  1. Jenkins
  2. JENKINS-66007

SAML profiles with empty groups are preventing authorities to be tied to Jenkins users

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: saml-plugin
    • Labels:
      None
    • Released As:
      saml-2.0.7

      Description

      In some situations, the SAML assertion response for a user profile returns empty groups, such as

      <ns2:Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
              <ns2:AttributeValue>group1</ns2:AttributeValue>
              <ns2:AttributeValue>group2</ns2:AttributeValue>
              <ns2:AttributeValue>group3</ns2:AttributeValue>
              <ns2:AttributeValue>group4</ns2:AttributeValue>
              <ns2:AttributeValue>group5</ns2:AttributeValue>
              <ns2:AttributeValue>group6</ns2:AttributeValue>
              <ns2:AttributeValue/>
              <ns2:AttributeValue/>
              <ns2:AttributeValue/>
              <ns2:AttributeValue/>
              <ns2:AttributeValue/>
              <ns2:AttributeValue>group7</ns2:AttributeValue>
      </ns2:Attribute>
      

      With Jenkins before 2.277 and saml plugin 1.1.5, this works, but with 2.277 or later and saml plugin 1.1.7, it breaks with a stacktrace such as

      java.lang.IllegalArgumentException: A granted authority textual representation is required
      	at org.springframework.util.Assert.hasText(Assert.java:289)
      	at org.springframework.security.core.authority.SimpleGrantedAuthority.<init>(SimpleGrantedAuthority.java:39)
      	at jenkins.security.LastGrantedAuthoritiesProperty.getAuthorities2(LastGrantedAuthoritiesProperty.java:69)
      	at jenkins.security.LastGrantedAuthoritiesProperty.getAuthorities(LastGrantedAuthoritiesProperty.java:81)
      	at org.jenkinsci.plugins.saml.SamlUserDetailsService.loadUserByUsername(SamlUserDetailsService.java:61)
      	at org.jenkinsci.plugins.saml.SamlUserDetailsService.loadUserByUsername(SamlUserDetailsService.java:39)
      	at org.acegisecurity.userdetails.UserDetailsService.lambda$toSpring$1(UserDetailsService.java:52)
      

      I'm assuming the switch to Spring security has added validation for empty authorities.

      The saml plugin should detect such configuration, filter out blank values and issue a warning so that the user can correct the saml backend configuration.
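
One way to do the filtering the report asks for, as an added example that is not code from the saml plugin or from the fix released in saml-2.0.7. The class name, method name, `username` parameter and warning text are assumptions, and the sample XML is constructed from the attribute shown in the report:

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class BlankGroupFilter {  // hypothetical class, for illustration only
    private static final Logger LOG = Logger.getLogger(BlankGroupFilter.class.getName());
    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Constructed sample: empty and whitespace-only values between real groups.
    static final String SAMPLE =
        "<ns2:Attribute xmlns:ns2=\"" + SAML_NS + "\" Name=\"Group\">"
      + "<ns2:AttributeValue>group1</ns2:AttributeValue>"
      + "<ns2:AttributeValue/>"
      + "<ns2:AttributeValue>  </ns2:AttributeValue>"
      + "<ns2:AttributeValue>group7</ns2:AttributeValue>"
      + "</ns2:Attribute>";

    /** Returns only the non-blank group names and warns once if any were dropped. */
    static List<String> nonBlankGroups(String username, String attributeXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so the parser never resolves external entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(attributeXml.getBytes(StandardCharsets.UTF_8)));
        NodeList values = doc.getElementsByTagNameNS(SAML_NS, "AttributeValue");
        List<String> groups = new ArrayList<>();
        int dropped = 0;
        for (int i = 0; i < values.getLength(); i++) {
            String text = values.item(i).getTextContent();
            if (text == null || text.trim().isEmpty()) {
                dropped++;  // a blank value here is what later fails the hasText check
            } else {
                groups.add(text.trim());
            }
        }
        if (dropped > 0) {
            LOG.warning("SAML profile for '" + username + "' contains " + dropped
                + " blank group value(s); ignoring them. Check the IdP attribute mapping.");
        }
        return groups;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(nonBlankGroups("alice", SAMPLE));
    }
}
```

Filtering at the point where the assertion is read means no blank string is ever stored as a user's group, so the authority list built at login contains only valid entries.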

            Activity

            vlatombe Vincent Latombe created issue -
            vlatombe Vincent Latombe made changes -
            Field Original Value New Value
            Assignee Ivan Fernandez Calvo [ ifernandezcalvo ] Vincent Latombe [ vlatombe ]
            vlatombe Vincent Latombe made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            vlatombe Vincent Latombe made changes -
            Status In Progress [ 3 ] In Review [ 10005 ]
            vlatombe Vincent Latombe made changes -
            Remote Link This issue links to "saml #109 (Web Link)" [ 26801 ]
            ifernandezcalvo Ivan Fernandez Calvo made changes -
            Released As saml-2.0.7
            Resolution Fixed [ 1 ]
            Status In Review [ 10005 ] Resolved [ 5 ]

              People

              Assignee:
              vlatombe Vincent Latombe
              Reporter:
              vlatombe Vincent Latombe