JENKINS-63345

Jenkins SAML SLO fails due to CSRF


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Component/s: saml-plugin

      Description

      Once you configure the "Logout URL" field in the SAML plugin and hit the "Logout" button in the Jenkins UI, logout fails with a message:

      HTTP ERROR 403 No valid crumb was included in the request

      I believe this is due to the now-enforced CSRF protection (https://www.jenkins.io/doc/upgrade-guide/2.176/).

      When I disable the SAML plugin and log on with a local Jenkins user, the logout functionality works as expected.

      As a workaround, I have tried to:

      • Enable/disable the "proxy compatibility" checkbox for the Default Crumb Issuer
      • Add a reverse proxy (Nginx) to my setup in order to redirect the browser to the Identity Provider for Single Log Out
        The problem with this is that we bypass Jenkins' standard logout and I can't figure out how to reset the Jenkins session
      • Install and configure the Strict Crumb Issuer Plugin, which provides more options to customize the crumb validation

      None of the above worked for me.
      The only thing that did work was to disable the CSRF protection completely. However, this is not a viable workaround for my production Jenkins instance.

      hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true


      Other issues (https://issues.jenkins-ci.org/browse/JENKINS-61375) seem to suggest that this issue is to be resolved by the plugin used.
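      A way to tell whether a "No valid crumb" logout failure reproduces outside the browser, as an added triage script that is not part of the issue or of the saml-plugin: it fetches a crumb from /crumbIssuer/api/json with the browser's own session cookie and replays POST /logout with that crumb. JENKINS_URL and SESSION_COOKIE are placeholders; the crumb endpoint and the Jenkins-Crumb field are the real Jenkins ones.

```python
"""Triage helper for a Jenkins logout that fails with "403 No valid crumb".
Replays the browser's flow: fetch a crumb from /crumbIssuer/api/json with the
SAME session cookie, then POST /logout carrying that crumb.  A Jenkins crumb is
tied to the web session that issued it, so the cookie must be the browser's
SAML-authenticated session; API-token auth is exempt from the crumb check and
would hide the problem.  JENKINS_URL and SESSION_COOKIE are placeholders."""
import json
import urllib.error
import urllib.request

JENKINS_URL = "https://jenkins.example.invalid"                 # placeholder
SESSION_COOKIE = "JSESSIONID.0123abcd=<copied-from-browser>"    # placeholder


def crumb_header(crumb_json: str) -> dict:
    """Header for the POST, built from the /crumbIssuer/api/json body.
    crumbRequestField is 'Jenkins-Crumb' by default but is configurable."""
    data = json.loads(crumb_json)
    return {data["crumbRequestField"]: data["crumb"]}


def classify_logout(status: int, body: str) -> str:
    """Map the raw response of POST /logout to a triage verdict."""
    if status == 403 and "No valid crumb" in body:
        return "crumb-rejected"   # the failure reported in this issue
    if status in (302, 303):
        return "redirected"       # expected: Jenkins sends the browser onward
    return "other:%d" % status


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None               # surface 302 as HTTPError, don't follow it


def _request(opener, url, headers, data=None):
    req = urllib.request.Request(url, data=data, headers=headers)
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def post_logout(base_url: str, cookie: str) -> str:
    """Fetch a crumb, replay POST /logout, return the triage verdict."""
    opener = urllib.request.build_opener(_NoRedirect)
    hdrs = {"Cookie": cookie}
    status, body = _request(opener, base_url + "/crumbIssuer/api/json", hdrs)
    if status != 200:
        return "crumb-fetch-failed:%d" % status   # cookie not logged in?
    hdrs.update(crumb_header(body))
    status, body = _request(opener, base_url + "/logout", hdrs, data=b"")
    return classify_logout(status, body)
```

      If the replay returns "redirected" while the UI button still gets a 403, the difference lies in what the browser sends on that form POST (cookie, crumb field or proxy-rewritten headers), which narrows the search to the proxy or plugin layer.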


          Activity

          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          I cannot replicate it. I have configured the SAML plugin and a logout URL; after login, I click on the logout button and I am redirected to the logout URL without any issue. This is my test environment: https://github.com/kuisathaverat/jenkins-issues/tree/master/JENKINS-63345


            People

            Assignee:
            ifernandezcalvo Ivan Fernandez Calvo
            Reporter:
            chris_dw Chris DeVille
            Votes: 0
            Watchers: 2
