Jenkins issue tracker: JENKINS-66007

SAML profiles with empty groups are preventing authorities to be tied to Jenkins users


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: saml-plugin
    • Labels: None
    • Released As: saml-2.0.7

      Description

      In some situations, the SAML assertion response for a user profile returns empty groups, such as

      <ns2:Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
              <ns2:AttributeValue>group1</ns2:AttributeValue>
              <ns2:AttributeValue>group2</ns2:AttributeValue>
              <ns2:AttributeValue>group3</ns2:AttributeValue>
              <ns2:AttributeValue>group4</ns2:AttributeValue>
              <ns2:AttributeValue>group5</ns2:AttributeValue>
              <ns2:AttributeValue>group6</ns2:AttributeValue>
              <ns2:AttributeValue/>
              <ns2:AttributeValue/>
              <ns2:AttributeValue/>
              <ns2:AttributeValue/>
              <ns2:AttributeValue/>
              <ns2:AttributeValue>group7</ns2:AttributeValue>
      </ns2:Attribute>
      

      With Jenkins before 2.277 and saml plugin 1.1.5 this works, but with Jenkins 2.277 or later and saml plugin 1.1.7 it breaks with a stack trace such as

      java.lang.IllegalArgumentException: A granted authority textual representation is required
      	at org.springframework.util.Assert.hasText(Assert.java:289)
      	at org.springframework.security.core.authority.SimpleGrantedAuthority.<init>(SimpleGrantedAuthority.java:39)
      	at jenkins.security.LastGrantedAuthoritiesProperty.getAuthorities2(LastGrantedAuthoritiesProperty.java:69)
      	at jenkins.security.LastGrantedAuthoritiesProperty.getAuthorities(LastGrantedAuthoritiesProperty.java:81)
      	at org.jenkinsci.plugins.saml.SamlUserDetailsService.loadUserByUsername(SamlUserDetailsService.java:61)
      	at org.jenkinsci.plugins.saml.SamlUserDetailsService.loadUserByUsername(SamlUserDetailsService.java:39)
      	at org.acegisecurity.userdetails.UserDetailsService.lambda$toSpring$1(UserDetailsService.java:52)
      

      I'm assuming the switch to Spring Security has added validation for empty authorities.

      The saml plugin should detect such a configuration, filter out the blank values and issue a warning so that the user can correct the SAML backend configuration.
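An added example (not saml-plugin code, which is Java) of the filtering the description asks for: parse a Group attribute like the one above, drop blank values, count them so a warning can be raised, and return only usable group names. The sample fragment and the helper `extract_groups` are constructed for this example; it assumes the `ns2` prefix is bound to the SAML 2.0 assertion namespace, which the snippet in the issue omits.

```python
"""Drop blank SAML group values before they become granted authorities."""
import logging
import xml.etree.ElementTree as ET

log = logging.getLogger("saml-groups")

# SAML 2.0 assertion namespace (the issue's snippet binds it to prefix ns2).
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample modelled on the fragment in the issue: real group names
# interleaved with empty and whitespace-only <AttributeValue/> elements.
SAMPLE_ATTRIBUTE = f"""
<ns2:Attribute xmlns:ns2="{SAML_NS}" Name="Group"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <ns2:AttributeValue>group1</ns2:AttributeValue>
  <ns2:AttributeValue>group2</ns2:AttributeValue>
  <ns2:AttributeValue/>
  <ns2:AttributeValue>   </ns2:AttributeValue>
  <ns2:AttributeValue/>
  <ns2:AttributeValue>group7</ns2:AttributeValue>
</ns2:Attribute>
"""


def extract_groups(attribute_xml: str, group_attr: str = "Group"):
    """Return (authorities, blank_count) for the named multi-valued attribute.

    Blank values are counted and skipped instead of being turned into
    authorities, which is what made SimpleGrantedAuthority throw above.
    """
    root = ET.fromstring(attribute_xml)
    if root.tag != f"{{{SAML_NS}}}Attribute" or root.get("Name") != group_attr:
        return [], 0
    authorities, blank = [], 0
    for value in root.findall(f"{{{SAML_NS}}}AttributeValue"):
        text = (value.text or "").strip()
        if not text:
            blank += 1
        elif text not in authorities:  # keep IdP order, drop duplicates
            authorities.append(text)
    if blank:
        # Surface the misconfiguration so the IdP attribute mapping gets fixed.
        log.warning("SAML attribute %r carried %d blank value(s); ignored. "
                    "Check the IdP's group attribute mapping.", group_attr, blank)
    return authorities, blank


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(extract_groups(SAMPLE_ATTRIBUTE))  # (['group1', 'group2', 'group7'], 3)
```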


      Activity

      • Vincent Latombe (vlatombe) created the issue.
      • Vincent Latombe changed Assignee from Ivan Fernandez Calvo (ifernandezcalvo) to Vincent Latombe (vlatombe).
      • Vincent Latombe changed Status from Open to In Progress.
      • Vincent Latombe changed Status from In Progress to In Review.
      • Vincent Latombe added a remote link: this issue links to "saml #109 (Web Link)".
      Ivan Fernandez Calvo (ifernandezcalvo) added a comment:

      I'd say it is worth filing an issue on the IdP software that sends that SAMLResponse; it is wrong, it does not make sense to send empty values.

      • Ivan Fernandez Calvo set Released As to saml-2.0.7, Resolution to Fixed, and changed Status from In Review to Resolved.

      People

      • Assignee: Vincent Latombe (vlatombe)
      • Reporter: Vincent Latombe (vlatombe)
      • Votes: 0
      • Watchers: 2
