Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-66007

SAML profiles with empty groups are preventing authorities to be tied to Jenkins users

    XMLWordPrintable

Details

    • Improvement
    • Resolution: Fixed
    • Minor
    • saml-plugin
    • None
    • saml-2.0.7

    Description

      In some situation where the SAML assertion response for user profile returns empty groups such as

      <ns2:Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
              <ns2:AttributeValue>group1</ns2:AttributeValue>
              <ns2:AttributeValue>group2</ns2:AttributeValue>
              <ns2:AttributeValue>group3</ns2:AttributeValue>
              <ns2:AttributeValue>group4</ns2:AttributeValue>
              <ns2:AttributeValue>group5</ns2:AttributeValue>
              <ns2:AttributeValue>group6</ns2:AttributeValue>
              <ns2:AttributeValue/>
              <ns2:AttributeValue/>
              <ns2:AttributeValue/>
              <ns2:AttributeValue/>
              <ns2:AttributeValue/>
              <ns2:AttributeValue>group7</ns2:AttributeValue>
      </ns2:Attribute>
      

      With Jenkins before 2.277 and saml plugin 1.1.5, this works, but with 2.277 or later and saml plugin 1.1.7, it breaks with a stacktrace such as

      java.lang.IllegalArgumentException: A granted authority textual representation is required
      	at org.springframework.util.Assert.hasText(Assert.java:289)
      	at org.springframework.security.core.authority.SimpleGrantedAuthority.<init>(SimpleGrantedAuthority.java:39)
      	at jenkins.security.LastGrantedAuthoritiesProperty.getAuthorities2(LastGrantedAuthoritiesProperty.java:69)
      	at jenkins.security.LastGrantedAuthoritiesProperty.getAuthorities(LastGrantedAuthoritiesProperty.java:81)
      	at org.jenkinsci.plugins.saml.SamlUserDetailsService.loadUserByUsername(SamlUserDetailsService.java:61)
      	at org.jenkinsci.plugins.saml.SamlUserDetailsService.loadUserByUsername(SamlUserDetailsService.java:39)
      	at org.acegisecurity.userdetails.UserDetailsService.lambda$toSpring$1(UserDetailsService.java:52)
      

      I'm assuming the switch to Spring security has added validation for empty authorities.

      The saml plugin should detect such configuration, filter out blank values and issue a warning so that the user can correct the saml backend configuration.

      Attachments

        Issue Links

          Activity

            People

              vlatombe Vincent Latombe
              vlatombe Vincent Latombe
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: