Improvement
Resolution: Fixed
Minor
None
saml-2.0.7
In some situations the SAML assertion response for the user profile returns empty groups, such as:
<ns2:Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>group1</ns2:AttributeValue>
    <ns2:AttributeValue>group2</ns2:AttributeValue>
    <ns2:AttributeValue>group3</ns2:AttributeValue>
    <ns2:AttributeValue>group4</ns2:AttributeValue>
    <ns2:AttributeValue>group5</ns2:AttributeValue>
    <ns2:AttributeValue>group6</ns2:AttributeValue>
    <ns2:AttributeValue/>
    <ns2:AttributeValue/>
    <ns2:AttributeValue/>
    <ns2:AttributeValue/>
    <ns2:AttributeValue/>
    <ns2:AttributeValue>group7</ns2:AttributeValue>
</ns2:Attribute>
With Jenkins before 2.277 and saml plugin 1.1.5, this works, but with 2.277 or later and saml plugin 1.1.7, it breaks with a stacktrace such as
java.lang.IllegalArgumentException: A granted authority textual representation is required
    at org.springframework.util.Assert.hasText(Assert.java:289)
    at org.springframework.security.core.authority.SimpleGrantedAuthority.<init>(SimpleGrantedAuthority.java:39)
    at jenkins.security.LastGrantedAuthoritiesProperty.getAuthorities2(LastGrantedAuthoritiesProperty.java:69)
    at jenkins.security.LastGrantedAuthoritiesProperty.getAuthorities(LastGrantedAuthoritiesProperty.java:81)
    at org.jenkinsci.plugins.saml.SamlUserDetailsService.loadUserByUsername(SamlUserDetailsService.java:61)
    at org.jenkinsci.plugins.saml.SamlUserDetailsService.loadUserByUsername(SamlUserDetailsService.java:39)
    at org.acegisecurity.userdetails.UserDetailsService.lambda$toSpring$1(UserDetailsService.java:52)
I'm assuming the switch to Spring security has added validation for empty authorities.
The saml plugin should detect such configuration, filter out blank values and issue a warning so that the user can correct the saml backend configuration.
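The filtering requested above could look like the following. This is an added example, not code from the saml plugin: the class and method names are hypothetical, and the sample group list is constructed from the assertion quoted in the report.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Logger;

// Hypothetical helper illustrating the requested behaviour; not the plugin's code.
public class SamlGroupFilter {
    private static final Logger LOG = Logger.getLogger(SamlGroupFilter.class.getName());

    /**
     * Returns only the group names that can safely become granted authorities.
     * Null, empty and whitespace-only values are dropped, because
     * SimpleGrantedAuthority rejects them (Assert.hasText in the stack trace).
     * Group names are otherwise left untouched so authorization rules still match.
     */
    static List<String> filterBlankGroups(String username, List<String> rawGroups) {
        List<String> groups = new ArrayList<>();
        int dropped = 0;
        if (rawGroups != null) {
            for (String g : rawGroups) {
                // allMatch is true for "" as well, so empty strings are caught here too
                if (g == null || g.chars().allMatch(Character::isWhitespace)) {
                    dropped++;
                } else {
                    groups.add(g);
                }
            }
        }
        if (dropped > 0) {
            // One warning per login, so the admin can fix the IdP attribute mapping
            LOG.warning("SAML response for user '" + username + "' contained " + dropped
                    + " blank group value(s); they were ignored. Check the IdP group attribute.");
        }
        return groups;
    }

    public static void main(String[] args) {
        // Constructed input: six groups, five empty AttributeValue elements, one more group
        List<String> raw = Arrays.asList("group1", "group2", "group3", "group4", "group5",
                "group6", "", "", "", "", "", "group7");
        List<String> groups = filterBlankGroups("alice", raw);
        System.out.println(groups); // seven group names, no blanks
    }
}
```

Dropping blank values can only remove authorities, never add them, so the filter does not widen what a user is allowed to do.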