
Jenkins SAML SLO fails due to CSRF

    • Type: Bug
    • Resolution: Cannot Reproduce
    • Priority: Major
    • Component: saml-plugin

      Once you configure the "Logout URL" field in the SAML plugin and hit the "Logout" button in the Jenkins UI, logout fails with a message:

      HTTP ERROR 403 No valid crumb was included in the request

      I believe this is due to the, now enforced, CSRF protection.

      When I disable the SAML plugin and log on with a local Jenkins user, the logout functionality works as expected.

      As a workaround, I have tried to:

      • Enable/disable the "proxy compatibility" checkbox for the Default Crumb Issuer
      • Add a reverse proxy (Nginx) to my setup in order to redirect the browser to the Identity Provider for Single Log Out
        The problem with this is that we bypass Jenkins' standard logout and I can't figure out how to reset the Jenkins session
      • Install and configure the Strict Crumb Issuer Plugin which provides more options to customize the crumb validation

      None of the above worked for me.
      The only thing that did work was to disable the CSRF protection completely. However, this is not a viable workaround for my production Jenkins instance.

      hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true


      Other issues seem to suggest that this issue is to be resolved by the plugin used.
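One way to confirm whether the 403 on logout is the crumb check rather than something in the SAML flow is to replay the logout POST from the same browser session once without and once with a crumb fetched from /crumbIssuer/api/json. The script below is an added diagnostic, not code from the reporter or the saml-plugin; the Jenkins base URL and the session Cookie header (copied from your own browser session) are assumed to be supplied on the command line, and the crumb value in the embedded sample JSON is constructed.

```python
import json
import sys
import urllib.error
import urllib.request

# Constructed sample of the reply from /crumbIssuer/api/json: the field names are the
# real ones Jenkins uses, the crumb value itself is made up for offline testing.
SAMPLE_CRUMB_JSON = ('{"_class":"hudson.security.csrf.DefaultCrumbIssuer",'
                     '"crumb":"deadbeef","crumbRequestField":"Jenkins-Crumb"}')


def crumb_header(crumb_json: str) -> dict:
    """Turn the crumb issuer's JSON reply into the header Jenkins expects on a POST."""
    data = json.loads(crumb_json)
    return {data["crumbRequestField"]: data["crumb"]}


def classify(status: int) -> str:
    """Map the HTTP status of the logout POST to a short diagnosis."""
    if status == 403:
        return "rejected: no valid crumb (CSRF check failed)"
    if status in (200, 302):
        return "accepted: session logout went through"
    return f"unexpected status {status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow the post-logout redirect (it may go to the SAML IdP); we only want the status.
    def redirect_request(self, *args, **kwargs):
        return None


def post_logout(base_url: str, cookie_header: str, with_crumb: bool) -> int:
    """POST /logout with the browser's session cookie, optionally adding the crumb for that session."""
    opener = urllib.request.build_opener(_NoRedirect)
    headers = {"Cookie": cookie_header}
    if with_crumb:
        # The default crumb is bound to the session, so it must be fetched with the same cookie.
        with opener.open(urllib.request.Request(f"{base_url}/crumbIssuer/api/json", headers=headers)) as r:
            headers.update(crumb_header(r.read().decode()))
    req = urllib.request.Request(f"{base_url}/logout", data=b"", headers=headers, method="POST")
    try:
        with opener.open(req) as r:
            return r.status
    except urllib.error.HTTPError as e:  # 302 and 403 both surface here because redirects are not followed
        return e.code


if __name__ == "__main__":
    base, cookie = sys.argv[1].rstrip("/"), sys.argv[2]  # e.g. https://jenkins.example "JSESSIONID.xxx=..."
    for flag in (False, True):
        print(f"logout {'with' if flag else 'without'} crumb: {classify(post_logout(base, cookie, flag))}")
```

If the run without a crumb yields the 403 and the run with a crumb is accepted, the crumb check is what blocks the plugin's logout and the SAML redirect is not the cause.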

            ifernandezcalvo Ivan Fernandez Calvo
            chris_dw Chris DeVille