
[JENKINS-65039] Login failures after upgrading saml-plugin from 1.1.7 to 2.0.0

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component: saml-plugin
    • Fix version: saml-2.0.2

      Our setup was working fine using saml-plugin 1.1.7 to login using JumpCloud based accounts.  Upon upgrading the plugin to 2.0.0 and restarting the jenkins service, every attempt at login was met with:

      You are now logged out of Jenkins, however this has not logged you out of SAML.
      
      Have a nice day

      Tried:

      • Clearing browser cache
      • Using FF & Chrome
      • Using private browsing windows of each browser
      • Restarting jenkins service & server


      These were the only new SAML-related logs that showed up when trying to log in.

      2021-03-03 22:59:47.828+0000 [id=18]    SEVERE  o.p.s.s.i.SAML2AuthnResponseValidator#validateSamlSSOResponse: Current assertion validation failed, continue with the next one
      2021-03-03 22:59:47.837+0000 [id=17]    SEVERE  o.p.s.s.i.SAML2AuthnResponseValidator#validateSamlSSOResponse: Current assertion validation failed, continue with the next one
      2021-03-03 22:59:47.848+0000 [id=17]    WARNING o.j.p.saml.SamlSecurityRealm#doFinishLogin: Unable to validate the SAML Response: Assertion must be explicitly signed; nested exception is org.pac4j.saml.exceptions.SAMLSignatureRequiredException: Assertion must be explicitly signed
      2021-03-03 22:59:47.848+0000 [id=18]    WARNING o.j.p.saml.SamlSecurityRealm#doFinishLogin: Unable to validate the SAML Response: Assertion must be explicitly signed; nested exception is org.pac4j.saml.exceptions.SAMLSignatureRequiredException: Assertion must be explicitly signed
      2021-03-03 22:59:48.184+0000 [id=16]    INFO    o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Blacklisted Algorithms
      2021-03-03 22:59:48.185+0000 [id=16]    INFO    o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Signature Algorithms
      2021-03-03 22:59:48.185+0000 [id=16]    INFO    o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Signature Reference Digest Methods
      2021-03-03 22:59:48.185+0000 [id=16]    INFO    o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Canonicalization Algorithm

      We ended up:

      1. Disabling security & restarting Jenkins service.
      2. Downgrading the saml-plugin back to 1.1.7
      3. Re-adding the SAML auth info.
      4. Re-enabling matrix based security.


      Let me know if I can provide more information or log data to help sort this out.

      Attachments:

        1. config.xml (4 kB)
        2. saml-ipd-metadata.xml (0.9 kB)
        3. saml-sp-metadata.xml (2 kB)


          Ivan Fernandez Calvo added a comment -

          I think it is related to the response signature, but I need more info. Could you attach JENKINS_HOME/saml-ipd-metadata.xml and JENKINS_HOME/saml-sp-metadata.xml? Also the SAML configuration block of JENKINS_HOME/config.xml. You will have to replace the key in the saml-*-metadata files with something, as well as DNS names, IPs, and other sensitive info.

          Nick added a comment -

          I had the same issue with Idaptive. I moved from manual metadata configuration on the IdP to /securityRealm/metadata and it started working then.

          Chad added a comment -

          ifernandezcalvo - Thank you for your response. I have attached the files you have requested, sanitized for keys, company and site data. Please let me know if you need anything else.


          Ivan Fernandez Calvo added a comment -

          I think it is related to this message:

          2021-03-03 22:59:47.848+0000 [id=18]    WARNING o.j.p.saml.SamlSecurityRealm#doFinishLogin: Unable to validate the SAML Response: Assertion must be explicitly signed; nested exception is org.pac4j.saml.exceptions.SAMLSignatureRequiredException: Assertion must be explicitly signed

          The plugin forces requesting signed assertions and it is not possible to disable it. I have made a PR to allow disabling this signed-assertion request, and now it is disabled by default.
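          The following is an added diagnostic example; it is not code from the saml-plugin, from pac4j, or from anyone in this thread. It ties together the two observations made so far: the SP metadata Jenkins serves at /securityRealm/metadata advertises whether the SP wants assertions signed (which is what an IdP picks up when it is configured from that metadata, as in Nick's comment), and the validator rejects the login when the IdP's response does not meet that demand (the "Assertion must be explicitly signed" warning above). The script reads both documents and reports whether the Response and each Assertion carry their own ds:Signature, distinguishing a signed Response from a signed Assertion, since only the latter satisfies the check. Everything in it is constructed: the SP entityID, the IdP URL, the user name and the ds:Signature stubs are placeholders, and it checks only for the presence of signatures, never their cryptographic validity.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the metadata and protocol documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata in the shape an SP publishes (Jenkins serves its own at
# /securityRealm/metadata). The entityID and Location are placeholders.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://jenkins.example.invalid/securityRealm/finishLogin">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://jenkins.example.invalid/securityRealm/finishLogin"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Placeholder enveloped signature: only its presence matters to this check.
SIG_STUB = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')


def make_response(sign_response: bool, sign_assertion: bool) -> str:
    """Build a constructed, already base64-decoded SAML Response with the chosen signatures."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  {SIG_STUB if sign_response else ''}
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    {SIG_STUB if sign_assertion else ''}
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def sp_wants_signed_assertions(sp_metadata_xml: str) -> bool:
    """Read WantAssertionsSigned from the SPSSODescriptor (the spec default is false)."""
    sp = ET.fromstring(sp_metadata_xml).find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in SP metadata")
    return sp.get("WantAssertionsSigned", "false").strip().lower() == "true"


def signature_report(response_xml: str) -> dict:
    """Report which parts of a decoded SAML Response carry a ds:Signature child."""
    root = ET.fromstring(response_xml)
    # find() inspects direct children only, which is where an enveloped signature
    # lives: a signature on the Response does not make the Assertion signed.
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertions_signed": [a.find("ds:Signature", NS) is not None
                              for a in root.findall("saml:Assertion", NS)],
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }


def diagnose(sp_metadata_xml: str, response_xml: str) -> dict:
    """Combine the SP's policy and the IdP's response into a verdict on the login."""
    wants = sp_wants_signed_assertions(sp_metadata_xml)
    report = signature_report(response_xml)
    unsigned = [i for i, s in enumerate(report["assertions_signed"]) if not s]
    if report["encrypted_assertions"]:
        verdict = "undetermined: EncryptedAssertion present, decrypt before checking"
    elif wants and unsigned:
        verdict = ("login will fail: SP metadata sets WantAssertionsSigned=true but "
                   f"assertion(s) {unsigned} carry no signature")
    elif not report["response_signed"] and not any(report["assertions_signed"]):
        verdict = "login will fail: neither the Response nor any Assertion is signed"
    elif wants:
        verdict = "ok: every assertion is explicitly signed"
    else:
        verdict = "ok: SP does not require signed assertions"
    return {"wants_assertions_signed": wants, **report, "verdict": verdict}


if __name__ == "__main__":
    # Scenario from this issue: the IdP signs the Response but not the Assertion.
    print(diagnose(SP_METADATA, make_response(True, False))["verdict"])
    # After the IdP honours the SP metadata and signs the Assertion as well.
    print(diagnose(SP_METADATA, make_response(True, True))["verdict"])
```

          To use it against a real deployment, replace SP_METADATA with the document downloaded from /securityRealm/metadata and pass the base64-decoded SAMLResponse captured from the browser's POST to finishLogin in place of make_response(). A "login will fail" verdict with a signed Response and an unsigned Assertion is the combination this issue describes; the remedy is either an IdP configured from the SP metadata so that it signs assertions, or an SP that does not require them, which is what the fix for this issue makes the default.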

          Ivan Fernandez Calvo added a comment -

          > I had the same issue with Idaptive, I moved from manual metadata configuration on idP to /securityRealm/metadata and it started working then.

          I will add a reference to this in the troubleshooting; many times it is worth checking.

          Ivan Fernandez Calvo added a comment -

          If you could test the latest incremental of the plugin, that would be nice: https://repo.jenkins-ci.org/incrementals/org/jenkins-ci/plugins/saml/2.0.2-rc226.bb8b1dab3fa3/saml-2.0.2-rc226.bb8b1dab3fa3.hpi

          Garrick added a comment -

          I ran into this same issue and tested with the 2.02 incremental build and successfully SSO'd.

          Matt Jamison added a comment -

          The 2.0.2 version resolved this issue for me as well.  Thanks!


          Chad added a comment -

          I can confirm that the 2.0.2 version solved the original SAML issue that we reported.  Thank you for fixing this so quickly!


            Assignee: Ivan Fernandez Calvo (ifernandezcalvo)
            Reporter: Chad (cvogelsong)
            Votes: 0
            Watchers: 6