Search

AdvancedBasic
Order by
  1. New Feature
    JENKINS-73778Need session timeout integrated with mini orange saml plugin
  2. New Feature
    JENKINS-73291Maximum refresh token lifetime in AzureAD is not 14 days
  3. Bug
    JENKINS-73009SAML Group Attribute in Jenkins for Project-Based Matrix Authorization is not working as expected
  4. Bug
    JENKINS-72946Possible thread leak from saml plugin
  5. Bug
    JENKINS-69840Maximum Authentication Lifetime: Login -> Logout loop
  6. Bug
    JENKINS-65093Getting "java.lang.String cannot be cast to java.util.List" after upgrading to saml-plugin 2.0.0
  7. Bug
    JENKINS-63376Casc plugin racing condition configuring a proxy
  8. Bug
    JENKINS-63345Jenkins SAML SLO fails due to CSRF
  9. Story
    JENKINS-62762Cannot login to jenkins after installing SAML plug-in
  10. Bug
    JENKINS-58809CLI and API call do not work with SAML Realm
  11. Improvement
    JENKINS-54446support bitbucket non saml url
  12. Improvement
    JENKINS-54247Add to TROUBLESHOOTING how to backup/restore current keys
  13. Bug
    JENKINS-52201Connection to Identity Provider fails because ID not sent
  14. Bug
    JENKINS-50749SAMLException: No valid subject assertion found in response (Azure)
  15. Bug
    JENKINS-50367SAMLException: Identity provider has no single sign on service available for the selected
  16. Bug
    JENKINS-50016Contents of saml-sp-metadata.xml changes whenever jenkins service is restarted locking users out
  17. Bug
    JENKINS-49148Upgrade from 2.89.2 to 2.89.3 and received SAML errors during boot up.
  18. Bug
    JENKINS-48031SAML plugin does not accept xml tag in Idp metadata (azure)
  19. Bug
    JENKINS-48030SAML Azure AD exception
Refresh results
1 of 18
Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-73009

SAML Group Attribute in Jenkins for Project-Based Matrix Authorization is not working as expected

      I'm currently working on integrating SAML 2.0 authentication with Jenkins, and I've encountered a challenge regarding the parsing of group attributes received in the SAML response. Here's a detailed overview of the situation and the specific problem I'm facing.

      Setup:

      • Successfully implemented SAML 2.0 authentication in Jenkins.
      • Upon authentication, user attributes such as first name, last name, email, and groups are retrieved from the SAML response.
      • The group attribute is formatted as a single string where multiple groups are concatenated and separated by " ^ ", like this "CN=Adgroup1,ou=groups,dc=example,dc=net^CN=Adgroup2,ou=groups,dc=example,dc=net^CN=Adgroup3,ou=groups,dc=example,dc=net"

      Issue Description:

      • I'm using the Project-Based Matrix Authorization Strategy in Jenkins to control access to specific jobs based on users' group memberships.
      • However, Jenkins is treating the entire group string as a single group during authorization checks.
      • The desired behavior is for Jenkins to parse and recognize individual groups (e.g., adgroup1, adgroup2, adgroup3) from the group attribute string.

      Constraints and Considerations:

      • Changes cannot be made to the SAML response format as it complies with standards and is managed by the Identity Provider (IDP).
      • The SAML response structure for the group attribute is as follows:

      <ns2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> ns2:AttributeValueCN=Adgroup1,ou=groups,dc=example,dc=net^CN=Adgroup2,ou=groups,dc=example,dc=net^CN=Adgroup3,ou=groups,dc=example,dc=net</ns2:AttributeValue> </ns2:Attribute>

      How can I configure Jenkins or modify the Project-Based Matrix Authorization Strategy to correctly parse and distinguish individual groups from the SAML group attribute string? I need a solution that accommodates the CN, ou, and dc details present in the group attribute format without modifying the SAML response itself. Any insights, suggestions, or specific configurations would be greatly appreciated. Thank you!

          Ivan Fernandez Calvo added a comment -
          • The group attribute is formatted as a single string where multiple groups are concatenated and separated by " ^ ", like this "CN=Adgroup1,ou=groups,dc=example,dc=net^CN=Adgroup2,ou=groups,dc=example,dc=net^CN=Adgroup3,ou=groups,dc=example,dc=net"

          This is not standard. The groups field in SAML has its own field in the SAML response; it is a list of groups. Any other implementation is not standard and is not supported. There is no intention of implementing weird behaviors.

          Ivan Fernandez Calvo added a comment - The group attribute is formatted as a single string where multiple groups are concatenated and separated by " ^ ", like this "CN=Adgroup1,ou=groups,dc=example,dc=net^CN=Adgroup2,ou=groups,dc=example,dc=net^CN=Adgroup3,ou=groups,dc=example,dc=net" This is not standard. The groups field in SAML has its own field in the SAML response; it is a list of groups. Any other implementation is not standard and is not supported. There is no intention of implementing weird behaviors.

          Nikhil added a comment -

          Hi ifernandezcalvo , is there any way to handle this at jenkins end, like parsing the saml group attribute response in jenkins. can we do that? can you please help

          Nikhil added a comment - Hi ifernandezcalvo , is there any way to handle this at jenkins end, like parsing the saml group attribute response in jenkins. can we do that? can you please help

          Ivan Fernandez Calvo added a comment - - edited

          No, I rejected the idea a long time ago. The reason is that every company that does not send groups as it should could implement any kind of pattern in that group. It is not standard, and we will end up with a mess of code to manage 20 ways to send nonstandard groups with 20 ways to fail. So, I am not interested in supporting a nonstandard way to pass groups, and I will not maintain (accept) any code that makes that stuff. 

          There is no reason to not configure your IdP to use the standard way to send groups.

          Ivan Fernandez Calvo added a comment - - edited No, I rejected the idea a long time ago. The reason is that every company that does not send groups as it should could implement any kind of pattern in that group. It is not standard, and we will end up with a mess of code to manage 20 ways to send nonstandard groups with 20 ways to fail. So, I am not interested in supporting a nonstandard way to pass groups, and I will not maintain (accept) any code that makes that stuff.  There is no reason to not configure your IdP to use the standard way to send groups.

          Nikhil added a comment -

          Hi Ivan Fernandez Calvo, can you please provide the standard sample SAML AD groups responses, how it should come to jenkins, so that jenkins will be able to identify them as individually groups and we can use them in project-based matrix authorization strategy for authorization purpose, we can ask IDP team to send the response accordingly please

          Nikhil added a comment - Hi Ivan Fernandez Calvo, can you please provide the standard sample SAML AD groups responses, how it should come to jenkins, so that jenkins will be able to identify them as individually groups and we can use them in project-based matrix authorization strategy for authorization purpose, we can ask IDP team to send the response accordingly please

          Ivan Fernandez Calvo added a comment -

          The list of Groups are inside a <saml:Attribute>  and each group is in a <saml:AttributeValue>

                  <!-- Authorization Groups -->
        <ns2:AttributeStatement>
            <ns2:Attribute name="groups">
                <ns2:AttributeValue>groupOne</ns2:AttributeValue>
                <ns2:AttributeValue>groupTwo</ns2:AttributeValue>
                <ns2:AttributeValue>groupThree</ns2:AttributeValue>                       
            </ns2:Attribute>
        </ns2:AttributeStatement>

          https://en.wikipedia.org/wiki/SAML_2.0

          https://github.com/jenkinsci/saml-plugin/blob/main/doc/TROUBLESHOOTING.md#samlresponse

          https://groups.oasis-open.org/higherlogic/ws/public/download/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf

          Ivan Fernandez Calvo added a comment - The list of Groups are inside a <saml:Attribute>  and each group is in a <saml:AttributeValue> <!-- Authorization Groups --> <ns2:AttributeStatement> <ns2:Attribute name= "groups" > <ns2:AttributeValue>groupOne</ns2:AttributeValue> <ns2:AttributeValue>groupTwo</ns2:AttributeValue> <ns2:AttributeValue>groupThree</ns2:AttributeValue> </ns2:Attribute> </ns2:AttributeStatement> https://en.wikipedia.org/wiki/SAML_2.0 https://github.com/jenkinsci/saml-plugin/blob/main/doc/TROUBLESHOOTING.md#samlresponse https://groups.oasis-open.org/higherlogic/ws/public/download/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf

            ifernandezcalvo Ivan Fernandez Calvo
            nikhil_raj Nikhil
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: