JENKINS-58809

CLI and API call do not work with SAML Realm


      Jenkins is configured with a SAML 2.0 security realm (to connect to a Keycloak Identity Provider), and I can access the GUI as a user 'jenkins_admin' created in Keycloak without problem.

      But when I try to get the "Crumb" to do API calls or to use "jenkins-cli.jar" by authenticating with the user/password of the Keycloak user, I get the errors mentioned below:

       

      As Anonymous : OK

      $ java -jar jenkins-cli.jar -s $JENKINS_URL who-am-i

      Aug 05, 2019 1:16:21 PM org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar getOrCreateProvider
      INFO: getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProvider
      Authenticated as: anonymous
      Authorities:

       

      $ wget -q --auth-no-challenge --output-document - $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'

      Jenkins-Crumb:bc52953b81fdd89d445a6a898440a766%

       

      As SAML user : KO

      $ java -jar jenkins-cli.jar -s $JENKINS_URL -auth jenkins_admin:XXXXX who-am-i

      Aug 05, 2019 1:17:59 PM org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar getOrCreateProvider
      INFO: getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProvider
      java.io.IOException: Server returned HTTP response code: 401 for URL: https://<jenkinsUrl>/cli?remoting=false
          at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1894)
          at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
          at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
          at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:72)
          at hudson.cli.CLI.plainHttpConnection(CLI.java:279)
          at hudson.cli.CLI._main(CLI.java:271)
          at hudson.cli.CLI.main(CLI.java:83)

       

      $ wget -q --auth-no-challenge --user jenkins_admin --password XXXXX --output-document - $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'

      <<NO OUTPUT>>

       

      I configured all permissions for this user in the authorization.

      When I switch back to a local user, all above commands work perfectly.

            ifernandezcalvo Ivan Fernandez Calvo
            yogeek Guillaume Dupin