
SAML Group Attribute in Jenkins for Project-Based Matrix Authorization is not working as expected

      I'm currently working on integrating SAML 2.0 authentication with Jenkins, and I've encountered a challenge regarding the parsing of group attributes received in the SAML response. Here's a detailed overview of the situation and the specific problem I'm facing.

      Setup:

      • Successfully implemented SAML 2.0 authentication in Jenkins.
      • Upon authentication, user attributes such as first name, last name, email, and groups are retrieved from the SAML response.
      • The group attribute is formatted as a single string where multiple groups are concatenated and separated by " ^ ", like this "CN=Adgroup1,ou=groups,dc=example,dc=net^CN=Adgroup2,ou=groups,dc=example,dc=net^CN=Adgroup3,ou=groups,dc=example,dc=net"

      Issue Description:

      • I'm using the Project-Based Matrix Authorization Strategy in Jenkins to control access to specific jobs based on users' group memberships.
      • However, Jenkins is treating the entire group string as a single group during authorization checks.
      • The desired behavior is for Jenkins to parse and recognize individual groups (e.g., adgroup1, adgroup2, adgroup3) from the group attribute string.

      Constraints and Considerations:

      • Changes cannot be made to the SAML response format as it complies with standards and is managed by the Identity Provider (IDP).
      • The SAML response structure for the group attribute is as follows:

      <ns2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
          <ns2:AttributeValue>CN=Adgroup1,ou=groups,dc=example,dc=net^CN=Adgroup2,ou=groups,dc=example,dc=net^CN=Adgroup3,ou=groups,dc=example,dc=net</ns2:AttributeValue>
      </ns2:Attribute>

      How can I configure Jenkins or modify the Project-Based Matrix Authorization Strategy to correctly parse and distinguish individual groups from the SAML group attribute string? I need a solution that accommodates the CN, ou, and dc details present in the group attribute format without modifying the SAML response itself. Any insights, suggestions, or specific configurations would be greatly appreciated. Thank you!

          [JENKINS-73009] SAML Group Attribute in Jenkins for Project-Based Matrix Authorization is not working as expected

          Ivan Fernandez Calvo added a comment -

          • The group attribute is formatted as a single string where multiple groups are concatenated and separated by " ^ ", like this "CN=Adgroup1,ou=groups,dc=example,dc=net^CN=Adgroup2,ou=groups,dc=example,dc=net^CN=Adgroup3,ou=groups,dc=example,dc=net"

          This is not standard. The groups field in SAML has its own field in the SAML response; it is a list of groups. Any other implementation is not standard and is not supported. There is no intention of implementing weird behaviors.

          Nikhil added a comment -

          Hi ifernandezcalvo, is there any way to handle this at the Jenkins end, like parsing the SAML group attribute response in Jenkins? Can we do that? Can you please help?

          Ivan Fernandez Calvo added a comment - edited

          No, I rejected the idea a long time ago. The reason is that every company that does not send groups as it should could implement any kind of pattern in that group. It is not standard, and we will end up with a mess of code to manage 20 ways to send nonstandard groups with 20 ways to fail. So, I am not interested in supporting a nonstandard way to pass groups, and I will not maintain (accept) any code that makes that stuff. 

          There is no reason not to configure your IdP to use the standard way to send groups.

          Nikhil added a comment -

          Hi Ivan Fernandez Calvo, can you please provide a standard sample of the SAML AD groups response, showing how it should arrive at Jenkins so that Jenkins can identify the groups individually and we can use them in the Project-Based Matrix Authorization Strategy for authorization purposes? We can then ask the IDP team to send the response accordingly, please.

          Ivan Fernandez Calvo added a comment -

          The list of groups is inside a <saml:Attribute>, and each group is in its own <saml:AttributeValue>:

                  <!-- Authorization Groups: one AttributeValue per group -->
                  <ns2:AttributeStatement>
                      <ns2:Attribute Name="groups">
                          <ns2:AttributeValue>groupOne</ns2:AttributeValue>
                          <ns2:AttributeValue>groupTwo</ns2:AttributeValue>
                          <ns2:AttributeValue>groupThree</ns2:AttributeValue>
                      </ns2:Attribute>
                  </ns2:AttributeStatement>

          https://en.wikipedia.org/wiki/SAML_2.0

          https://github.com/jenkinsci/saml-plugin/blob/main/doc/TROUBLESHOOTING.md#samlresponse

          https://groups.oasis-open.org/higherlogic/ws/public/download/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf

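The contrast between the two response shapes discussed in this thread, as an added example that is not part of the issue or the Jenkins SAML plugin's own code: a minimal reader that, like any standard-conforming consumer, takes one group per <AttributeValue>, run over a constructed standard response and a constructed copy of the concatenated form from the report. Both XML samples are constructed here, and the saml: prefix is assumed to map to the SAML 2.0 assertion namespace.

```python
import xml.etree.ElementTree as ET
from typing import List

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the standard form, one <AttributeValue> per group.
STANDARD = f"""
<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="groups">
    <saml:AttributeValue>groupOne</saml:AttributeValue>
    <saml:AttributeValue>groupTwo</saml:AttributeValue>
    <saml:AttributeValue>groupThree</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed sample: the non-standard form from the report, every group
# packed into a single value with "^" as the separator.
NONSTANDARD = f"""
<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="Groups">
    <saml:AttributeValue>CN=Adgroup1,ou=groups,dc=example,dc=net^CN=Adgroup2,ou=groups,dc=example,dc=net</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def groups_from_statement(xml: str, attr_name: str) -> List[str]:
    """Return one group per <AttributeValue> under the named attribute.

    No splitting of a value's text is done: that is what the SAML profile
    specifies and what a conforming consumer expects to receive."""
    root = ET.fromstring(xml)
    groups: List[str] = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != attr_name:
            continue
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return groups


def is_member(granted_groups: List[str], group: str) -> bool:
    """Matrix-style authorization compares whole group names; a name that is
    only a substring of one concatenated value never matches."""
    return group in granted_groups
```

With the standard response the three groups come back as separate entries; with the concatenated response the whole string is one "group", so a permission granted to `CN=Adgroup2,ou=groups,dc=example,dc=net` never applies.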

            ifernandezcalvo Ivan Fernandez Calvo
            nikhil_raj Nikhil