Jenkins / JENKINS-64468

Group retrieval via URL not working


      Description

      We are using the SAML plugin to enable SSO with Active Directory:

      securityRealm:
          saml:
            advancedConfiguration:
              forceAuthn: true
              spEntityId: "spn:<app-id>"
            binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            displayNameAttributeName: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
            emailAttributeName: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
            groupsAttributeName: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
            idpMetadataConfiguration:
              period: 1440
              url: "https://login.microsoftonline.com/<not-sure-if-this-needs-to-be-secret>/federationmetadata/2007-06/federationmetadata.xml?appid=<app-id>"
            maximumAuthenticationLifetime: 86400
            usernameAttributeName: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
            usernameCaseConversion: "lowercase"
      

      We have a user that is part of many AD groups such that the SAML token upon authentication contains a URL to further retrieve the user's group list:

      <Attribute Name="http://schemas.microsoft.com/claims/groups.link"><AttributeValue>https://graph.windows.net/<not-sure-if-this-needs-to-be-secret>/users/<id>/getMemberObjects</AttributeValue></Attribute>
      

      But the plugin does not appear to properly retrieve the groups from the linked URL.  Is this a bug, or am I missing something in the plugin configuration?


          Activity

          cmamigonian Camden Mamigonian created issue -
          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          This is a standard SAML response; if you take a look at the AttributeStatement you can see how the groups should be passed. What you (your AD) are doing is using an attribute to pass a link where the groups are; this is a weird, unsupported way to pass groups. I guess that only Microsoft supports it.

          <Response
              xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
              Destination="https://JENKINS_SERVER/securityRealm/finishLogin"
              ID="_c266abbff66bba8bcd763443655ea1c5861d"
              InResponseTo="_75a5cb8c9514c22751e05b29e698e0e8"
              IssueInstant="2016-04-18T19:04:53Z"
              Version="2.0">
              <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://SAML_SERVER/idp/</ns1:Issuer>
              <Status>
                  <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
              </Status>
              <ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_4d406d6505202232c48a50726c55d58f548c"            
                  IssueInstant="2016-04-18T19:04:53Z" Version="2.0">
                  <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://SAML_SERVER/idp/</ns2:Issuer>
                  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                      <ds:SignedInfo>
                          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                          <ds:Reference URI="#_4d406d6505202232c48a50726c55d58f548c">
                              <ds:Transforms>
                                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                              </ds:Transforms>
                              <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                              <ds:DigestValue>B+nZTeDSNSpigeyDg2475274242ARIw6ttEXHY3PMk=</ds:DigestValue>
                          </ds:Reference>
                      </ds:SignedInfo>
                      <ds:SignatureValue>VTCuyYj09/CbuU7+pX6g3wjTlocTH83RkWEG6xy2t1ZSDPS0Q0gjfmh8/HMNSOoold9i2zY5Qi4/idZ7yKBe0nR7WDZDPkc3FSovvX73FThJEZ5aJk/6uhr5yUzj3qypA9bLsHdMO75SfaDzotb0c4mIBWLuPX245sZretx6pNRHDYntgQB9ikYC6UQPuSwn1+p/iq1B+GnbNp7m+og0rL5ooc7jPnpqiWBn2648ZCSsnoemrCiSmDVR90XJ7GFEz27W7BH8ZH49DdML6xmqiBvWmZC7LpfkcoF54mLZMdVYM=
                      </ds:SignatureValue>
                      <ds:KeyInfo>
                          <ds:X509Data>
                              <ds:X509Certificate>CERTIFICATE_DATA</ds:X509Certificate>
                          </ds:X509Data>
                      </ds:KeyInfo>
                  </ds:Signature>
                  <!-- User information -->
                  <ns2:Subject>
                      <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">USER_NAME</ns2:NameID>
                      <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                      <ns2:SubjectConfirmationData InResponseTo="_75a5cb8c9514c22751e05b29e698e0e8" NotOnOrAfter="2016-04-18T19:06:23Z"   
                          Recipient="https://JENKINS_SERVER/securityRealm/finishLogin"/>
                      </ns2:SubjectConfirmation>
                  </ns2:Subject>
                  <!-- expiration of session -->
                  <ns2:Conditions NotBefore="2016-04-18T19:04:23Z" NotOnOrAfter="2016-04-18T19:06:23Z">
                      <ns2:AudienceRestriction>
                          <ns2:Audience>https://JENKINS_SERVER/securityRealm/finishLogin</ns2:Audience>
                      </ns2:AudienceRestriction>
                  </ns2:Conditions>
                  <ns2:AuthnStatement AuthnInstant="2016-04-18T19:04:53Z" SessionIndex="/47O5ynZIyr+2365762LqnEmAZs=JI+mPg=="
                      SessionNotOnOrAfter="2016-04-18T19:06:23Z">
                      <ns2:AuthnContext>
                          <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
                      </ns2:AuthnContext>
                  </ns2:AuthnStatement>
                  <!-- Authorization Groups: one AttributeValue per group, under the configured groups attribute -->
                  <ns2:AttributeStatement>
                      <ns2:Attribute Name="groups">
                          <ns2:AttributeValue>groupOne</ns2:AttributeValue>
                          <ns2:AttributeValue>groupTwo</ns2:AttributeValue>
                          <ns2:AttributeValue>groupThree</ns2:AttributeValue>
                      </ns2:Attribute>
                  </ns2:AttributeStatement>
              </ns2:Assertion>
          </Response>
          
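          As an added example (not part of the issue and not the SAML plugin's own code): a small Python check that reads an assertion's AttributeStatement the way the comment above describes, listing the values under the configured groups attribute and flagging the Microsoft `groups.link` attribute from the report, so an administrator can tell an overage token (link instead of group names, which the plugin does not follow) from a user who genuinely has no groups. The attribute names are the ones from this issue; the two sample assertions are constructed and unsigned.

```python
"""Inspect a SAML assertion's AttributeStatement for group claims.
Added example, not Jenkins SAML plugin code: reports group values under the
configured groups attribute and flags the Microsoft groups.link URL."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names taken from the issue's configuration and the reporter's token.
GROUPS_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK_ATTR = "http://schemas.microsoft.com/claims/groups.link"


def attribute_values(assertion_xml):
    """Return {Attribute Name: [AttributeValue text, ...]} from the statement."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found


def check_groups(assertion_xml, groups_attribute_name=GROUPS_ATTR):
    """Classify the token: 'ok' (group values present), 'overage' (only a
    groups.link URL, which the plugin does not follow) or 'no-groups'."""
    attrs = attribute_values(assertion_xml)
    groups = attrs.get(groups_attribute_name, [])
    link = attrs.get(GROUPS_LINK_ATTR, [None])[0]
    if groups:
        status = "ok"
    elif link:
        status = "overage"  # IdP sent a link instead of group names; plugin reads no groups
    else:
        status = "no-groups"
    return {"status": status, "groups": groups, "overage_link": link}


# Constructed sample assertions (placeholder tenant/user ids, no signature).
NORMAL_ASSERTION = f"""<Assertion xmlns="{SAML_NS['saml']}" ID="_sample1" Version="2.0">
  <AttributeStatement><Attribute Name="{GROUPS_ATTR}">
    <AttributeValue>groupOne</AttributeValue><AttributeValue>groupTwo</AttributeValue>
  </Attribute></AttributeStatement></Assertion>"""
OVERAGE_ASSERTION = f"""<Assertion xmlns="{SAML_NS['saml']}" ID="_sample2" Version="2.0">
  <AttributeStatement><Attribute Name="{GROUPS_LINK_ATTR}">
    <AttributeValue>https://graph.windows.net/TENANT_ID/users/USER_ID/getMemberObjects</AttributeValue>
  </Attribute></AttributeStatement></Assertion>"""

if __name__ == "__main__":
    for label, token in (("normal", NORMAL_ASSERTION), ("overage", OVERAGE_ASSERTION)):
        print(label, check_groups(token))
```

Run it against a decoded SAMLResponse captured from a browser login to see whether a user's token carries group names or only the link.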
          ifernandezcalvo Ivan Fernandez Calvo made changes -
          Resolution: Not A Defect
          Status: Open -> Closed
          cmamigonian Camden Mamigonian added a comment -

          Yes, for users in fewer than 250 groups (or something) it shows like that, but if you're in too many it will pass a link. So, if I understand, you're saying this linked way is unsupported by the plugin? If so, is there a way to support it?

          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          This way to pass the groups is not standard; AFAIK it is only implemented by Microsoft. This SAML plugin implements standards, so it will not support weird implementations from vendors. So there is no way to configure the SAML plugin to grab those groups; also, this link probably needs authentication, which makes it weirder to get them, because SAML does not know any password or anything about your AD, and it should be that way. My recommendation is to use the AD plugin to authenticate, or not to use users with more than 250 groups to access the CI.


            People

            Assignee: ifernandezcalvo Ivan Fernandez Calvo
            Reporter: cmamigonian Camden Mamigonian
            Votes: 0
            Watchers: 2
