After upgrading CloudBees Core to 18.104.22.168, users cannot log in to masters configured with Operations Center SSO. Although Operations Center is accessible, Masters are connected to Operations Center and shown as Online.
The browser fails with a Too many redirects issue, being redirected in a loop to $MASTER_URL/securityRealm/commenceLogin?from=$MASTER_ENCODED_PATH and the Master Jenkins logs show:
The strict checking of configured Root URL is enabled, but the requested Root URL (<URL derived from the request>) is different from the configured Root URL (<URL configured in global configuration>). Enforcing the usage of the configured URL by redirecting to it.
The Master’s UI shows an error when performing login at
This master Root URL is empty, but is required by Operations Center Single Sign On. Log in with a local user in $MASTER_URL/login or temporarily disable this security restriction in Operations Center. More information in https://cloudbees.com/r/single-sign-on.
- CloudBees CI (CloudBees Core) 22.214.171.124 and later
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed Master 126.96.36.199 and later
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center 188.8.131.52 and later
- CloudBees CI (CloudBees Core) on traditional platforms - Client Master 184.108.40.206 and later
- CloudBees CI (CloudBees Core) on traditional platforms - Operations Center 220.127.116.11 and later
- CloudBees Jenkins Platform - Client Master 18.104.22.168 and later
- CloudBees Jenkins Platform - Operations Center 22.214.171.124 and later
- Operations Center Context Plugin 126.96.36.199 and later
- Operations Center Single Sign-On Plugin 188.8.131.52 and later
- CTR-1483: Open Redirect vulnerability in Authentication Mechanism in SSO:
Only Connected Masters that are configured with Operations Center SSO (Single Sign On) and that are running version 184.108.40.206 or later might be impacted.
The 220.127.116.11 release of CloudBees Core contains a security fix for an Open Redirect vulnerability in Authentication Mechanism in SSO. This fix introduces a strict check on the Master URL. This is documented at Using Single Sign On (SSO).
The Master URL from the requester should match the Master URL configured globally in Jenkins:
- The configured Jenkins Root URL is the URL configured at Manage Jenkins > Configure Jenkins > Jenkins Location > Jenkins URL.
- The URL from the requester is derived from the request information such as
If those URLs do not match, the check fails and Operations Center SSO cannot be satisfied.
This issue is due to a misconfiguration of the Jenkins Master URL, a misconfiguration of the reverse proxy / load balancer that serves it, or both:
- Make sure the Jenkins URL is properly configured in the Master’s global configuration under Manage Jenkins > Configure Jenkins > Jenkins Location > Jenkins URL.
- Make sure the reverse proxy(ies) used in front of Jenkins is(are) properly setting the X-Forwarded headers. See Reverse Proxy troubleshooting guide.
If Jenkins is available at https://core.example.com/master-1 to the users:
- The Jenkins Global URL must be configured to
- The X-Forwarded headers should be set accordingly:
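As an added illustration (not code from the article or from CloudBees), the following Python models the strict Root URL check described above: the URL derived from the request, with X-Forwarded-* headers taking precedence over what the master's socket saw, is compared against the configured Root URL. The host names, header values and context path are constructed for the example, and the derivation is a simplified model of the plugin's behaviour, not its actual code.

```python
from urllib.parse import urlsplit

# Constructed example: the Root URL configured under Jenkins Location > Jenkins URL.
CONFIGURED_ROOT_URL = "https://core.example.com/master-1"

# Constructed headers as a TLS-terminating proxy might pass them to the master.
# Misconfigured: the proxy forwards the public host but not the original scheme.
MISCONFIGURED_PROXY_HEADERS = {"Host": "master-1.svc:8080",
                               "X-Forwarded-Host": "core.example.com"}
# Corrected: scheme and port of the original request are forwarded as well.
CORRECTED_PROXY_HEADERS = {"Host": "master-1.svc:8080",
                           "X-Forwarded-Host": "core.example.com",
                           "X-Forwarded-Proto": "https",
                           "X-Forwarded-Port": "443"}

def derive_root_url(socket_scheme, context_path, headers):
    """Derive the root URL from request data, letting X-Forwarded-* headers
    override what the master's own socket saw. Simplified model of the check
    the article describes (assumption), not the plugin's implementation."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme = h.get("x-forwarded-proto", socket_scheme).lower()
    hostname, _, port = h.get("x-forwarded-host", h["host"]).partition(":")
    port = h.get("x-forwarded-port", port)
    default_port = {"http": "80", "https": "443"}[scheme]
    authority = hostname if port in ("", default_port) else f"{hostname}:{port}"
    return f"{scheme}://{authority}{context_path}/"

def normalize(url):
    """Compare scheme, authority and path; ignore case and trailing-slash differences."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}/"

def strict_root_url_check(configured, headers, socket_scheme="http", context_path="/master-1"):
    """Return (passed, derived_url). A failed check is what triggers the redirect
    to the configured URL and, behind a misconfigured proxy, the redirect loop."""
    derived = derive_root_url(socket_scheme, context_path, headers)
    return normalize(configured) == normalize(derived), derived

if __name__ == "__main__":
    for label, headers in (("misconfigured proxy", MISCONFIGURED_PROXY_HEADERS),
                           ("corrected proxy", CORRECTED_PROXY_HEADERS)):
        ok, derived = strict_root_url_check(CONFIGURED_ROOT_URL, headers)
        print(f"{label}: requested {derived} -> {'match' if ok else 'MISMATCH (redirect loop)'}")
```

The misconfigured case derives http://core.example.com/master-1/, which fails against the https configured URL even though the host and path are right; forwarding X-Forwarded-Proto fixes the derivation.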
Until a resolution path is taken, the strict Master URL check of Operations Center SSO can be disabled as documented in Disabling the verification of the Jenkins Root URL.