After upgrading CloudBees Core to 184.108.40.206, users cannot log in to controllers configured with Operations Center SSO. Operations Center itself is accessible, and the controllers are connected to Operations Center and shown as Online.
The browser fails with a "Too many redirects" error, being redirected in a loop to $MASTER_URL/securityRealm/commenceLogin?from=$MASTER_ENCODED_PATH, and the controller Jenkins logs show:
The strict checking of configured Root URL is enabled, but the requested Root URL (<URL derived from the request>) is different from the configured Root URL (<URL configured in global configuraton>). Enforcing the usage of the configured URL by redirecting to it.
The controller’s UI shows an error when performing login at
This controller Root URL is empty, but is required by Operations Center Single Sign On. Log in with a local user in $MASTER_URL/login or temporarily disable this security restriction in Operations Center. More information in https://cloudbees.com/r/single-sign-on.
- CloudBees CI (CloudBees Core) 220.127.116.11 and later
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller 18.104.22.168 and later
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center 22.214.171.124 and later
- CloudBees CI (CloudBees Core) on traditional platforms - Client controller 126.96.36.199 and later
- CloudBees CI (CloudBees Core) on traditional platforms - Operations Center 188.8.131.52 and later
- CloudBees Jenkins Platform - Client controller 184.108.40.206 and later
- CloudBees Jenkins Platform - Operations Center 220.127.116.11 and later
- Operations Center Context Plugin 18.104.22.168 and later
- Operations Center Single Sign-On Plugin 22.214.171.124 and later
- CTR-1483: Open Redirect vulnerability in Authentication Mechanism in SSO:
Only connected controllers that are configured with Operations Center SSO (Single Sign On) and that are running version 126.96.36.199 or later are affected.
The 188.8.131.52 release of CloudBees Core contains a security fix for an Open Redirect vulnerability in the SSO authentication mechanism. The fix introduces a strict check of the controller's Root URL, documented in Using Single Sign On (SSO).
The Root URL derived from the request must match the URL configured globally in Jenkins:
- The configured Jenkins Root URL is the URL configured at Manage Jenkins > Configure Jenkins > Jenkins Location > Jenkins URL.
- The URL from the requester is derived from the request information such as
If those URLs do not match, the check fails, Operations Center SSO cannot complete, and the controller redirects to the configured URL (which is the loop seen in the browser).
This issue is caused by a misconfiguration of the Jenkins controller URL, by a misconfiguration of the reverse proxy / load balancer serving it, or by both:
- Make sure the Jenkins URL is properly configured in the controller’s global configuration under Manage Jenkins > Configure Jenkins > Jenkins Location > Jenkins URL.
- Make sure that every reverse proxy in front of Jenkins sets the X-Forwarded headers correctly. See the Reverse Proxy troubleshooting guide.
For example, if Jenkins is available to users at https://core.example.com/master-1:
- The Jenkins URL in the global configuration must be set to https://core.example.com/master-1/
- The X-Forwarded headers (X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port) set by the reverse proxy must describe that same URL, not the backend connection.
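The following is an added example, not code from CloudBees or the Operations Center SSO plugin: it models, in simplified form, how Jenkins derives the Root URL of an incoming request (X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port take precedence over the scheme, host and port of the backend connection) and compares it with the configured Jenkins URL the way the strict check does. The backend values (a controller listening on http://10.0.0.5:8080 with context path /master-1) and the header sets for each proxy scenario are constructed assumptions; the public URL https://core.example.com/master-1 is the one from the text above.

```python
"""
Simplified model of the Operations Center SSO strict Root URL check.
Added illustrative example; it is not the plugin's own code.
"""

DEFAULT_PORT = {"http": 80, "https": 443}


def root_url_from_request(headers, scheme, server_name, server_port, context_path=""):
    """Derive the requested Root URL roughly the way Jenkins does:
    X-Forwarded-Proto/Host/Port win over the backend connection values."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme = h.get("x-forwarded-proto", scheme).lower()
    host = h.get("x-forwarded-host", server_name)
    port = int(server_port)            # backend port unless a proxy header says otherwise
    if ":" in host:                    # some proxies send "host:port" in one header
        host, forwarded = host.rsplit(":", 1)
        port = int(forwarded)
    if "x-forwarded-port" in h:        # an explicit port header overrides everything
        port = int(h["x-forwarded-port"])
    url = f"{scheme}://{host}"
    if port != DEFAULT_PORT.get(scheme):
        url += f":{port}"
    return url + context_path.rstrip("/") + "/"


def normalize_root_url(url):
    """Jenkins stores the configured URL with exactly one trailing slash."""
    return url.strip().rstrip("/") + "/"


def strict_root_url_check(configured_url, headers, scheme, server_name, server_port, context_path=""):
    """Return (ok, requested_url). ok=False means SSO redirects to the configured
    URL, which is the 'Too many redirects' loop seen in the browser."""
    if not configured_url:
        raise ValueError("controller Root URL is empty, but is required by Operations Center SSO")
    requested = root_url_from_request(headers, scheme, server_name, server_port, context_path)
    return requested == normalize_root_url(configured_url), requested


# Constructed assumptions: the public URL from the text, a backend behind the proxy.
CONFIGURED = "https://core.example.com/master-1"   # Manage Jenkins > Jenkins Location > Jenkins URL
BACKEND = dict(scheme="http", server_name="10.0.0.5", server_port=8080, context_path="/master-1")

# Constructed header sets the proxy might forward in each scenario.
SCENARIOS = {
    "proxy sets all X-Forwarded headers": {
        "X-Forwarded-Proto": "https",
        "X-Forwarded-Host": "core.example.com",
        "X-Forwarded-Port": "443",
    },
    "proxy omits X-Forwarded-Proto (TLS terminated at the proxy)": {
        "X-Forwarded-Host": "core.example.com",
        "X-Forwarded-Port": "443",
    },
    "proxy omits X-Forwarded-Port (backend port leaks)": {
        "X-Forwarded-Proto": "https",
        "X-Forwarded-Host": "core.example.com",
    },
    "proxy sets no X-Forwarded headers at all": {},
}


def evaluate(configured=CONFIGURED, scenarios=SCENARIOS):
    """Run the strict check for every scenario: name -> (ok, requested_root_url)."""
    return {name: strict_root_url_check(configured, headers, **BACKEND)
            for name, headers in scenarios.items()}


if __name__ == "__main__":
    for name, (ok, requested) in evaluate().items():
        print(f"{'OK  ' if ok else 'LOOP'} {name}: requested {requested}")
```

Only the first scenario passes; the others show the three usual causes of the loop (http instead of https, the backend port 8080 appearing in the URL, or the backend address entirely). For nginx the matching directives are `proxy_set_header X-Forwarded-Proto $scheme;`, `proxy_set_header X-Forwarded-Host $host;` and `proxy_set_header X-Forwarded-Port $server_port;`; other proxies have equivalents, and the Reverse Proxy troubleshooting guide covers them.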
Until the URL configuration is fixed, the strict controller URL check of Operations Center SSO can be disabled as documented in Disabling the verification of the Jenkins Root URL. Doing so removes the protection introduced by the security fix, so treat it as a temporary workaround only.