JENKINS-65039: Login failures after upgrading saml-plugin from 1.1.7 to 2.0.0

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component: saml-plugin
    • Released as: saml-2.0.2

      Our setup was working fine using saml-plugin 1.1.7 to log in using JumpCloud-based accounts. Upon upgrading the plugin to 2.0.0 and restarting the Jenkins service, every attempt at login was met with:

      You are now logged out of Jenkins, however this has not logged you out of SAML.
      
      Have a nice day

      Tried:

      • Clearing browser cache
      • Using FF & Chrome
      • Using private browsing windows of each browser
      • Restarting jenkins service & server


      These were the only new SAML related logs that showed up when trying to login.

      2021-03-03 22:59:47.828+0000 [id=18]    SEVERE  o.p.s.s.i.SAML2AuthnResponseValidator#validateSamlSSOResponse: Current assertion validation failed, continue with the next one
      2021-03-03 22:59:47.837+0000 [id=17]    SEVERE  o.p.s.s.i.SAML2AuthnResponseValidator#validateSamlSSOResponse: Current assertion validation failed, continue with the next one
      2021-03-03 22:59:47.848+0000 [id=17]    WARNING o.j.p.saml.SamlSecurityRealm#doFinishLogin: Unable to validate the SAML Response: Assertion must be explicitly signed; nested exception is org.pac4j.saml.exceptions.SAMLSignatureRequiredException: Assertion must be explicitly signed
      2021-03-03 22:59:47.848+0000 [id=18]    WARNING o.j.p.saml.SamlSecurityRealm#doFinishLogin: Unable to validate the SAML Response: Assertion must be explicitly signed; nested exception is org.pac4j.saml.exceptions.SAMLSignatureRequiredException: Assertion must be explicitly signed
      2021-03-03 22:59:48.184+0000 [id=16]    INFO    o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Blacklisted Algorithms
      2021-03-03 22:59:48.185+0000 [id=16]    INFO    o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Signature Algorithms
      2021-03-03 22:59:48.185+0000 [id=16]    INFO    o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Signature Reference Digest Methods
      2021-03-03 22:59:48.185+0000 [id=16]    INFO    o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Canonicalization Algorithm
      

      We ended up:

      1. Disabling security & restarting Jenkins service.
      2. Downgrading the saml-plugin back to 1.1.7
      3. Re-adding the SAML auth info.
      4. Re-enabling matrix based security.


      Let me know if I can provide more information or log data to help sort this out.

        1. config.xml
          4 kB
        2. saml-ipd-metadata.xml
          0.9 kB
        3. saml-sp-metadata.xml
          2 kB


          Chad created issue -
          Ivan Fernandez Calvo added a comment -

          I think it is related to the response signature, but I need more info. Could you attach JENKINS_HOME/saml-ipd-metadata.xml and JENKINS_HOME/saml-sp-metadata.xml? Also the SAML configuration block in JENKINS_HOME/config.xml. You will have to replace the key in the saml-*-metadata with something, as well as DNS names, IPs, and other sensitive info.

          Nick added a comment -

          I had the same issue with Idaptive. I moved from manual metadata configuration on the IdP to /securityRealm/metadata and it started working then.


          Chad added a comment -

          ifernandezcalvo - Thank you for your response. I have attached the files you have requested, sanitized for keys, company and site data. Please let me know if you need anything else.

          Ivan Fernandez Calvo made changes -
          Remote Link New: This issue links to "PR (Web Link)" [ 26558 ]

          Ivan Fernandez Calvo added a comment -

          I think it is related to this message:

          2021-03-03 22:59:47.848+0000 [id=18]    WARNING o.j.p.saml.SamlSecurityRealm#doFinishLogin: Unable to validate the SAML Response: Assertion must be explicitly signed; nested exception is org.pac4j.saml.exceptions.SAMLSignatureRequiredException: Assertion must be explicitly signed

          The plugin forces requesting signed assertions and it is not possible to disable it. I have made a PR to allow disabling this signed-assertions request, and now it is disabled by default.
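A structural pre-check for the failure mode described in the comment above (an added example, not part of this issue or of the saml-plugin code): it reads WantAssertionsSigned from the SP metadata and reports whether the ds:Signature sits on the Response envelope, on each Assertion, or on neither. The metadata and response below are constructed samples, not the attached files, and the check only locates signatures; it does not verify them.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata (not the attached saml-sp-metadata.xml): the SP demands signed assertions.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://jenkins.example/securityRealm/finishLogin">
  <md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Constructed IdP response: the Response envelope carries a signature, the Assertion inside does not.
RESPONSE_ONLY_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example</saml:Issuer></saml:Assertion>
</samlp:Response>"""


def sp_wants_signed_assertions(metadata_xml):
    """WantAssertionsSigned on the SPSSODescriptor; the SAML metadata default is false."""
    sp = ET.fromstring(metadata_xml).find(".//md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    return sp.get("WantAssertionsSigned", "false").lower() == "true"


def signature_locations(response_xml):
    """Return (response_signed, [assertion_signed, ...]) from direct ds:Signature children.
    Structural only: the signature value is never checked; EncryptedAssertion is not inspected."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    response_signed = root.find("ds:Signature", NS) is not None
    assertions_signed = [a.find("ds:Signature", NS) is not None
                         for a in root.findall("saml:Assertion", NS)]
    return response_signed, assertions_signed


def diagnose(metadata_xml, response_xml):
    """Classify the combination the way a strict SP (saml-plugin 2.0.0 / pac4j) reacts to it."""
    wants = sp_wants_signed_assertions(metadata_xml)
    response_signed, assertions_signed = signature_locations(response_xml)
    if not response_signed and not any(assertions_signed):
        return "nothing-signed"
    if wants and not all(assertions_signed):
        # Signed envelope but unsigned assertion: the "Assertion must be explicitly signed" case.
        return "assertion-signature-missing"
    return "ok"
```

Running diagnose(SP_METADATA, RESPONSE_ONLY_SIGNED) returns "assertion-signature-missing"; the fix is either to have the IdP sign the assertion or, with the PR mentioned above, to stop requiring assertion signatures on the SP side.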

          Ivan Fernandez Calvo added a comment -

          > I had the same issue with Idaptive. I moved from manual metadata configuration on the IdP to /securityRealm/metadata and it started working then.

          I will add a reference to this in the troubleshooting; many times it is worth checking.
          Ivan Fernandez Calvo made changes -
          Remote Link New: This issue links to "PR (Web Link)" [ 26559 ]

            Assignee: Ivan Fernandez Calvo (ifernandezcalvo)
            Reporter: Chad (cvogelsong)