Issue
The SAML plugin suddenly fails to authenticate.
After enabling additional loggers as indicated in the documentation, one can see:
2019-12-19 09:04:57.524+0000 [id=9] SEVERE o.p.s.s.i.SAML2DefaultResponseValidator#validateSamlSSOResponse: Current assertion validation failed, continue with the next one
org.pac4j.saml.exceptions.SAMLException: Signature is not trusted
at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSignature(SAML2DefaultResponseValidator.java:689)
Environment
- CloudBees Core
- CloudBees Core on modern cloud platforms - Managed Master
- CloudBees Core on modern cloud platforms - Operations Center
- CloudBees Core on traditional platforms - Client Master
- CloudBees Core on traditional platforms - Operations Center
- CloudBees Jenkins Enterprise
- CloudBees Jenkins Enterprise - Managed Master
- CloudBees Jenkins Enterprise - Operations Center
- CloudBees Jenkins Platform - Client Master
- CloudBees Jenkins Platform - Operations Center
- CloudBees Jenkins Distribution
- Jenkins LTS
Resolution
The most likely cause for this issue is that the IDP metadata changed on the provider side.
The idea is to replace the metadata with the new one.
This can only be done from the filesystem as the UI is not accessible anymore (you cannot login).
- First, download fresh IDP metadata from your provider. Depending on your provider, the naming can differ.
Eg for Azure, you need to look for the Federation Metadata (url should look likehttps://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml). - Backup the existing IDP metadata file on Jenkins at
${JENKINS_HOME}/saml-idp-metadata.xml. - Replace the content of
${JENKINS_HOME}/saml-idp-metadata.xmlwith the content of the newly downloaded file from the provider. - Finally, restart your Jenkins instance.
Tested product/plugin versions
- Jenkins 2.190.2.2 with the SAML plugin from the envelope
0 Comments