Jenkins: 2.76
      Jenkins-SAML: 1.0.4

      Our users are getting this exception every morning:
      org.pac4j.saml.exceptions.SAMLException: No valid subject assertion found in response at stacktrace

          [JENKINS-48030] SAML Azure AD exception

          Ivan Fernandez Calvo added a comment - - edited

          Could you check whether the EntityDescriptor element in JENKINS_HOME/saml-idp-metadata.xml has the attribute validUntil? And check that your Maximum Authentication Lifetime will expire before this validUntil date, and that your Advanced Configuration/Maximum Session Lifetime is also less than your Maximum Authentication Lifetime:

          Advanced Configuration/Maximum Session Lifetime <= Maximum Authentication Lifetime < validUntil


          Jamie added a comment - - edited

          Thanks for the response Ivan.

          The saml-idp-metadata.xml file does not contain the attribute validUntil on my system where you mentioned or elsewhere in the file.

          At present both the Maximum Session Lifetime and Maximum Authentication Lifetime values are set to 86400.

          Would it be helpful if I posted the entire contents of the saml-idp-metadata.xml file on my system? No idea if it contains sensitive information.


          Kim added a comment -

          We are also experiencing problems with 1.0.5, have tried making the max auth lifetime longer, and now enabled forced login. The forced authentication makes it possible to use Jenkins, but it is a major annoyance having to log in "all the time".


          Ivan Fernandez Calvo added a comment - - edited

          I am documenting how to configure the Azure service to work with the plugin, and there is something in the documentation about the Entity ID in the IdP Metadata XML that caught my attention: there are two formats

          • entityID="https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db45/"
          • entityID="https://sts.windows.net/{tenant}/"

          The first one seems like it could change with time and the second one seems to be always the same. Could you check the Entity ID type you use in your IdP Metadata XML?

          https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-federation-metadata#entity-id

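Added example (not code from the thread or from the Jenkins SAML plugin): a small check that applies the two conditions discussed above to an IdP metadata file, the lifetime ordering Maximum Session Lifetime <= Maximum Authentication Lifetime < validUntil, and an entityID in the tenant-specific https://sts.windows.net/<GUID>/ form rather than the literal {tenant} placeholder. The metadata document and its GUID are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Tenant-specific Azure AD issuer: https://sts.windows.net/<Directory ID GUID>/
TENANT_ID_RE = re.compile(
    r"^https://sts\.windows\.net/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/$", re.I)

# Constructed sample metadata; the GUID is a placeholder, not a real Directory ID.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="{MD_NS}"
    entityID="https://sts.windows.net/12345678-1234-1234-1234-123456abcdef/"
    validUntil="2018-01-01T00:00:00Z">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""


def _parse_ts(value):
    """Parse a SAML metadata timestamp such as 2018-01-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_idp_metadata(xml_text, max_session_secs, max_auth_secs, now=None):
    """Return a list of problems found; an empty list means all checks passed.

    max_session_secs / max_auth_secs mirror the plugin's Maximum Session Lifetime
    and Maximum Authentication Lifetime settings (seconds). `now` may be an
    ISO-8601 string or an aware datetime; it defaults to the current UTC time.
    """
    now = _parse_ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    problems = []

    entity_id = root.get("entityID", "")
    if "{tenant}" in entity_id:
        problems.append("entityID still contains the '{tenant}' placeholder from the docs")
    elif not TENANT_ID_RE.match(entity_id):
        problems.append(f"entityID is not the tenant-specific form: {entity_id}")

    if max_session_secs > max_auth_secs:
        problems.append("Maximum Session Lifetime exceeds Maximum Authentication Lifetime")

    valid_until = root.get("validUntil")
    if valid_until:  # optional attribute; absent in the reporter's file
        if now + timedelta(seconds=max_auth_secs) >= _parse_ts(valid_until):
            problems.append(f"Maximum Authentication Lifetime runs past validUntil ({valid_until})")
    return problems
```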

          Shawn Parslow added a comment -

          My configuration uses the Azure GUID in the entityID:
          entityID="https://sts.windows.net/12345678-1234-1234-1234-123456abcdef/" 

          FYI, this GUID represents the Directory ID of your Azure Active Directory in your subscription that you are authenticating against (you might want to scrub it from your comment).


          Ivan Fernandez Calvo added a comment - - edited

          shawnparslow both are C&P from https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-federation-metadata#entity-id so they should not be valid values.

          Jamie added a comment -

          ifernandezcalvo My configuration also uses a GUID, in the first format style.

          Not my area, but isn't this feature something to do with whether you are, say, building a hosted application which allows multiple Azure AD users to utilise it?


          Ivan Fernandez Calvo added a comment -

          I do not have all the context, but the first is tenant-specific and the second one is tenant-independent. I am not sure if this token can change or not in the first choice.

          Jamie added a comment -

          ifernandezcalvo I see. I have made a note of the value for my system and I will check back every few days to see if it has changed. I'll report back in a week or so I guess?


          Jamie added a comment -

          I have just rechecked the value and it is the same now as it was on the 6th of this month.

          Hope this helps


            ifernandezcalvo Ivan Fernandez Calvo
            jangazda Jan Gazda