Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Not A Defect
Description
Dear,
I am running a new Jenkins LTS installation for our test environment.
Jenkins version: Jenkins 2.361.3
SAML plugin: 2.333.vc81e525974a_c
After SAML configuration on the Jenkins application, I'm getting the following error when performing a "log in".
I'm getting properly authenticated to the Azure AD Enterprise Application, which redirects me to the following Jenkins page:
"You are now logged out of Jenkins, however this has not logged you out of SAML."
Following the Jenkins troubleshooting page, I've created a Jenkins log recorder that listens on:
    org.jenkinsci.plugins.saml (FINEST)
    org.pac4j (FINE)
The following log events are captured:

    Decoded SAML relay state of: https://test-jenkins.eurocontrol.int/securityRealm/finishLogin
    Nov 30, 2022 12:44:46 PM FINE org.pac4j.saml.transport.Pac4jHTTPPostDecoder doDecode
    Decoded SAML message
    Nov 30, 2022 12:44:46 PM SEVERE org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator validateSamlSSOResponse
    Current assertion validation failed, continue with the next one
    org.pac4j.saml.exceptions.SAMLSignatureValidationException: Signature is not trusted
        at org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator.validateSignature(AbstractSAML2ResponseValidator.java:147)
        at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validateAssertionSignature(SAML2AuthnResponseValidator.java:616)
        at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validateAssertion(SAML2AuthnResponseValidator.java:371)
        at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validateSamlSSOResponse(SAML2AuthnResponseValidator.java:293)
        at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validate(SAML2AuthnResponseValidator.java:140)
saml-idp-metadata.xml and saml-sp-metadata.xml are properly saved in the home folder of the Jenkins process.
What causes this specific issue? Why is the signature not trusted?
SAMLResponse XML:

    <samlp:Response ID="_86902651-34a7-4bc1-920f-38da425f9a85" Version="2.0" IssueInstant="2022-11-30T12:44:45.187Z" Destination="https://test-jenkins.eurocontrol.int/securityRealm/finishLogin" InResponseTo="_37e7070b9cdb49eb864d8ba5194ef22c59648bd" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/76f33c20-5979-4408-adf7-8b3c4be95e52/</Issuer>
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
      <Assertion ID="_e97545f3-c9a2-42bf-9e7e-2e3d8a0e1300" IssueInstant="2022-11-30T12:44:45.187Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>https://sts.windows.net/76f33c20-5979-4408-adf7-8b3c4be95e52/</Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
          <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <Reference URI="#_e97545f3-c9a2-42bf-9e7e-2e3d8a0e1300">
              <Transforms>
                <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </Transforms>
              <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
              <DigestValue>sOesF8BKnmHbOtdFXA5+F/LEa+dOn4yER4OageG5T+s=</DigestValue>
            </Reference>
          </SignedInfo>
          <SignatureValue>iERkn3MYTAt8SWCWdiWy4PWRDm/Ah2S8SBGqbgjjOBRMGW3OP2wNfUtssFYfFvyC9kQhfFMsLBhHfCrc0Lkt0zA2AyFDjS3bAyh1XH/wTo0TexxL3HFubpZJP0Vxgz8mLzHXbGFp+AH8RhP0XlBkeXnhQ3/b55/IdxRYVCTunOCMKvXBO1+z1ajzpV3/w50NRFZkNSnVCfiG3Q9p8AL4g8jI2XLewFnffkxGBkZCz6fyZu4eQK4hqcWE03qRJuTot5kBDn1r974LMBp1Qf29Gg5ALeh7KmVYqqxdBy+rUz/smnDhqfLtoKrSfyDQMqu4WZS2bftJB6OFJPc3nvq9+A==</SignatureValue>
          <KeyInfo><X509Data><X509Certificate>MIIC8DCCAdigAwIBAgIQcchco1n3NYRI4CyfDIGdATANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMjExMjkxMjM3NTdaFw0yNTExMjkxMjM3NTdaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsCk29tycQxdLdojDp96FQ7owRGPRet/FUEniYmqLq/2TVrNEjjUbeqCJaX5XGotIY28+IFAl3XfTje3cX9OCQP0uzpDyfiRogvIGOrydhZ10L0EM0e3935hmrTlcmD/ada8M/8c0dwrFeJ9QyAzWmPO1Uj5GevQvGPK/XG5MmUftVN3vaHNkz29KqiIxpjj0lB2KSXxrL7B3otXB6VdCXVDkh1RWy5XSoUScFP361P09leow4tdflanzmAfn4pebZWw7tkfB3yikZEBg9+WVjLY5AlKyQn1TUwjlem43760vU4lbclMVEHxphAx2skazDQBPM5y6yrpfvq2f2oxJAQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA39gBbspXUZraR5nWrRvos7EXGDRJOpuWuThy+ALW35kSoi9RnKSSpBaYR0jAk4MzWAc9kGdOfxClM3A9VQtPnOELxKoR+9vvINZ4w3ZcJ+8hyDHWBoiMuH/Xuo1PuDqg7Cz6Zg9J0SihiK1TRpXOhrypzxhz8be2JrMZLiZR8+RnRxXskr+EAfufPup7ctV7bvQ+PLXxfMf2L1eJ1Dv+uyWHYwwJNKihSn3ZlDZCFRCWll7MuQYmlYgNStL4liXQSDsBLvopN3u4/N0J9Jd08WS7fPjHDWM5jUEwYARMhDKSgvyfpa85XPlJKbK7RoJLOyguqT1iPx+CVL5J6EbfA</X509Certificate></X509Data></KeyInfo>
        </Signature>
        <Subject>
          <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jens.bruggeman.ext@eurocontrol.int</NameID>
          <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData InResponseTo="_37e7070b9cdb49eb864d8ba5194ef22c59648bd" NotOnOrAfter="2022-11-30T13:44:45.049Z" Recipient="https://test-jenkins.eurocontrol.int/securityRealm/finishLogin"/>
          </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2022-11-30T12:39:45.049Z" NotOnOrAfter="2022-11-30T13:44:45.049Z">
          <AudienceRestriction><Audience>https://test-jenkins.eurocontrol.int</Audience></AudienceRestriction>
        </Conditions>
        <AttributeStatement>
          <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><AttributeValue>76f33c20-5979-4408-adf7-8b3c4be95e52</AttributeValue></Attribute>
          <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>ef60c273-f429-4100-b826-3153929d104b</AttributeValue></Attribute>
          <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>BRUGGEMAN Jens (EXT)</AttributeValue></Attribute>
          <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"><AttributeValue>https://sts.windows.net/76f33c20-5979-4408-adf7-8b3c4be95e52/</AttributeValue></Attribute>
          <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AttributeValue></Attribute>
          <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"><AttributeValue>User</AttributeValue><AttributeValue>nm_common_admins</AttributeValue></Attribute>
          <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><AttributeValue>Jens (EXT)</AttributeValue></Attribute>
          <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><AttributeValue>BRUGGEMAN</AttributeValue></Attribute>
          <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>jens.bruggeman.ext@eurocontrol.int</AttributeValue></Attribute>
          <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>jens.bruggeman.ext@eurocontrol.int</AttributeValue></Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2022-11-30T12:44:44.698Z" SessionIndex="_e97545f3-c9a2-42bf-9e7e-2e3d8a0e1300">
          <AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext>
        </AuthnStatement>
      </Assertion>
    </samlp:Response>
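The report closes on the question of why pac4j reports "Signature is not trusted". pac4j validates assertion signatures against the signing keys published in the IdP metadata the plugin was configured with, so the first thing to verify is whether the certificate carried in the response's KeyInfo (the Azure AD federated SSO certificate above) is one of the signing certificates in saml-idp-metadata.xml. The script below is an added diagnostic written for this page, not code from the Jenkins SAML plugin or from pac4j. It uses only the Python 3 standard library, embeds the certificate from the response above, and constructs an abbreviated copy of that response (same element layout, with the signature inside the Assertion; SignatureValue and DigestValue omitted because they are not checked) plus a small IdP metadata document in the shape of an Azure AD federation metadata file, with the page's issuer as entityID and a clearly labelled placeholder standing in for an older key. It compares SHA-256 certificate fingerprints only and does not verify the XML signature itself.

```python
"""Added diagnostic: is the certificate that signed a SAMLResponse among the
signing certificates published in the IdP metadata the SP trusts?
Not part of the Jenkins SAML plugin or pac4j."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"


def cert_fingerprint(b64_text: str) -> str:
    """SHA-256 over the DER bytes of a base64 certificate; tolerates line breaks and missing padding."""
    compact = "".join(b64_text.split())
    compact += "=" * (-len(compact) % 4)
    return hashlib.sha256(base64.b64decode(compact)).hexdigest()


def response_signing_certs(response_xml: str) -> dict:
    """Fingerprints of KeyInfo certificates, keyed by where the ds:Signature sits."""
    root = ET.fromstring(response_xml)
    found = {"response": [], "assertion": []}
    for sig in root.findall(DS + "Signature"):  # signature over the whole Response
        found["response"] += [cert_fingerprint(c.text) for c in sig.iter(DS + "X509Certificate")]
    for assertion in root.findall(SAML + "Assertion"):
        for sig in assertion.findall(DS + "Signature"):  # signature over the Assertion only
            found["assertion"] += [cert_fingerprint(c.text) for c in sig.iter(DS + "X509Certificate")]
    return found


def metadata_signing_certs(metadata_xml: str) -> set:
    """Fingerprints of certificates the metadata declares usable for signing (use="signing" or no use)."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iter(MD + "KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue  # an encryption-only key never vouches for a signature
        fps.update(cert_fingerprint(c.text) for c in kd.iter(DS + "X509Certificate"))
    return fps


def check_trust(response_xml: str, metadata_xml: str) -> dict:
    """Report whether every certificate used to sign the response is a trusted signing certificate."""
    used_by_place = response_signing_certs(response_xml)
    used = {fp for fps in used_by_place.values() for fp in fps}
    trusted = metadata_signing_certs(metadata_xml)
    return {
        "signed_at": [place for place, fps in used_by_place.items() if fps],
        "trusted": bool(used) and used <= trusted,
        "untrusted_fingerprints": sorted(used - trusted),
    }


# Signing certificate copied from the SAMLResponse in the report, split for readability.
IDP_CERT_B64 = (
    "MIIC8DCCAdigAwIBAgIQcchco1n3NYRI4CyfDIGdATANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD"
    "EylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMjExMjkxMjM3NTda"
    "Fw0yNTExMjkxMjM3NTdaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NP"
    "IENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsCk29tycQxdLdojDp96F"
    "Q7owRGPRet/FUEniYmqLq/2TVrNEjjUbeqCJaX5XGotIY28+IFAl3XfTje3cX9OCQP0uzpDyfiRogvIG"
    "OrydhZ10L0EM0e3935hmrTlcmD/ada8M/8c0dwrFeJ9QyAzWmPO1Uj5GevQvGPK/XG5MmUftVN3vaHNk"
    "z29KqiIxpjj0lB2KSXxrL7B3otXB6VdCXVDkh1RWy5XSoUScFP361P09leow4tdflanzmAfn4pebZWw7"
    "tkfB3yikZEBg9+WVjLY5AlKyQn1TUwjlem43760vU4lbclMVEHxphAx2skazDQBPM5y6yrpfvq2f2oxJ"
    "AQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA39gBbspXUZraR5nWrRvos7EXGDRJOpuWuThy+ALW35kSo"
    "i9RnKSSpBaYR0jAk4MzWAc9kGdOfxClM3A9VQtPnOELxKoR+9vvINZ4w3ZcJ+8hyDHWBoiMuH/Xuo1Pu"
    "Dqg7Cz6Zg9J0SihiK1TRpXOhrypzxhz8be2JrMZLiZR8+RnRxXskr+EAfufPup7ctV7bvQ+PLXxfMf2L"
    "1eJ1Dv+uyWHYwwJNKihSn3ZlDZCFRCWll7MuQYmlYgNStL4liXQSDsBLvopN3u4/N0J9Jd08WS7fPjHD"
    "WM5jUEwYARMhDKSgvyfpa85XPlJKbK7RoJLOyguqT1iPx+CVL5J6EbfA"
)

# Constructed placeholder, not a real certificate: stands in for an older key in stale metadata.
STALE_CERT_B64 = base64.b64encode(b"constructed stale-certificate placeholder").decode()

# Abbreviated copy of the report's response: signature inside the Assertion, not on the Response.
SAMPLE_RESPONSE = f"""<samlp:Response ID="_86902651-34a7-4bc1-920f-38da425f9a85" Version="2.0"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/76f33c20-5979-4408-adf7-8b3c4be95e52/</Issuer>
  <Assertion ID="_e97545f3-c9a2-42bf-9e7e-2e3d8a0e1300" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>https://sts.windows.net/76f33c20-5979-4408-adf7-8b3c4be95e52/</Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <KeyInfo><X509Data><X509Certificate>{IDP_CERT_B64}</X509Certificate></X509Data></KeyInfo>
    </Signature>
  </Assertion>
</samlp:Response>"""


def metadata_with(signing_cert_b64: str, encryption_cert_b64: str = STALE_CERT_B64) -> str:
    """Constructed IdP metadata in the shape of an Azure AD federation metadata file."""
    return f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://sts.windows.net/76f33c20-5979-4408-adf7-8b3c4be95e52/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{signing_cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{encryption_cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


if __name__ == "__main__":
    print("current metadata:", check_trust(SAMPLE_RESPONSE, metadata_with(IDP_CERT_B64)))
    print("stale metadata:  ", check_trust(SAMPLE_RESPONSE, metadata_with(STALE_CERT_B64)))
```

To run it against the real artefacts, replace the two constructed strings with the contents of the posted SAMLResponse and of saml-idp-metadata.xml. A result of trusted=False that lists the response's fingerprint means the metadata file does not carry the key the IdP currently signs with, which is resolved by refreshing the IdP metadata at the service provider, never by relaxing signature validation. The signed_at entry also shows whether the signature sits on the Response or only on the Assertion, which determines which of the plugin's signing-related settings apply to this exchange.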