Bug
Resolution: Fixed
Major
Jenkins: 2.282
OS: Linux (Ubuntu 18.04) - 5.4.0-1038-aws
---
google-login:1.6
pipeline-milestone-step:1.3.2
blueocean-github-pipeline:1.24.4
workflow-basic-steps:2.23
favorite:2.3.3
workflow-aggregator:2.6
blueocean-display-url:2.4.1
sse-gateway:1.24
dashboard-view:2.14
blueocean-dashboard:1.24.4
configuration-as-code:1.47
momentjs:1.1.1
workflow-scm-step:2.12
rebuild:1.32
junit:1.48
envinject-api:1.7
global-build-stats:1.5
blueocean-config:1.24.4
docker-commons:1.17
built-on-column:1.1
windows-slaves:1.7
ssh-slaves:1.31.5
apache-httpcomponents-client-4-api:4.5.13-1.0
conditional-buildstep:1.4.1
pipeline-stage-step:2.5
jaxb:2.3.0.1
blueocean-pipeline-scm-api:1.24.4
script-security:1.76
blueocean-rest:1.24.4
blueocean-pipeline-editor:1.24.4
blueocean-jwt:1.24.4
blueocean-commons:1.24.4
pipeline-github-lib:1.0
icon-shim:3.0.0
javadoc:1.6
plain-credentials:1.7
kubernetes:1.29.2
oauth-credentials:0.4
antisamy-markup-formatter:2.1
groovy-postbuild:2.5
git-parameter:0.9.13
saml:1.1.7
jquery3-api:3.5.1-3
blueocean-core-js:1.24.4
throttle-concurrents:2.1
ws-cleanup:0.39
matrix-auth:2.6.5
mailer:1.32.1
slack:2.45
blueocean-personalization:1.24.4
jquery-detached:1.2.1
parameterized-trigger:2.40
google-oauth-plugin:1.0.3
kubernetes-cli:1.10.0
jenkins-design-language:1.24.4
groovy:2.3
plugin-util-api:2.0.0
cloudbees-folder:6.15
blueocean-rest-impl:1.24.4
github-pullrequest:0.2.8
git-prebuildmerge-trait:1.0
extended-read-permission:3.2
workflow-support:3.7
build-metrics:1.3
jackson2-api:2.12.1
ace-editor:1.1
ssh-agent:1.21
pipeline-build-step:2.13
metrics:4.0.2.7
pipeline-input-step:2.12
jdk-tool:1.5
blueocean-web:1.24.4
workflow-cps-global-lib:2.18
resource-disposer:0.15
pam-auth:1.6
blueocean-events:1.24.4
copyartifact:1.46
handlebars:1.1.1
mapdb-api:1.0.9.0
publish-over:0.22
pipeline-rest-api:2.19
git-server:1.9
google-cloud-backup:0.6
external-monitor-job:1.7
git:4.6.0
handy-uri-templates-2-api:2.1.8-1.0
github-branch-source:2.10.2
ant:1.11
pipeline-model-definition:1.8.4
checks-api:1.5.0
blueocean-git-pipeline:1.24.4
github-api:1.123
jquery:1.12.4-1
publish-over-ssh:1.22
command-launcher:1.5
pipeline-multibranch-defaults:2.1
ssh:2.6.1
pipeline-model-extensions:1.8.4
build-name-setter:2.1.0
matrix-project:1.18
lockable-resources:2.10
durable-task:1.35
pipeline-graph-analysis:1.10
aws-credentials:1.28
atlassian-jira-software-cloud:1.3.0
git-client:3.6.0
email-ext:2.82
ghprb:1.42.2
github:1.33.1
kubernetes-client-api:4.13.2-1
blueocean-i18n:1.24.4
timestamper:1.11.8
workflow-multibranch:2.22
backup-interrupt-plugin:1.0
pubsub-light:1.13
ldap:2.4
basic-branch-build-strategies:1.3.2
jjwt-api:0.11.2-9.c8b45b8bb173
pipeline-model-api:1.8.4
popper-api:1.16.1-2
workflow-durable-task-step:2.38
echarts-api:5.0.1-1
credentials:2.3.15
token-macro:2.15
ssh-credentials:1.18.1
workflow-job:2.40
config-file-provider:3.7.0
branch-api:2.6.3
badge:1.8
workflow-api:2.41
workflow-cps:2.90
pipeline-stage-tags-metadata:1.8.4
run-condition:1.5
blueocean-pipeline-api-impl:1.24.4
font-awesome-api:5.15.2-2
variant:1.4
bouncycastle-api:2.18
jira:3.2
github-oauth:0.33
cloudbees-bitbucket-branch-source:2.9.7
aws-java-sdk:1.11.955
kubernetes-credentials:0.8.0
credentials-binding:1.24
structs:1.22
display-url-api:2.3.4
blueocean:1.24.4
swarm:3.24
htmlpublisher:1.25
okhttp-api:3.14.9
bootstrap4-api:4.6.0-2
authentication-tokens:1.4
emailext-template:1.2
blueocean-autofavorite:1.2.4
workflow-step-api:2.23
authorize-project:1.3.0
postbuild-task:1.9
build-pipeline-plugin:1.5.8
trilead-api:1.0.13
build-timeout:1.20
audit-trail:3.8
role-strategy:3.1
blueocean-bitbucket-pipeline:1.24.4
jsch:0.1.55.2
sshd:3.0.3
maven-plugin:3.9
snakeyaml-api:1.27.0
envinject:2.4.0
pipeline-stage-view:2.19
scm-api:2.6.4
postbuildscript:2.11.0
jenkins-multijob-plugin:1.36
docker-workflow:1.26
saml-2.0.2
Our setup was working fine using saml-plugin 1.1.7 to log in using JumpCloud-based accounts. Upon upgrading the plugin to 2.0.0 and restarting the Jenkins service, every attempt at login was met with:
You are now logged out of Jenkins, however this has not logged you out of SAML.
Have a nice day
Tried:
- Clearing browser cache
- Using FF & Chrome
- Using private browsing windows of each browser
- Restarting Jenkins service & server
These were the only new SAML-related logs that showed up when trying to log in.
2021-03-03 22:59:47.828+0000 [id=18] SEVERE o.p.s.s.i.SAML2AuthnResponseValidator#validateSamlSSOResponse: Current assertion validation failed, continue with the next one
2021-03-03 22:59:47.837+0000 [id=17] SEVERE o.p.s.s.i.SAML2AuthnResponseValidator#validateSamlSSOResponse: Current assertion validation failed, continue with the next one
2021-03-03 22:59:47.848+0000 [id=17] WARNING o.j.p.saml.SamlSecurityRealm#doFinishLogin: Unable to validate the SAML Response: Assertion must be explicitly signed; nested exception is org.pac4j.saml.exceptions.SAMLSignatureRequiredException: Assertion must be explicitly signed
2021-03-03 22:59:47.848+0000 [id=18] WARNING o.j.p.saml.SamlSecurityRealm#doFinishLogin: Unable to validate the SAML Response: Assertion must be explicitly signed; nested exception is org.pac4j.saml.exceptions.SAMLSignatureRequiredException: Assertion must be explicitly signed
2021-03-03 22:59:48.184+0000 [id=16] INFO o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Blacklisted Algorithms
2021-03-03 22:59:48.185+0000 [id=16] INFO o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Signature Algorithms
2021-03-03 22:59:48.185+0000 [id=16] INFO o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Signature Reference Digest Methods
2021-03-03 22:59:48.185+0000 [id=16] INFO o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Canonicalization Algorithm
We ended up:
- Disabling security & restarting Jenkins service.
- Downgrading the saml-plugin back to 1.1.7
- Re-adding the SAML auth info.
- Re-enabling matrix based security.
Let me know if I can provide more information or log data to help sort this out.
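
Added example, not part of the original report and not the plugin's or pac4j's code: the "Assertion must be explicitly signed" error in the log above is about where the signature sits in the SAML response, so this Python check reports whether the Response and each Assertion carry their own ds:Signature child. The function names and the sample document are constructed for illustration; the check is structural only and verifies no signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_layout(saml_response_b64):
    """Report which elements carry their own ds:Signature child.

    Input is the base64 SAMLResponse form field of the HTTP-POST binding.
    Structural check only: no signature is cryptographically verified.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response document")
    return {
        # find() with a bare child path matches direct children only, so a
        # signature nested inside an Assertion is not counted for the Response.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertions": [
            {"id": a.get("ID"), "signed": a.find("ds:Signature", NS) is not None}
            for a in root.findall("saml:Assertion", NS)
        ],
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }

def unsigned_assertions(layout):
    """IDs of plaintext assertions that have no signature of their own."""
    return [a["id"] for a in layout["assertions"] if not a["signed"]]

def sample_response(response_sig, assertion_sig):
    """Constructed, minimal Response; the Signature elements are empty stubs."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">'
        + (sig if response_sig else "")
        + '<saml:Assertion ID="_a1">' + (sig if assertion_sig else "")
        + "<saml:Subject/></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    layout = signature_layout(sample_response(response_sig=True, assertion_sig=False))
    print(layout, "unsigned:", unsigned_assertions(layout))
```

A response whose only signature is on the outer Response element shows up here with a non-empty `unsigned_assertions` list; a non-zero `encrypted_assertions` count means the assertion has to be decrypted before its signature can be inspected.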