       at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
       at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
       at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
       at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:92)
       at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
       at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
       at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
       at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
       at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
       at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
       at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
       at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
       at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
       at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
       at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
       at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
       at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
       at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
       at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
       at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
       at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
       at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
       at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
       at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
       at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
       at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
       at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
       at org.eclipse.jetty.server.Server.handle(Server.java:564)
       at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:317)
       at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
       at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
       at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
       at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
       at org.eclipse.jetty.util.thread.Invocable.invokePreferred(Invocable.java:128)
       at org.eclipse.jetty.util.thread.Invocable$InvocableExecutor.invoke(Invocable.java:222)
       at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:294)
       at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:199)
       at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
       at java.lang.Thread.run(Thread.java:745)

          [JENKINS-46181] saml 1.0.3 breaks

          Xueshan Feng added a comment -

          saml-sp-metadata.xml file generated has only one day cert life:

          Certificate:
              Data:
                  Version: 3 (0x2)
                  Serial Number:
                      a4:8d:c0:2c:d4:27:8c:3a:7e:c5:7f:4f:c5:31:13:38:5c:8d:8a:dc
              Signature Algorithm: sha256WithRSAEncryption
                  Issuer: CN=SAML-jenkins
                  Validity
                      Not Before: Sep 14 21:45:22 2017 GMT
                      Not After : Sep 15 21:45:22 2017 GMT
                  Subject: CN=SAML-jenkins

          ....

          Our IdP won't accept it. Is there a way to disable signing and encryption or provide our own sp_metadata.xml file?


          Ivan Fernandez Calvo added a comment - - edited

          You have two options: create a key with this command and configure it on Jenkins, or edit the IdP metadata on Jenkins removing the "<md:KeyDescriptor use='signing'>" and "<md:KeyDescriptor use='encryption'>" sections (I did not test it but I think it works). Do you know why your IdP does not accept a key with 24 hours of validity? I'm gonna change the code to generate a key valid for more time.

          $JAVA_HOME/bin/keytool -genkeypair -alias saml-key -keypass <PASSWORD_KEY> -keystore $JENKINS_HOME/saml-key.jks -storepass <PASSWORD_KS> -keyalg RSA -keysize 2048 -validity 3650

          Ivan Fernandez Calvo added a comment -

          released in 1.0.4

          Mark Jaroski added a comment -

          Hi Ivan,

          Unfortunately we still have this issue with version 1.0.4 of the plugin. Is there something else that we have to do after updating the plugin?

          If I generate a new keystore does it matter what the store passphrase is? Is it used somewhere else in Jenkins? By way of explanation, I didn't do the installation; I've just been called in to do the SAML integration, so I don't know the installation details (I can probably find them out).

          thanks,

          -mark


          Ivan Fernandez Calvo added a comment -

          >Is there something else that we have to do after updating the plugin?

          Did you update the information of your SP in your IdP with the keys in the file JENKINS_HOME/saml-sp-metadata.xml?

          >If I generate a new keystore does it matter what the store passphrase is?

          No, it does not matter

          >Is it used somewhere else in Jenkins?

          It is only used by the SAML Plugin.

          >By way of explaination I didn't do the installation, I've just been called in to do the SAML integration, so I don't know the installation details (I can probably find them out).

          This key is used to sign and encrypt SAML messages between SP<->IdP; since 1.0.3 it needs to have one, so your IdP needs to know the key in saml-sp-metadata.xml to be able to sign/encrypt messages for your SP.


          Mark Jaroski added a comment -

          Thanks for the quick response!

          >Did you updated the information of your SP in your IdP with the keys in the file JENKINS_HOME/saml-sp-metadata.xml?

          Yes, I've tried it a couple of different ways. The issue is that the signing and encrypting certificates it generates are always good for exactly one day.

          > No, it does not matter

          OK, so should I try to generate a saml-key.js with no passphrase? Because otherwise I don't know how Jenkins is going to read the keystore or the key, or should I specify that in the encryption section of the config?

          > This key is used to sign and encrypt SAML messages between SP<->IdP, since 1.0.3 it needs to have one, so you IdP needs to know the key in saml-sp-metadata.xml to be able to sign/encrypt messages for your SP

          And it works! The problem is that it's going to expire tomorrow afternoon. That would be fine, but because of an obscure transport layer issue I can't automate updates from the Jenkins metadata yet.

          Thanks again!

          Ivan Fernandez Calvo added a comment -

          >OK, so should I try to generate a saml-key.js with no passphrase? Because otherwise I don't know how Jenkins is going to read the keystore or the key, or should I specify that in the encryption section of the config?

          In the encryption section of the SAML Plugin configuration, you configure the path to the keystore, the keystore password, the password for the key, and the key alias.


          Mark Jaroski added a comment -

          Right. OK, I'll do that.

          I would tend to think that for some future release your users in general will be better off with automatically generated self-signed certificates of a certain lifespan though. A lot of people make the mistake of using CA-signed certificates for this stuff, which is a really bad idea. Generating usable key pairs automatically will stop most of them from doing that without their having to read a lot of documentation explaining exactly why it's a bad idea.

          Ivan Fernandez Calvo added a comment - - edited

          In the next release, the life of the key is configurable: https://github.com/jenkinsci/saml-plugin/commit/65edc532884304cb47a3e565dfbe108dc497c3d6

          -Dorg.jenkinsci.plugins.saml.BundleKeyStore.validity=NUMBER_OF_DAYS
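
A check for the failure mode in this thread, added here as an example and not code from the plugin or from anyone in the issue: it parses the certificates out of the KeyDescriptor elements of SP metadata and reports how many days each has left, so a key that expires tomorrow (the 1.0.3 default) or has already expired is caught before the IdP rejects the SP, which here surfaced as the Responder status in the stack trace above. The sample-metadata builder, the empty subject name and the 2017 timestamps are constructed for the example, and Go's standard library stands in for the plugin's Java/OpenSAML code.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Only the slice of SAML SP metadata this check needs; unqualified names match any namespace.
type spMetadata struct {
	Keys []struct {
		Use  string `xml:"use,attr"`
		Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
	} `xml:"SPSSODescriptor>KeyDescriptor"`
}

// CheckSPMetadata returns, per KeyDescriptor use, whole days left until NotAfter as seen at now (negative: expired).
func CheckSPMetadata(doc string, now time.Time) (map[string]int, error) {
	var md spMetadata
	if err := xml.Unmarshal([]byte(doc), &md); err != nil {
		return nil, err
	}
	daysLeft := make(map[string]int, len(md.Keys))
	for _, k := range md.Keys {
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(k.Cert), ""))
		if err != nil {
			return nil, fmt.Errorf("KeyDescriptor use=%q: %w", k.Use, err)
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("KeyDescriptor use=%q: %w", k.Use, err)
		}
		daysLeft[k.Use] = int(cert.NotAfter.Sub(now).Hours() / 24)
	}
	return daysLeft, nil
}

// BuildSampleMetadata constructs hypothetical SP metadata around a fresh self-signed cert valid for validityDays.
func BuildSampleMetadata(validityDays int, now time.Time) (string, error) {
	now = now.UTC().Truncate(time.Second) // X.509 validity times carry whole seconds
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(time.Duration(validityDays) * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	kd := `<md:KeyDescriptor use="%s"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>`
	b64 := base64.StdEncoding.EncodeToString(der)
	return `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><md:SPSSODescriptor>` +
		fmt.Sprintf(kd, "signing", b64) + fmt.Sprintf(kd, "encryption", b64) + `</md:SPSSODescriptor></md:EntityDescriptor>`, nil
}
```

A generated saml-sp-metadata.xml usually wraps the base64 across indented lines; the check strips all whitespace before decoding, so it can be pointed at the file as written.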

          Mark Jaroski added a comment -

          That's perfect! Thanks again.


            Assignee: Ivan Fernandez Calvo (ifernandezcalvo)
            Reporter: Ben Mathews (benm)
            Votes: 0
            Watchers: 9