Jenkins issue JENKINS-65039

Login failures after upgrading saml-plugin from 1.1.7 to 2.0.0

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component: saml-plugin
    • Released As: saml-2.0.2

      Our setup was working fine using saml-plugin 1.1.7 to log in using JumpCloud-based accounts. Upon upgrading the plugin to 2.0.0 and restarting the Jenkins service, every attempt at login was met with:

      You are now logged out of Jenkins, however this has not logged you out of SAML.
      
      Have a nice day

      Tried:

      • Clearing browser cache
      • Using FF & Chrome
      • Using private browsing windows of each browser
      • Restarting the Jenkins service & server

      These were the only new SAML-related logs that showed up when trying to log in.

      2021-03-03 22:59:47.828+0000 [id=18]    SEVERE  o.p.s.s.i.SAML2AuthnResponseValidator#validateSamlSSOResponse: Current assertion validation failed, continue with the next one
      2021-03-03 22:59:47.837+0000 [id=17]    SEVERE  o.p.s.s.i.SAML2AuthnResponseValidator#validateSamlSSOResponse: Current assertion validation failed, continue with the next one
      2021-03-03 22:59:47.848+0000 [id=17]    WARNING o.j.p.saml.SamlSecurityRealm#doFinishLogin: Unable to validate the SAML Response: Assertion must be explicitly signed; nested exception is org.pac4j.saml.exceptions.SAMLSignatureRequiredException: Assertion must be explicitly signed
      2021-03-03 22:59:47.848+0000 [id=18]    WARNING o.j.p.saml.SamlSecurityRealm#doFinishLogin: Unable to validate the SAML Response: Assertion must be explicitly signed; nested exception is org.pac4j.saml.exceptions.SAMLSignatureRequiredException: Assertion must be explicitly signed
      2021-03-03 22:59:48.184+0000 [id=16]    INFO    o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Blacklisted Algorithms
      2021-03-03 22:59:48.185+0000 [id=16]    INFO    o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Signature Algorithms
      2021-03-03 22:59:48.185+0000 [id=16]    INFO    o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Signature Reference Digest Methods
      2021-03-03 22:59:48.185+0000 [id=16]    INFO    o.p.s.config.SAML2Configuration#initSignatureSigningConfiguration: Bootstrapped Canonicalization Algorithm
      

      We ended up:

      1. Disabling security & restarting the Jenkins service.
      2. Downgrading the saml-plugin back to 1.1.7.
      3. Re-adding the SAML auth info.
      4. Re-enabling matrix-based security.

      Let me know if I can provide more information or log data to help sort this out.

      Attachments:

      • config.xml (4 kB)
      • saml-ipd-metadata.xml (0.9 kB)
      • saml-sp-metadata.xml (2 kB)
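A small diagnostic, added here and not part of the saml-plugin or pac4j, that reports where the ds:Signature elements sit in a SAML 2.0 Response and then applies the rule named in the log line above ("Assertion must be explicitly signed"), so an operator can tell whether the IdP signs only the Response envelope or the Assertion itself before touching the plugin or IdP configuration. The two SAML messages are constructed skeletons for illustration, not the attached metadata; the field names in the report dict are my own.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_report(response_xml: str) -> dict:
    """Report which elements of a SAML 2.0 Response carry a ds:Signature.

    Only direct children are inspected: an XML signature covers the element it
    is a child of, so a Response-level signature does not sign the Assertion."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertions_signed": [a.find("ds:Signature", NS) is not None for a in assertions],
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }

def check_explicit_assertion_signature(response_xml: str) -> str:
    """Mimic the rule behind 'Assertion must be explicitly signed'."""
    r = signature_report(response_xml)
    if r["encrypted_assertions"]:
        return "undecided: EncryptedAssertion present, decrypt before checking"
    if not r["assertions_signed"]:
        return "FAIL: no saml:Assertion in Response"
    if all(r["assertions_signed"]):
        return "ok: every Assertion carries its own Signature"
    where = "only the Response is signed" if r["response_signed"] else "nothing is signed"
    return "FAIL: Assertion must be explicitly signed (%s)" % where

# Constructed skeletons (no real Issuer/Subject/Conditions or SignatureValue).
_DS = 'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"'
_SIG = "<ds:Signature %s><ds:SignatureValue>c29tZQ==</ds:SignatureValue></ds:Signature>" % _DS
_OPEN = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">')
# IdP signs the Response envelope but not the Assertion: the failure seen in the logs.
RESPONSE_ONLY_SIGNED = _OPEN + _SIG + '<saml:Assertion ID="_a1"/></samlp:Response>'
# IdP signs the Assertion itself: what the validator asks for.
ASSERTION_SIGNED = _OPEN + '<saml:Assertion ID="_a1">' + _SIG + "</saml:Assertion></samlp:Response>"

if __name__ == "__main__":
    for name, doc in [("response-only", RESPONSE_ONLY_SIGNED), ("assertion", ASSERTION_SIGNED)]:
        print(name, signature_report(doc), check_explicit_assertion_signature(doc))
```

Feed it the base64-decoded SAMLResponse from the browser's POST to /securityRealm/finishLogin to see which case your IdP produces; the script only checks where signatures are placed, not whether they verify.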


          Change history:

          Chad created the issue.
          Chad edited the description, adding "Restarting jenkins service & server" to the list of things tried.
          Chad added attachments: config.xml, saml-ipd-metadata.xml, saml-sp-metadata.xml.
          Ivan Fernandez Calvo linked two pull requests ("PR (Web Link)") to the issue.
          Matt Jamison commented: I'm seeing the same issue. I just tried the latest plugin version, but still see the same issue after the SAML login completes. In the logs I see "org.pac4j.saml.exceptions.SAMLSignatureRequiredException: Assertion must be explicitly signed", which leads me to believe previous versions didn't require the actual assertion within the SAML response to be signed, but now it is required? I'm working with my IT folks to enable signing of the assertion as well, but it'd be nice if this were an optional verification, if this is the issue.
          Ivan Fernandez Calvo changed Status: Open -> In Progress.
          Ivan Fernandez Calvo set Released As: saml-2.0.2, Resolution: Fixed, and changed Status: In Progress -> Resolved.
          Chad commented: I can confirm that the 2.0.2 version solved the original SAML issue that we reported. Thank you for fixing this so quickly!
          Chad changed Status: Resolved -> Closed.

            Assignee: Ivan Fernandez Calvo (ifernandezcalvo)
            Reporter: Chad (cvogelsong)
            Votes: 0
            Watchers: 6