JENKINS-66007

SAML profiles with empty groups prevent authorities from being tied to Jenkins users


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component: saml-plugin
    • Labels: None
    • Released As: saml-2.0.7

    Description

      In some situations where the SAML assertion response for a user profile returns empty groups, such as

      <ns2:Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
              <ns2:AttributeValue>group1</ns2:AttributeValue>
              <ns2:AttributeValue>group2</ns2:AttributeValue>
              <ns2:AttributeValue>group3</ns2:AttributeValue>
              <ns2:AttributeValue>group4</ns2:AttributeValue>
              <ns2:AttributeValue>group5</ns2:AttributeValue>
              <ns2:AttributeValue>group6</ns2:AttributeValue>
              <ns2:AttributeValue/>
              <ns2:AttributeValue/>
              <ns2:AttributeValue/>
              <ns2:AttributeValue/>
              <ns2:AttributeValue/>
              <ns2:AttributeValue>group7</ns2:AttributeValue>
      </ns2:Attribute>
      

      With Jenkins before 2.277 and saml plugin 1.1.5 this works, but with 2.277 or later and saml plugin 1.1.7 it breaks with a stack trace such as

      java.lang.IllegalArgumentException: A granted authority textual representation is required
      	at org.springframework.util.Assert.hasText(Assert.java:289)
      	at org.springframework.security.core.authority.SimpleGrantedAuthority.<init>(SimpleGrantedAuthority.java:39)
      	at jenkins.security.LastGrantedAuthoritiesProperty.getAuthorities2(LastGrantedAuthoritiesProperty.java:69)
      	at jenkins.security.LastGrantedAuthoritiesProperty.getAuthorities(LastGrantedAuthoritiesProperty.java:81)
      	at org.jenkinsci.plugins.saml.SamlUserDetailsService.loadUserByUsername(SamlUserDetailsService.java:61)
      	at org.jenkinsci.plugins.saml.SamlUserDetailsService.loadUserByUsername(SamlUserDetailsService.java:39)
      	at org.acegisecurity.userdetails.UserDetailsService.lambda$toSpring$1(UserDetailsService.java:52)
      

      I'm assuming the switch to Spring security has added validation for empty authorities.

      The saml plugin should detect such a configuration, filter out blank values and issue a warning so that the user can correct the SAML backend configuration.
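As an added example (not the reporter's code and not the fix that shipped in saml-2.0.7), the following stand-alone Python check parses a SAML AttributeStatement, lists the values of the Group attribute including the blank ones, reproduces the failure mode from the stack trace (a blank value rejected the way Spring's Assert.hasText rejects it in SimpleGrantedAuthority), and then applies the filter-and-warn behaviour the description asks for. The attribute statement, its namespace declaration and the extra `email` attribute are constructed for this example; the function names are hypothetical.

```python
import logging
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SPRING_ASSERT_MESSAGE = "A granted authority textual representation is required"

# Constructed sample (not a real IdP capture): an AttributeStatement shaped like the
# fragment in the report, with the namespace declaration added so it parses on its own.
SAMPLE_ATTRIBUTE_STATEMENT = """\
<ns2:AttributeStatement xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
  <ns2:Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>group1</ns2:AttributeValue>
    <ns2:AttributeValue>group2</ns2:AttributeValue>
    <ns2:AttributeValue/>
    <ns2:AttributeValue>   </ns2:AttributeValue>
    <ns2:AttributeValue>group3</ns2:AttributeValue>
  </ns2:Attribute>
  <ns2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>alice@example.org</ns2:AttributeValue>
  </ns2:Attribute>
</ns2:AttributeStatement>
"""

log = logging.getLogger("saml-group-check")


def extract_attribute_values(xml_text, attribute_name):
    """Return the text of every AttributeValue under the named Attribute, in document
    order. Empty elements come back as '' so the caller can see them."""
    root = ET.fromstring(xml_text)
    attr_tag = "{%s}Attribute" % SAML_ASSERTION_NS
    value_tag = "{%s}AttributeValue" % SAML_ASSERTION_NS
    values = []
    for attr in root.iter(attr_tag):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.findall(value_tag):
            values.append(value.text or "")
    return values


def build_authorities_strict(values):
    """Mirror of the failing path in the report: every value becomes an authority and a
    blank one is rejected, like Spring's Assert.hasText in SimpleGrantedAuthority."""
    authorities = []
    for v in values:
        if not v or not v.strip():
            raise ValueError(SPRING_ASSERT_MESSAGE)
        authorities.append(v)
    return authorities


def build_authorities_filtered(values, attribute_name="Group"):
    """The behaviour the report asks for: drop blank values, keep the rest (deduplicated,
    order preserved) and warn once so the IdP mapping can be fixed.
    Returns (authorities, blank_count)."""
    authorities = []
    blank = 0
    for v in values:
        name = v.strip()
        if not name:
            blank += 1
            continue
        if name not in authorities:
            authorities.append(name)
    if blank:
        log.warning("SAML attribute %r carried %d blank value(s); ignoring them. "
                    "Fix the attribute mapping on the IdP.", attribute_name, blank)
    return authorities, blank


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    raw = extract_attribute_values(SAMPLE_ATTRIBUTE_STATEMENT, "Group")
    print("raw values:", raw)
    try:
        build_authorities_strict(raw)
    except ValueError as e:
        print("strict:", e)
    print("filtered:", build_authorities_filtered(raw))
```

Run against a decoded SAMLResponse captured from the browser (for example with the SAML tracer extension) to see whether the IdP is emitting empty AttributeValue elements before blaming the plugin.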

          Activity

            ifernandezcalvo Ivan Fernandez Calvo added a comment - I'd say it is worth filing an issue on the IdP software that sends that SAMLResponse; it is wrong, it does not make sense to send empty values.

            People

              Assignee: vlatombe Vincent Latombe
              Reporter: vlatombe Vincent Latombe
              Votes: 0
              Watchers: 2