
SAML 1.1.7 upgrade from 1.1.6 won't login in user


    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Component/s: saml-plugin
    • Labels:
      None
    • Environment:
      Jenkins 2.249.1
    • Released As:
      saml-2.0.2

      Description

      When doing the upgrade to the SAML plugin all users get to the Jenkins screen but it says you were logged off.  Hit Login and it takes you right back to logged off.

      2020-09-16 13:35:41.479+0000 [id=16]	WARNING	o.j.p.saml.SamlSecurityRealm#doFinishLogin: Unable to validate the SAML Response: Authentication response is not success ; actual urn:oasis:names:tc:SAML:2.0:status:Requester / Invalid message signature; nested exception is org.pac4j.saml.exceptions.SAMLException: Authentication response is not success ; actual urn:oasis:names:tc:SAML:2.0:status:Requester / Invalid message signature
      For more info check 'Maximum Authentication Lifetime' at https://github.com/jenkinsci/saml-plugin/blob/master/doc/CONFIGURE.md#configuring-plugin-settings
      If you have issues check the troubleshoting guide at https://github.com/jenkinsci/saml-plugin/blob/master/doc/TROUBLESHOOTING.md
      org.pac4j.saml.exceptions.SAMLException: Authentication response is not success ; actual urn:oasis:names:tc:SAML:2.0:status:Requester / Invalid message signature
      	at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSamlProtocolResponse(SAML2DefaultResponseValidator.java:208)
      	at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validate(SAML2DefaultResponseValidator.java:132)
      	at org.pac4j.saml.sso.impl.SAML2WebSSOMessageReceiver.receiveMessage(SAML2WebSSOMessageReceiver.java:77)
      	at org.pac4j.saml.sso.impl.SAML2WebSSOProfileHandler.receive(SAML2WebSSOProfileHandler.java:35)
      	at org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:225)
      	at org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:60)
      	at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:106)
      	at org.jenkinsci.plugins.saml.SamlProfileWrapper.process(SamlProfileWrapper.java:55)
      Caused: org.acegisecurity.BadCredentialsException: Authentication response is not success ; actual urn:oasis:names:tc:SAML:2.0:status:Requester / Invalid message signature; nested exception is org.pac4j.saml.exceptions.SAMLException: Authentication response is not success ; actual urn:oasis:names:tc:SAML:2.0:status:Requester / Invalid message signature
      	at org.jenkinsci.plugins.saml.SamlProfileWrapper.process(SamlProfileWrapper.java:59)
      	at org.jenkinsci.plugins.saml.SamlProfileWrapper.process(SamlProfileWrapper.java:35)
      	at org.jenkinsci.plugins.saml.OpenSAMLWrapper.get(OpenSAMLWrapper.java:64)
      	at org.jenkinsci.plugins.saml.SamlSecurityRealm.doFinishLogin(SamlSecurityRealm.java:311)
      	at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
      	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
      	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
      	at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77)
      	at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
      	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
      	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
      	at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:536)
      	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
      	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
      	at org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:220)
      	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
      	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:694)
      	at org.kohsuke.stapler.Stapler.service(Stapler.java:240)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:763)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1631)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
      	at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:129)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at hudson.plugins.audit_trail.AuditTrailFilter.doFilter(AuditTrailFilter.java:113)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:76)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:248)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:61)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at com.smartcodeltd.jenkinsci.plugin.assetbundler.filters.LessCSS.doFilter(LessCSS.java:47)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:239)
      	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215)
      	at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
      	at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:114)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at javax.servlet.FilterChain$doFilter.call(Unknown Source)
      	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
      	at javax.servlet.FilterChain$doFilter.call(Unknown Source)
      	at com.ceilfors.jenkins.plugins.jiratrigger.ExceptionLoggingFilter.doFilter(ExceptionLoggingFilter.groovy:29)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1618)
      	at org.jenkinsci.plugins.saml.SamlCrumbExclusion.process(SamlCrumbExclusion.java:26)
      	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:127)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1618)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
      	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
      	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1618)
      	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:51)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1618)
      	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1618)
      	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1618)
      	at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:36)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1618)
      	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:549)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
      	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:578)
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
      	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
      	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1610)
      	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
      	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1369)
      	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
      	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:489)
      	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1580)
      	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
      	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1284)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
      	at org.eclipse.jetty.server.Server.handle(Server.java:501)
      	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
      	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:556)
      	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
      	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:272)
      	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
      	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
      	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
      	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375)
      	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806)
      	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938)
      	at java.lang.Thread.run(Thread.java:745)
      


          Activity

          ifernandezcalvo Ivan Fernandez Calvo added a comment - - edited

          From which version did you upgrade? To which version did you upgrade?

          Taking a look at the error, it is not related to the upgrade: the signature of the SAMLResponse message does not match the expected signature. This means the IdP metadata does not have the correct key or it has expired, or the key used to sign and encrypt from Jenkins has expired. In any case, it does not seem to be an issue; it is something in the configuration and was probably failing before the upgrade.

          Caused: org.acegisecurity.BadCredentialsException: Authentication response is not success ; actual urn:oasis:names:tc:SAML:2.0:status:Requester / Invalid message signature; nested exception is org.pac4j.saml.exceptions.SAMLException: Authentication response is not success ; actual urn:oasis:names:tc:SAML:2.0:status:Requester / Invalid message signature
          
          charbl2007 Larry Charbonneau added a comment -

          Ok, we are running 1.1.6 and all is good with the SAML plugin and users are logged in upon getting into Jenkins.  So everything is good.  When we upgrade the SAML plugin to version 1.1.7 and restart Jenkins, upon hitting Jenkins every user is presented a Jenkins screen that says you have logged off.  There is no way to log into Jenkins to try and resolve anything.  We are forced to drop back to version 1.1.6.  All we did was upgrade the SAML plugin .... did not change any config of the SAML settings.

          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          It is weird; this version does not have significant changes in code, it removes some unused methods and updates a library: https://github.com/jenkinsci/saml-plugin/releases/tag/saml-1.1.7.
          Did you restart after the plugin update to grab the new lib?
          Did you clean the cookies in the browser and try to log in again?

          I have tried to replicate the issue, but without the exact parameters of your config it is difficult. Could you attach the security part of the JENKINS_HOME/config.xml and the JENKINS_HOME/saml-*.xml files? I need to see the config and the files generated, so you can replace IPs, DNS names, and keys with placeholders.

          charbl2007 Larry Charbonneau added a comment - - edited

          Added two files.  We did restart Jenkins after update.  I did not clear cookies in browser.

          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          I have configured an environment based on your configuration using SAML plugin 1.1.6. I logged in with a user (tesla:password), then updated the SAML plugin to 1.1.7 and restarted the instance. When the instance was ready I logged in to the instance without problems (https://github.com/kuisathaverat/jenkins-issues/tree/master/JENKINS-63703). So I can not replicate the issue; it should be something in the SAMLResponse, but I can't figure out what. You can try to test it in a test environment, increasing the log verbosity to grab the SAMLResponse and see what it could be: https://github.com/jenkinsci/saml-plugin/blob/master/doc/TROUBLESHOOTING.md#troubleshooting

          hibernal dan ginsberg added a comment -

          Same issue (same log lines and same behavior).  If I log in via ADFS, SAML works.  If I go to Jenkins and get redirected to ADFS, login fails.

          Verified that I do in fact have '-Dorg.apache.xml.security.ignoreLineBreaks=true' in my JAVA_OPTS.

          Broke on plugin update from 1.1.2 to 1.1.7.

          Jenkins Version: 2.263.3

          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          Could you test the latest version, 2.0.1? It uses a more recent version of pac4j and OpenSAML; I am interested in the exception to see if it gives me more info.

          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          If you do not grab the SP metadata from the URL JENKINS_URL/securityRealm/metadata on your IdP, check that it is updated on your IdP; it can cause a misunderstanding between the SP (Jenkins) and the IdP (SAML service) because they have different options configured.

          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          This is probably resolved in saml-2.0.2. I think it is related to the encryption and signing options in the SP metadata; it requires updating the plugin and updating the SP metadata in the IdP.

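A defender-side check for the situation described in the last two comments (the SP metadata registered at the IdP no longer matching what Jenkins serves at securityRealm/metadata) and for the wrong-key case raised in the first reply. This is an added example, not code from the saml-plugin or from anyone in this thread; the metadata documents, the entityID and the certificate bytes are constructed placeholders, and `metadata_drift` is a hypothetical helper name.

```python
"""Compare the SP metadata registered at the IdP with what Jenkins serves now.
Hypothetical diagnostic, not part of the saml-plugin; input metadata is constructed
inline (a real run would load JENKINS_URL/securityRealm/metadata and the IdP's copy)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CHECKED = ("entityID", "AuthnRequestsSigned", "WantAssertionsSigned",
           "signing", "encryption")


def summarize_sp_metadata(xml_text):
    """Fields that must agree between SP and IdP: entityID, the signing flags,
    and SHA-256 fingerprints of the SP signing/encryption certificates."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    summary = {"entityID": root.get("entityID"),
               "AuthnRequestsSigned": sp.get("AuthnRequestsSigned", "false").lower(),
               "WantAssertionsSigned": sp.get("WantAssertionsSigned", "false").lower(),
               "signing": set(), "encryption": set()}
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' applies to both signing and encryption.
        uses = (kd.get("use"),) if kd.get("use") else ("signing", "encryption")
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            for use in uses:
                summary[use].add(hashlib.sha256(der).hexdigest())
    return summary


def metadata_drift(registered_xml, current_xml):
    """One line per field where the IdP's registered copy disagrees with Jenkins."""
    idp = summarize_sp_metadata(registered_xml)
    jenkins = summarize_sp_metadata(current_xml)
    return [f"{k}: IdP has {idp[k]!r}, Jenkins serves {jenkins[k]!r}"
            for k in CHECKED if idp[k] != jenkins[k]]


def _sample(authn_signed, want_signed, cert_b64):
    # Constructed metadata skeleton; the certificate is a labelled placeholder.
    key = ('<md:KeyDescriptor use="{u}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
           f'{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://jenkins.example.invalid/securityRealm/finishLogin">'
            f'<md:SPSSODescriptor AuthnRequestsSigned="{authn_signed}" '
            f'WantAssertionsSigned="{want_signed}" '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            + key.format(u="signing") + key.format(u="encryption")
            + '</md:SPSSODescriptor></md:EntityDescriptor>')


# Constructed stand-ins for DER certificates (not real X.509 data).
OLD_CERT = base64.b64encode(b"constructed SP certificate, before upgrade").decode()
NEW_CERT = base64.b64encode(b"constructed SP certificate, after upgrade").decode()
REGISTERED_AT_IDP = _sample("false", "false", OLD_CERT)  # stale copy kept at the IdP
SERVED_BY_JENKINS = _sample("true", "true", NEW_CERT)    # what Jenkins serves now

if __name__ == "__main__":
    for line in metadata_drift(REGISTERED_AT_IDP, SERVED_BY_JENKINS):
        print("DRIFT", line)
```

Any reported line is a reason to re-upload the current SP metadata to the IdP before looking further at the "Invalid message signature" error.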

            People

            Assignee:
            ifernandezcalvo Ivan Fernandez Calvo
            Reporter:
            charbl2007 Larry Charbonneau
            Votes:
            1
            Watchers:
            4
