JENKINS-19212

Crowd 2 plugin silently and confusingly assumes that everyone uses cookie SSO, wants to use SSO, and can use SSO


      Description

      Problem: we switched from OpenID auth to Crowd and set up the Crowd2 plugin properly; trying to log in on some hosts with proper credentials doesn't lead to the user being logged in, and there are no messages in the log.

      Analysis:
      Let's start by saying that Authentication REST API and Cookie SSO are two separate, orthogonal things. Also, you usually use only one of them, simply because one is enough. This is commonly known as the "Unix way" (though it has deeper roots in everyday life). Now you can use them together. But assuming that everyone wants that and silently forcing everyone to use them together is quite different from "can use". So, what do we have with Crowd2? To configure it, one needs to enter REST API credentials, so it's fair to assume that it uses the REST API, and the page https://wiki.jenkins-ci.org/display/JENKINS/Crowd+2+Plugin says: "Is Single-Sign-On (SSO) supported? Yes". So, again, "supported" is quite different from "silently forced with zero diagnostics in case of failure".

      So, how this was diagnosed: after looking at the plugin source, it was seen that there's a lot of logging, but at levels not enabled by default. After fiddling with Jenkins to somehow enable it, it became clear that after authentication and initial login by REST API using code, a user gets immediately logged out by CrowdServletFilter - when the cookie is not present, for example, if a host is in another domain than the Crowd server.

      So, what's needed by many users (as a few other similar bug reports show) is to disable this SSO cookie handling and stay with the predictable REST API, as well as to update the docs to warn users about issues when using SSO (especially if it stays on by default).
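
The failure described above, as an added example (not code from the Crowd 2 plugin or from this issue): a simplified Java model of a filter that logs out a REST-authenticated session when the SSO cookie is absent, next to the same decision with SSO switched off. The class, method and host names and the cookie domain are assumptions made for illustration, and the domain match is a reduced form of the RFC 6265 rule (no IP-address handling).

```java
import java.util.logging.Logger;

/** Simplified model of the behaviour described in this issue; hypothetical names, not the plugin's code. */
public class SsoFilterModel {
    private static final Logger LOG = Logger.getLogger(SsoFilterModel.class.getName());

    enum Decision { KEEP_SESSION, LOGOUT }

    /** Reduced RFC 6265 domain-match: would a browser send a cookie scoped to cookieDomain to this host? */
    static boolean browserSendsCookie(String cookieDomain, String host) {
        String d = cookieDomain.toLowerCase().replaceFirst("^\\.", "");
        String h = host.toLowerCase();
        return h.equals(d) || h.endsWith("." + d);
    }

    /**
     * Per-request decision for a session already authenticated through the REST API.
     * useSso=false models SSO being optional: the cookie is not consulted at all.
     */
    static Decision decide(boolean useSso, boolean ssoCookiePresent, String host) {
        if (!useSso || ssoCookiePresent) {
            return Decision.KEEP_SESSION;
        }
        // Logged at WARNING so the forced logout is visible at the default log level.
        LOG.warning("No SSO token cookie in request to " + host + "; invalidating session");
        return Decision.LOGOUT;
    }

    public static void main(String[] args) {
        String cookieDomain = ".corp.example";  // constructed: domain the SSO cookie is scoped to
        String[] hosts = { "jenkins.corp.example", "ci.other.example" };  // constructed Jenkins hosts
        for (String host : hosts) {
            boolean cookie = browserSendsCookie(cookieDomain, host);
            System.out.printf("%-22s cookie=%-5b forcedSso=%-12s ssoDisabled=%s%n",
                    host, cookie, decide(true, cookie, host), decide(false, cookie, host));
        }
    }
}
```

Only the host outside the cookie's domain is logged out when SSO is forced; with SSO disabled both hosts keep the session created by the REST login.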

            Activity

            integer Kanstantsin Shautsou added a comment -

            I'm testing, but I have no Crowd with SSO. Could you appear on #jenkins?

            ticker Eric TOURNIER added a comment - - edited

            I was facing the same problem (auto-logout): the use of the latest sources of the plugin (1.6-SNAPSHOT) without using SSO solves it.
            Now we are investigating why there is no SSO cookie.

            integer Kanstantsin Shautsou added a comment - - edited

            So you should look at JENKINS-17957.
            In 1.6-SNAPSHOT I added additional changes to make SSO optional. So I suppose it finally resolves this issue.
            I'll test and release the plugin after fixing an additional issue.
            The SSO cookie should exist only when SSO is enabled.

            integer Kanstantsin Shautsou added a comment -

            SSO functionality is now optional. Please try the new 1.6 version (remember/logout issues weren't touched).

            pfalcon Paul Sokolovsky added a comment -

            This issue was fixed.


              People

              Assignee:
              pfalcon Paul Sokolovsky
              Reporter:
              pfalcon Paul Sokolovsky