Bug
Resolution: Fixed
Major
None
saml-1.1.1
When SAML plugin 1.1.0 is configured with defaults against Google Apps SAML provider, the HTTP POST to finishLogin constantly loops back to Google SSO page.
(Note: in browser Incognito mode it works reliably every time)
(Note: it does appear to work occasionally in non-Incognito/private mode as well)
Request URL: https://jenkins.foobar.com/securityRealm/finishLogin
Request Method: POST
Status Code: 403 Forbidden
X-Hudson: 1.395
X-Jenkins: 2.138.2
Server: Jetty(9.4.z-SNAPSHOT)
Date: Fri, 26 Oct 2018 16:31:01 GMT
...
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="https://jenkins.foobar.com/securityRealm/finishLogin"
                 ID="_8eefe9116d412f94226b8cad29172692"
                 InResponseTo="_3dcey6sdrmsz1wxyccpfbzoa6q1wfep79znpfmc"
                 IssueInstant="2018-10-26T16:31:01.336Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=C03nydxon</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                   ID="_f8b582ffe24652818c06f5d155527bb5"
                   IssueInstant="2018-10-26T16:31:01.336Z" Version="2.0">
    <saml2:Issuer>https://accounts.google.com/o/saml2?idpid=C03nydxon</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_f8b582ffe24652818c06f5d155527bb5">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>vvX/gtRrRI9QnvDAKZSKUERiApsdxBgzeK9/dEaQNAM=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>ITh99...==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
          <ds:X509Certificate>MIIDd...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">abelodedenko@thrivepos.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_3dcey6sdrmsz1wxyccpfbzoa6q1wfep79znpfmc"
                                       NotOnOrAfter="2018-10-26T16:36:01.336Z"
                                       Recipient="https://jenkins.foobar.com/securityRealm/finishLogin"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-10-26T16:26:01.336Z" NotOnOrAfter="2018-10-26T16:36:01.336Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://jenkins.foobar.com/securityRealm/finishLogin</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="firstName">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">Anton</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="lastName">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">Belodedenko</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="emailAddress">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">abelodedenko@thrivepos.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="role">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">admins</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
    <saml2:AuthnStatement AuthnInstant="2018-10-24T19:16:48.000Z" SessionIndex="_f8b582ffe24652818c06f5d155527bb5">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
In the Jenkins log, we see this for every attempt:
/var/log/jenkins/jenkins.log:
Oct 26, 2018 4:31:02 PM org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator validateSamlSSOResponse
SEVERE: Current assertion validation failed, continue with the next one
org.pac4j.saml.exceptions.SAMLException: Authentication issue instant is too old or in the future
        at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateAuthenticationStatements(SAML2DefaultResponseValidator.java:620)
...
Note that the AuthnInstant above is in the past:
<saml2:AuthnStatement AuthnInstant="2018-10-24T19:16:48.000Z" SessionIndex="_f8b582ffe24652818c06f5d155527bb5">
  <saml2:AuthnContext>
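As an added illustration (not code from the report or from the SAML plugin), the following Python check mirrors what the pac4j validator in the log is doing: it reads AuthnInstant out of the assertion and rejects the response when that instant is older than the configured maximum authentication lifetime, or lies in the future. The lifetime value and the clock-skew tolerance are assumed parameters, and the XML is a constructed sample reduced to the timestamps quoted above.

```python
"""Validate a SAML2 assertion's AuthnInstant against a maximum lifetime.

The service provider compares AuthnInstant (when the user actually
authenticated at the IdP) with the current time; an assertion whose
authentication happened too long ago is rejected even though the
Response itself is fresh and correctly signed.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: only the elements this check looks at, with the
# IssueInstant and AuthnInstant values taken from the report above.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    IssueInstant="2018-10-26T16:31:01.336Z" Version="2.0">
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      IssueInstant="2018-10-26T16:31:01.336Z" Version="2.0">
    <saml2:AuthnStatement AuthnInstant="2018-10-24T19:16:48.000Z"/>
  </saml2:Assertion>
</saml2p:Response>"""

def parse_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime (with or without fractional seconds) as UTC."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAML timestamp: {value!r}")

def response_issue_instant(response_xml: str) -> datetime:
    """IssueInstant of the Response; used here as 'now' to replay the report."""
    return parse_instant(ET.fromstring(response_xml).get("IssueInstant"))

def authn_instant_age(response_xml: str, now: datetime) -> float:
    """Seconds elapsed between the assertion's AuthnInstant and `now`."""
    stmt = ET.fromstring(response_xml).find("saml2:Assertion/saml2:AuthnStatement", NS)
    if stmt is None:
        raise ValueError("no AuthnStatement in response")
    return (now - parse_instant(stmt.get("AuthnInstant"))).total_seconds()

def validate_authn_instant(response_xml: str, now: datetime,
                           max_lifetime_s: int, clock_skew_s: int = 60):
    """Return (accepted, reason). max_lifetime_s is an assumed SP setting."""
    age = authn_instant_age(response_xml, now)
    if age < -clock_skew_s:
        return False, "AuthnInstant is in the future"
    if age > max_lifetime_s + clock_skew_s:
        return False, f"AuthnInstant is {age:.0f}s old, limit is {max_lifetime_s}s"
    return True, "ok"
```

Replaying the report's own timestamps gives an AuthnInstant roughly 45 hours older than the Response, so any lifetime shorter than that (for example 24 hours, i.e. 86400 seconds) rejects the assertion exactly as the log shows.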
Is related to: JENKINS-50004 No more Oops!!! errors (Closed)