CLI and API call do not work with SAML Realm

This issue is archived. You can view it, but you can't modify it. Learn more

XMLWordPrintable

      Jenkins is configured with SAML 2.0 security realm (to connect to a Keycloak Identity Provider), and I can access to the GUI as a user 'jenkins_admin' created in Keycloak without problem.

      But when I try to get the "Crumb" to do API calls or to use "jenkins-cli.jar" by authenticating with the user/password of the keycloak user, I get errors as mentionned below :

       

      As Anonymous : OK

      $ java -jar jenkins-cli.jar -s $JENKINS_URL who-am-i

      Aug 05, 2019 1:16:21 PM org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar getOrCreateProvider
      INFO: getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProvider
      Authenticated as: anonymous
      Authorities:

       

      $ wget -q --auth-no-challenge --output-document - $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'

      Jenkins-Crumb:bc52953b81fdd89d445a6a898440a766%

       

      As SAML user : KO

      $ java -jar jenkins-cli.jar -s $JENKINS_URL -auth jenkins_admin:XXXXX who-am-i

      Aug 05, 2019 1:17:59 PM org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar getOrCreateProviderINFO: getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProviderjava.io.IOException: Server returned HTTP response code: 401 for URL: https://<jenkinsUrl>/cli?remoting=false at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1894) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263) at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:72) at hudson.cli.CLI.plainHttpConnection(CLI.java:279) at hudson.cli.CLI._main(CLI.java:271) at hudson.cli.CLI.main(CLI.java:83)

       

      $ wget -q --auth-no-challenge{{ -user jenkins_admin --password XXXXX --output-document - $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'}}

      <<NO OUTPUT>>

       

      I configured all permissions for this user in the authorization.

      When I switch back to a local user, all above commands work perfectly.

            Assignee:
            Ivan Fernandez Calvo
            Reporter:
            Guillaume Dupin
            Archiver:
            Jenkins Service Account

              Created:
              Updated:
              Resolved:
              Archived: