
When using OpenID in SSO mode it should be possible to send a user-specific OpenID URL

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Major
    • Component: openid-plugin

      When using OpenID in SSO mode it should be possible to send a user-specific OpenID URL (instead of a fixed URL from the configuration settings the user could be requested to provide one when logging in).

      We want to use 'OpenID SSO' with a 'Provider URL' directing to our internal OpenID server (based on Crowd). This OpenID provider does not support one OpenID URL for all users.
      At the moment it is only possible to associate one user-specific OpenID URL in the configuration. But with this configuration only this user can log in to Jenkins via OpenID. Other users get an error from the OpenID server:
      "A request has been made to authenticate an OpenID identifier, different from the one you are logged in as. To use a different OpenID, log out and log in as a different user."

          [JENKINS-9035] When using OpenID in SSO mode it should be possible to send a user-specific OpenID URL

          Kohsuke Kawaguchi added a comment:

          When you say "based on Crowd" is it Crowd or is it not?

          The plugin attempts to first treat the given URL as an OpenID and tries to find an endpoint. Failing that it assumes that the URL given is an endpoint itself.

          Maybe Crowd advertises a different endpoint URL for each user account? If so, maybe you'd just have to specify the proper OpenID endpoint URL that's not tied to a particular user?

          Horst Hermanns added a comment:

          Yes, it is Crowd's OpenID authentication server, and in this configuration it does not support one OpenID URL for all users.

          I tried to configure the 'OP Endpoint URL' like 'https://<URL-Host>/crowd/services/SecurityServer'
          or 'https://<URL-Host>/crowdopenid/server.openid'. This doesn't work because Jenkins tries to discover this URL:

          Log:
          Mar 10, 2011 11:21:28 AM org.openid4java.discovery.Discovery discover
          INFO: Starting discovery on URL identifier: https://<URL-Host>/crowd/services/SecurityServer
          Mar 10, 2011 11:21:28 AM org.openid4java.discovery.yadis.YadisResolver discover
          INFO: Yadis discovered 0 endpoints from: https://<URL-Host>/crowd/services/SecurityServer
          Mar 10, 2011 11:21:28 AM org.openid4java.discovery.Discovery discover
          INFO: No OpenID service endpoints discovered through Yadis; attempting HTML discovery...
          Mar 10, 2011 11:21:28 AM org.openid4java.util.HttpCache get
          INFO: Returning cached GET response for https://<URL-Host>/crowd/services/SecurityServer
          Mar 10, 2011 11:21:28 AM org.openid4java.discovery.html.HtmlResolver discoverHtml
          INFO: HTML discovery completed on: https://<URL-Host>/crowd/services/SecurityServer
          Mar 10, 2011 11:21:28 AM org.openid4java.discovery.Discovery discover
          INFO: Discovered 0 OpenID endpoints.
          Mar 10, 2011 11:21:28 AM org.openid4java.consumer.ConsumerManager associate
          SEVERE: Association attempt, but no discovey endpoints provided.
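
          Added example (not part of the issue thread or the plugin's code): a Python sketch that parses an excerpt of the openid4java log posted above and reduces it to a discovery verdict, which helps when checking whether a configured URL is discoverable at all. The function names and the summary fields are assumptions made for illustration.

```python
import re

# Excerpt of the log posted above (java.util.logging: header line, then "LEVEL: message").
LOG = """\
Mar 10, 2011 11:21:28 AM org.openid4java.discovery.Discovery discover
INFO: Starting discovery on URL identifier: https://<URL-Host>/crowd/services/SecurityServer
Mar 10, 2011 11:21:28 AM org.openid4java.discovery.yadis.YadisResolver discover
INFO: Yadis discovered 0 endpoints from: https://<URL-Host>/crowd/services/SecurityServer
Mar 10, 2011 11:21:28 AM org.openid4java.discovery.Discovery discover
INFO: No OpenID service endpoints discovered through Yadis; attempting HTML discovery...
Mar 10, 2011 11:21:28 AM org.openid4java.discovery.Discovery discover
INFO: Discovered 0 OpenID endpoints.
Mar 10, 2011 11:21:28 AM org.openid4java.consumer.ConsumerManager associate
SEVERE: Association attempt, but no discovey endpoints provided.
"""

HEADER = re.compile(r"^\w{3} \d{1,2}, \d{4} [\d:]+ [AP]M (\S+) (\S+)$")
RECORD = re.compile(r"^(SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): (.*)$")

def parse_records(text):
    """Pair each header line with its message line: (class, method, level, message)."""
    records, pending = [], None
    for line in map(str.strip, text.splitlines()):
        if h := HEADER.match(line):
            pending = h.groups()
        elif (m := RECORD.match(line)) and pending:
            records.append(pending + m.groups())
            pending = None
    return records

def summarize(records):
    """Reduce one discovery attempt to the facts needed for troubleshooting."""
    s = {"identifier": None, "yadis": None, "html_tried": False,
         "endpoints": None, "association_failed": False}
    for cls, _method, level, msg in records:
        if m := re.match(r"Starting discovery on URL identifier: (\S+)", msg):
            s["identifier"] = m.group(1)
        elif m := re.match(r"Yadis discovered (\d+) endpoints", msg):
            s["yadis"] = int(m.group(1))
        elif "attempting HTML discovery" in msg:
            s["html_tried"] = True
        elif m := re.match(r"Discovered (\d+) OpenID endpoints", msg):
            s["endpoints"] = int(m.group(1))
        elif level == "SEVERE" and cls.endswith("ConsumerManager"):
            s["association_failed"] = True
    s["discoverable"] = bool(s["endpoints"])  # 0 endpoints: neither Yadis nor HTML discovery succeeded
    return s

if __name__ == "__main__":
    print(summarize(parse_records(LOG)))
```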

            kohsuke Kohsuke Kawaguchi
            h_hermanns Horst Hermanns