JENKINS-65039 (project: Jenkins)

Login failures after upgrading saml-plugin from 1.1.7 to 2.0.0

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Component/s: saml-plugin
    • Released As:
      saml-2.0.2

      Description

      Our setup was working fine using saml-plugin 1.1.7 to log in using JumpCloud-based accounts. Upon upgrading the plugin to 2.0.0 and restarting the Jenkins service, every attempt at login was met with:

      You are now logged out of Jenkins, however this has not logged you out of SAML.
      
      Have a nice day

      Tried:

      • Clearing browser cache
      • Using FF & Chrome
      • Using private browsing windows of each browser
      • Restarting Jenkins service & server

      These were the only new SAML-related logs that showed up when trying to log in.

      2021-03-03 22:59:47.828+0000 [id=18]    SEVERE  o.p.s.s.i.SAML2AuthnResponseValidator#validateSamlSSOResponse: Current assertion validation failed, continue with the next one
      2021-03-03 22:59:47.837+0000 [id=17]    SEVERE  o.p.s.s.i.SAML2AuthnResponseValidator#validateSamlSSOResponse: Current assertion validation failed, continue with the next one
      2021-03-03 22:59:47.848+0000 [id=17]    WARNING o.j.p.saml.SamlSecurityRealm#doFinishLogin: Unable to validate the SAML Response: Assertion must be explicitly signed; nested exception is org.pac4j.saml.exceptions.SAMLSignatureRequiredException: Assertion must be explicitly signed
      2021-03-03 22:59:47.848+0000 [id=18]    WARNING o.j.p.saml.SamlSecurityRealm#doFinishLogin: Unable to validate the SAML Response: Assertion must be explicitly signed; nested exception is org.pac4j.saml.exceptions.SAMLSignatureRequiredException: Assertion must be explicitly signed
      2021-03-03 22:59:48.184+0000 [id=16]    INFO    o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Blacklisted Algorithms
      2021-03-03 22:59:48.185+0000 [id=16]    INFO    o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Signature Algorithms
      2021-03-03 22:59:48.185+0000 [id=16]    INFO    o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Signature Reference Digest Methods
      2021-03-03 22:59:48.185+0000 [id=16]    INFO    o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Canonicalization Algorithm
      

      We ended up:

      1. Disabling security & restarting Jenkins service.
      2. Downgrading the saml-plugin back to 1.1.7
      3. Re-adding the SAML auth info.
      4. Re-enabling matrix-based security.

      Let me know if I can provide more information or log data to help sort this out.

        Attachments

        1. config.xml
          4 kB
        2. saml-ipd-metadata.xml
          0.9 kB
        3. saml-sp-metadata.xml
          2 kB
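
The `SAMLSignatureRequiredException: Assertion must be explicitly signed` warning in the log above is about where the XML signature sits in the IdP's response. As an added example (not part of the original report and not the plugin's code), this script reports whether a decoded SAML Response carries a `ds:Signature` directly on the `Response`, on each `Assertion`, or both; it only locates signatures and does not verify them. The function names and the sample XML are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def decode_post_binding(saml_response_b64):
    """Decode the base64 SAMLResponse form field (HTTP-POST binding)."""
    return base64.b64decode(saml_response_b64)

def signature_placement(response_xml):
    """Report where ds:Signature elements sit. This does NOT verify them."""
    data = response_xml.encode() if isinstance(response_xml, str) else response_xml
    if b"<!DOCTYPE" in data:  # SAML messages never need a DTD; refuse entity tricks
        raise ValueError("DOCTYPE not allowed in a SAML message")
    root = ET.fromstring(data)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response document")
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        # Only a Signature that is a direct child of the Assertion counts here.
        "assertions": [
            {"id": a.get("ID"), "signed": a.find("ds:Signature", NS) is not None}
            for a in root.findall("saml:Assertion", NS)
        ],
        # Encrypted assertions cannot be inspected without the SP's private key.
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }

def sample_response(sign_response, sign_assertion):
    """Constructed sample; the empty Signature element is a placeholder."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"]
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1">%s'
        '<saml:Assertion ID="_a1">%s<saml:Subject/></saml:Assertion>'
        '</samlp:Response>'
    ) % (NS["samlp"], NS["saml"],
         sig if sign_response else "", sig if sign_assertion else "")

if __name__ == "__main__":
    for flags in ((True, False), (False, True), (True, True)):
        encoded = base64.b64encode(sample_response(*flags).encode())
        print(flags, signature_placement(decode_post_binding(encoded)))
```

A result with `response_signed` true and every assertion unsigned is the shape that matches the wording of the exception; the IdP's signing options decide which element gets signed.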

            Activity

            ifernandezcalvo Ivan Fernandez Calvo added a comment -

            >I had the same issue with Idaptive, I moved from manual metadata configuration on IdP to /securityRealm/metadata and it started working then.

            I will add a reference to this in the troubleshooting; many times it is worth checking.

            ifernandezcalvo Ivan Fernandez Calvo added a comment -

            If you can test the latest incremental of the plugin, that would be nice: https://repo.jenkins-ci.org/incrementals/org/jenkins-ci/plugins/saml/2.0.2-rc226.bb8b1dab3fa3/saml-2.0.2-rc226.bb8b1dab3fa3.hpi

            gtom Garrick added a comment -

            I ran into this same issue and tested with the 2.02 incremental build and successfully SSO'd

            mattjamison Matt Jamison added a comment -

            The 2.0.2 version resolved this issue for me as well.  Thanks!

            cvogelsong Chad added a comment -

            I can confirm that the 2.0.2 version solved the original SAML issue that we reported.  Thank you for fixing this so quickly!


              People

              Assignee:
              ifernandezcalvo Ivan Fernandez Calvo
              Reporter:
              cvogelsong Chad