Issue
The SAML plugin suddenly fails to authenticate.
After enabling additional loggers as indicated in the documentation, one can see:
2019-12-19 09:04:57.524+0000 [id=9] SEVERE o.p.s.s.i.SAML2DefaultResponseValidator#validateSamlSSOResponse: Current assertion validation failed, continue with the next one
org.pac4j.saml.exceptions.SAMLException: Signature is not trusted
at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSignature(SAML2DefaultResponseValidator.java:689)
Environment
- CloudBees CI (CloudBees Core)
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed Master
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
- CloudBees CI (CloudBees Core) on traditional platforms - Client Master
- CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
- CloudBees Jenkins Enterprise
- CloudBees Jenkins Enterprise - Managed Master
- CloudBees Jenkins Enterprise - Operations Center
- CloudBees Jenkins Platform - Client Master
- CloudBees Jenkins Platform - Operations Center
- CloudBees Jenkins Distribution
- Jenkins LTS
Resolution
The most likely cause for this issue is that the IDP metadata changed on the provider side.
The idea is to replace the metadata with the new one.
This can only be done from the filesystem as the UI is not accessible anymore (you cannot login).
- First, download fresh IDP metadata from your provider. Depending on your provider, the naming can differ.
Eg for Azure, you need to look for the Federation Metadata (url should look likehttps://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml). - Backup the existing IDP metadata file on Jenkins at
${JENKINS_HOME}/saml-idp-metadata.xml. - Replace the content of
${JENKINS_HOME}/saml-idp-metadata.xmlwith the content of the newly downloaded file from the provider. - Finally, restart your Jenkins instance.
Tested product/plugin versions
- Jenkins 2.190.2.2 with the SAML plugin from the envelope
0 Comments