SAML plugin wrong configuration

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Not A Defect
    • Component/s: saml-plugin
    • Labels:
      None
    • Environment:
      production, running Jenkins in a container, SAML plugin 1.1.5.
      jenkins.bre.mcd.com
      Description

      Steps:
      1- Logged in as admin to Jenkins (jenkins.bre.mcd.com)
      2- Installed SAML plugin 1.1.5
      3- Configured plugin with IdP metadata: (https://gasstg.mcd.com/federationmetadata/2007-06/federationmetadata.xml)
      4- Was logged out of Jenkins and now can't log back in, most likely as I was testing the metadata and didn't want it to take effect

      Full stack trace below, when trying to access jenkins.bre.mcd.com via browser

      Stack trace

      org.pac4j.saml.exceptions.SAMLException: No idp entityId found
          at org.pac4j.saml.metadata.SAML2IdentityProviderMetadataResolver.resolve(SAML2IdentityProviderMetadataResolver.java:107)
          at org.pac4j.saml.client.SAML2Client.initIdentityProviderMetadataResolver(SAML2Client.java:170)
          at org.pac4j.saml.client.SAML2Client.internalInit(SAML2Client.java:115)
          at org.pac4j.core.util.InitializableWebObject.init(InitializableWebObject.java:24)
          at org.jenkinsci.plugins.saml.OpenSAMLWrapper.createSAML2Client(OpenSAMLWrapper.java:153)
          at org.jenkinsci.plugins.saml.SamlRedirectActionWrapper.process(SamlRedirectActionWrapper.java:45)
          at org.jenkinsci.plugins.saml.SamlRedirectActionWrapper.process(SamlRedirectActionWrapper.java:30)
          at org.jenkinsci.plugins.saml.OpenSAMLWrapper.get(OpenSAMLWrapper.java:64)
          at org.jenkinsci.plugins.saml.SamlSecurityRealm.doCommenceLogin(SamlSecurityRealm.java:257)
          at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
          at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
          at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
          at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
          at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
          at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:535)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
      Caused: javax.servlet.ServletException
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:797)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
          at org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:219)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:676)
          at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
          at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:246)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
          at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:76)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
          at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
          at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:61)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
          at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
          at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
          at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:105)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
          at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
          at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
          at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
          at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
          at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
          at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
          at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
          at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
          at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
          at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1700)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
          at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
          at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
          at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1667)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
          at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
          at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
          at org.eclipse.jetty.server.Server.handle(Server.java:505)
          at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
          at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
          at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
          at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
          at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
          at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
          at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
          at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
          at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
          at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
          at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:698)
          at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:804)
          at java.lang.Thread.run(Thread.java:748)


          Activity

          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          Could you please attach the IdP metadata? Can you check if the JENKINS_HOME/saml-idp-metadata.xml is created?

          Could you check if the IdP metadata file looks like this one?
          https://github.com/jenkinsci/saml-plugin/blob/master/doc/TROUBLESHOOTING.md#idp-metadata

          The error org.pac4j.saml.exceptions.SAMLException: No idp entityId found suggests to me that the EntityDescriptor section is not correct: the entityID is not set or it is incorrect.

          <EntityDescriptor xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"
              xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
              entityID="https://SAML_SERVER/idp/">
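The check Ivan describes, written out as an added example (not part of the SAML plugin or pac4j): parse the IdP metadata and report the conditions that make the plugin fail at start, in particular an EntityDescriptor outside the SAML 2.0 metadata namespace or without an entityID, which is what the "No idp entityId found" error corresponds to. The hostnames in the sample are placeholders.

```python
"""Sanity-check SAML IdP metadata the way pac4j does at plugin start (added example)."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY_DESCRIPTOR = f"{{{MD_NS}}}EntityDescriptor"
IDP_SSO = f"{{{MD_NS}}}IDPSSODescriptor"
SSO_SERVICE = f"{{{MD_NS}}}SingleSignOnService"


def check_idp_metadata(xml_text: str) -> list:
    """Return a list of problems; empty means the metadata is usable as IdP metadata.

    The ticket's error, 'No idp entityId found', is what pac4j raises when no
    EntityDescriptor in the SAML 2.0 metadata namespace carries an entityID.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    # Root may be the EntityDescriptor itself or an EntitiesDescriptor wrapper.
    if root.tag == ENTITY_DESCRIPTOR:
        descriptors = [root]
    else:
        descriptors = list(root.iter(ENTITY_DESCRIPTOR))
    if not descriptors:
        return [f"no EntityDescriptor in namespace {MD_NS} (check the default xmlns)"]
    problems = []
    for ed in descriptors:
        entity_id = ed.get("entityID", "").strip()
        if not entity_id:
            problems.append("EntityDescriptor without entityID (pac4j: 'No idp entityId found')")
        idp = ed.find(IDP_SSO)
        if idp is None:
            problems.append(f"{entity_id or '<no entityID>'}: no IDPSSODescriptor, not IdP metadata")
        elif idp.find(SSO_SERVICE) is None:
            problems.append(f"{entity_id}: IDPSSODescriptor has no SingleSignOnService")
    return problems


# Constructed sample, not real IdP metadata; hostnames are placeholders.
GOOD = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idp.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
# The same document saved without its default namespace, or without entityID.
NO_NAMESPACE = GOOD.replace(' xmlns="urn:oasis:names:tc:SAML:2.0:metadata"', "")
NO_ENTITY_ID = GOOD.replace(' entityID="https://idp.example.test/adfs/services/trust"', "")
```

Run it against the file the plugin stores as JENKINS_HOME/saml-idp-metadata.xml (or the downloaded federation metadata) before enabling the realm, so a bad document is caught while the admin can still log in.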
          
          jkamel johnny kamel added a comment -

          Thank you Ivan Fernandez Calvo, attached is the IdP metadata; however, it is a staging metadata, so we might want to disable SAML altogether and revert back to logging in without SAML instead of trying to keep SAML enabled and trying to rely on this metadata.
          I will follow up with the dev team to see if the JENKINS_HOME/saml-idp-metadata.xml is created.
          With the information you have so far, is it possible to know how we can disable the plugin altogether to revert back to Jenkins user credentials before we try to use the SAML plugin at a later time? Like you mentioned, the metadata URL may not be correct as provided.

          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          To go back to the previous security realm you need a backup of the JENKINS_HOME/config.xml file: change it and restart Jenkins. If you do not have that file, the only way is to disable security and configure the security realm again: https://jenkins.io/doc/book/system-administration/security/#disabling-security
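The config.xml route Ivan points at, as an added example that is not Jenkins' own tooling: rather than copying the whole backup over the live file, take only the <securityRealm> element from the backup, so jobs, nodes and other settings changed since the backup survive. The realm class names are real Jenkins classes; the config fragments are constructed and reduced to what the swap needs.

```python
"""Replace the securityRealm in a Jenkins config.xml with the one from a backup
(added example, not Jenkins' own tooling). Jenkins must be restarted afterwards."""
import xml.etree.ElementTree as ET


def restore_security_realm(current_xml: str, backup_xml: str) -> str:
    """Return current_xml with only its <securityRealm> swapped for the backup's.

    Everything else (jobs, nodes, settings changed since the backup) is kept,
    which is why this beats restoring the whole backup file.
    """
    current = ET.fromstring(current_xml)
    backup = ET.fromstring(backup_xml)
    old = current.find("securityRealm")
    new = backup.find("securityRealm")
    if old is None or new is None:
        raise ValueError("both documents need a top-level <securityRealm> element")
    position = list(current).index(old)   # keep the element where Jenkins wrote it
    current.remove(old)
    current.insert(position, new)
    return ET.tostring(current, encoding="unicode")


def realm_class(config_xml: str) -> str:
    """Return the class attribute of <securityRealm>, to confirm what is active."""
    realm = ET.fromstring(config_xml).find("securityRealm")
    return realm.get("class", "") if realm is not None else ""


# Constructed config.xml fragments: the realm element as it looks while the SAML
# plugin is active (children omitted) and a backup taken with the built-in user database.
SAML_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <securityRealm class="org.jenkinsci.plugins.saml.SamlSecurityRealm" plugin="saml@1.1.5"/>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy"/>
</hudson>"""
BACKUP_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""
```

Write the result to a new file, diff it against the live config.xml, then move it into place and restart Jenkins; the swap does nothing until the restart.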


            People

            Assignee:
            ifernandezcalvo Ivan Fernandez Calvo
            Reporter:
            jkamel johnny kamel
            Votes:
            0
            Watchers:
            2
