Jenkins: 2.76
      Jenkins-SAML: 1.0.4

      Our users are getting this exception every morning:
      org.pac4j.saml.exceptions.SAMLException: No valid subject assertion found in response at stacktrace

          [JENKINS-48030] SAML Azure AD exception

          Jan Gazda created issue -
          Jan Gazda made changes -
          Description Original: Our users are getting this exception every morning:
          org.pac4j.saml.exceptions.SAMLException: No valid subject assertion found in response at [^stacktrace]
          New: Jenkins: 2.76
          Jenkins-SAML: 1.0.4

          Our users are getting this exception every morning:
           org.pac4j.saml.exceptions.SAMLException: No valid subject assertion found in response at [^stacktrace]

          Jan Gazda added a comment -

          Any progress on this? It's really annoying :/

          Can I help somehow?


          Shawn Parslow added a comment -

          My organization is seeing this behavior also. We are using Azure AD and SAML authentication with several servers/services, and Jenkins is the only one that seems to be giving a problem. Everything works fine once configured, but upon logging in (via SAML) and then leaving the system for some period of time (like overnight) and trying to log in again, we are met with the same error. The only way to correct it seems to be to go to Azure and sign out of the user name (or clear all cache/cookies/etc.) and then hit the Jenkins sign-in again (and re-auth to Azure AD). It's as if the Azure sign-in is expiring, but we don't notice this issue with any other systems. We looked at increasing the "Maximum Authentication Lifetime" in the SAML settings in Jenkins, but it didn't change anything (also worth noting, the SAML finish login error is "No valid subject assertion found in response" and not one related to auth lifetime like "Authentication issue instant is too old or in the future"). Following...


          Shawn Parslow added a comment -

          So I am not clear if this is a solution, but I wanted to share (possibly get feedback). When SAML authentication to Azure AD occurs there are 2 tokens that come down: the Access Token and the Refresh Token. The max lifetime of the Access Token in Azure AD seems to be 24 hours, whereas the refresh token can live for a maximum of 14 days (if the access token expires, the refresh token is used to try to obtain a new access token). I am suspicious of the Jenkins setting in Configure Global Security > SAML Identity Provider Settings > Maximum Authentication Lifetime. The default here is the equivalent of 24 hours (86400 in seconds). This would seem to be OK with the Access Token, but perhaps it's interfering with the lifecycle of the Refresh Token. In my system I have tested upping this to 1209600 (which is 14 days in seconds / the max lifetime of the Refresh Token). It's worth noting that values can be tweaked in Azure also, but it seems it's via an AzureADPreview preview module to Get/Set AzureADPolicy.


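          The comment above separates two different failure messages: one for a response that carries no usable subject assertion, and one for an assertion whose AuthnInstant is older than the configured Maximum Authentication Lifetime. The following Python is an added example, not the SAML plugin's or pac4j's code; it reuses the two message strings quoted in this thread, but the order and shape of the checks, the constructed sample responses, the tenant-ID placeholder and the function names are this example's own assumptions. It shows which input produces which message, and that raising the lifetime only affects the AuthnInstant check.

```python
"""Illustrative SAML Response checks (added example, not plugin or pac4j code)."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a successful Response with one Assertion (signatures omitted).
# The AuthnInstant is a day older than the IssueInstant, which is what an IdP
# session reused "the next morning" looks like on the wire.
RESPONSE_WITH_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2017-11-16T08:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-11-16T08:00:00Z">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2017-11-16T07:55:00Z" NotOnOrAfter="2017-11-16T09:00:00Z"/>
    <saml:AuthnStatement AuthnInstant="2017-11-15T07:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: a "successful" Response that carries no Assertion at all.
RESPONSE_WITHOUT_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0"
    IssueInstant="2017-11-16T08:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""

# The two messages quoted in this thread.
SUBJECT_ERROR = "No valid subject assertion found in response"
LIFETIME_ERROR = "Authentication issue instant is too old or in the future"


def _utc(ts: str) -> dt.datetime:
    """Parse the xs:dateTime form used here (UTC, 'Z' suffix, no fractional seconds)."""
    return dt.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def check_response(xml_text: str, now: dt.datetime,
                   max_authn_lifetime: int = 86400, clock_skew: int = 60) -> str:
    """Return "OK" or the message of the first failing check.

    max_authn_lifetime mirrors the Jenkins "Maximum Authentication Lifetime"
    setting in seconds (86400, the default quoted in the thread). It bounds the
    age of the AuthnInstant, i.e. when the user last authenticated at the IdP,
    and is independent of the assertion's own Conditions window.
    """
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    # Only assertions that name a subject can be used to log someone in.
    usable = [a for a in assertions if a.find("saml:Subject/saml:NameID", NS) is not None]
    if not usable:
        return SUBJECT_ERROR
    assertion = usable[0]

    # Assertion validity window, with a small skew tolerance.
    skew = dt.timedelta(seconds=clock_skew)
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now + skew < _utc(not_before):
            return "Assertion not yet valid (NotBefore)"
        if not_on_or_after and now - skew >= _utc(not_on_or_after):
            return "Assertion expired (NotOnOrAfter)"

    # Authentication lifetime: how long ago the subject authenticated at the IdP.
    stmt = assertion.find("saml:AuthnStatement", NS)
    if stmt is None or not stmt.get("AuthnInstant"):
        return SUBJECT_ERROR
    age = (now - _utc(stmt.get("AuthnInstant"))).total_seconds()
    if age > max_authn_lifetime or age < -clock_skew:
        return LIFETIME_ERROR
    return "OK"


if __name__ == "__main__":
    now = _utc("2017-11-16T08:00:30Z")
    for label, xml_text, lifetime in [
        ("default lifetime", RESPONSE_WITH_ASSERTION, 86400),
        ("14-day lifetime", RESPONSE_WITH_ASSERTION, 1209600),
        ("no assertion", RESPONSE_WITHOUT_ASSERTION, 86400),
    ]:
        print(f"{label:>17}: {check_response(xml_text, now, lifetime)}")
```

          Run as a script, the first case reports the lifetime message (the AuthnInstant is 25 hours old against an 86400-second limit), the second passes with the 14-day value, and the third reports the subject message regardless of the lifetime setting, which is the distinction the comment draws between the two errors.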
          Ivan Fernandez Calvo added a comment -

          Nice feedback. Probably I have to add a note about Azure AD and these tokens' life cycle; probably enabling the advanced "force authentication" setting is another workaround.
          Ivan Fernandez Calvo made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Ivan Fernandez Calvo made changes -
          Remote Link New: This issue links to "PR (Web Link)" [ 19337 ]

          Jan Gazda added a comment -

          Thanks I will try "force authentication" within our org.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Ivan Fernandez Calvo
          Path:
          README.md
          pom.xml
          src/main/java/org/jenkinsci/plugins/saml/IdpMetadataConfiguration.java
          src/main/java/org/jenkinsci/plugins/saml/OpenSAMLWrapper.java
          src/main/java/org/jenkinsci/plugins/saml/SamlAdvancedConfiguration.java
          src/main/java/org/jenkinsci/plugins/saml/SamlEncryptionData.java
          src/main/java/org/jenkinsci/plugins/saml/SamlLogoutAction.java
          src/main/java/org/jenkinsci/plugins/saml/SamlPluginConfig.java
          src/main/java/org/jenkinsci/plugins/saml/SamlSecurityRealm.java
          src/main/java/org/jenkinsci/plugins/saml/UpdateMetadataFromURLPeriodicWork.java
          src/main/resources/org/jenkinsci/plugins/saml/IdpMetadataConfiguration/config.jelly
          src/main/resources/org/jenkinsci/plugins/saml/SamlAdvancedConfiguration/config.jelly
          src/main/resources/org/jenkinsci/plugins/saml/SamlEncryptionData/config.jelly
          src/main/resources/org/jenkinsci/plugins/saml/SamlLogoutAction/index.jelly
          src/main/resources/org/jenkinsci/plugins/saml/SamlSecurityRealm/config.jelly
          src/main/webapp/help/metadataPeriod.html
          src/main/webapp/help/metadataURL.html
          src/test/java/org/jenkinsci/plugins/saml/OpenSamlWrapperTest.java
          src/test/java/org/jenkinsci/plugins/saml/SamlFormValidationsTest.java
          src/test/java/org/jenkinsci/plugins/saml/SamlSecurityRealmTest.java
          http://jenkins-ci.org/commit/saml-plugin/d3c1f8d30966766f864ae2b0178bae89b5e94cc0
          Log:
          JENKINS-41907 obtain IdP Metadata from URL (#39)

          • feature to get the IdP Metadata from a URL
          • fix tests
          • AsyncAperiodicWork to update the IdP Metadata
          • support getting IdP metadata from URL
          • run after start
            process the XML from the URL and save it without the XML declaration
          • add XML declaration to IdP metadata
          • fix test
            add base acceptance test
          • exclusion on acceptance-test-harness to be able to package
          • changes before merge
          • merge with master
          • finally the form works and does not have strange side effects, I hate jelly
          • form validation methods refactor
          • validate that XML and URL are not blank
          • fix test
          • cleanup
          • JENKINS-47880 Navigating to /securityRealm/finishLogin manually shows an odd error
          • JENKINS-48030 SAML Azure AD exception
          • JENKINS-46063 do not allow blank passwords


            ifernandezcalvo Ivan Fernandez Calvo
            jangazda Jan Gazda