Cannot Log In to Connected Masters with Operations Center SSO after Upgrading to 2.222.4.3

Issue

  • After upgrading CloudBees Core to 2.222.4.3, users cannot log in to Masters configured with Operations Center SSO, even though Operations Center itself is accessible and the Masters are connected to Operations Center and shown as Online.

  • The browser fails with a Too many redirects error: it is redirected in a loop to $MASTER_URL/securityRealm/commenceLogin?from=$MASTER_ENCODED_PATH, and the Master Jenkins logs show:

    The strict checking of configured Root URL is enabled, but the requested Root URL (<URL derived from the requests) is different from the configured Root URL (<URL configured in global configuraton>). Enforcing the usage of the configured URL by redirecting to it.
    
  • The Master’s UI shows an error when performing login at $MASTER_URL/securityRealm/commenceLogin?from=$MASTER_ENCODED_PATH:

    This master Root URL is empty, but is required by Operations Center Single Sign On. Log in with a local user in $MASTER_URL/login or temporarily disable this security restriction in Operations Center. More information in https://cloudbees.com/r/single-sign-on.
    

Explanation

Only Connected Masters that are configured with Operations Center SSO (Single Sign On) and that are running version 2.222.4.3 or later can be affected.

The 2.222.4.3 release of CloudBees Core contains a security fix for an Open Redirect vulnerability in the SSO authentication mechanism. The fix introduces a strict check on the Master URL, documented at Using Single Sign On (SSO).

The Master URL derived from the request must match the Master URL configured globally in Jenkins:

  1. The configured Jenkins Root URL is the URL configured at Manage Jenkins > Configure Jenkins > Jenkins Location > Jenkins URL.
  2. The URL from the requester is derived from the request information such as X-Forwarded headers.

If those URLs do not match, the check fails and Operations Center SSO cannot complete the login.

Resolution

This issue is caused by a misconfiguration of the Jenkins Master URL, a misconfiguration of the reverse proxy / load balancer serving it, or both:

  1. Make sure the Jenkins URL is properly configured in the Master’s global configuration under Manage Jenkins > Configure Jenkins > Jenkins Location > Jenkins URL.
  2. Make sure any reverse proxies used in front of Jenkins set the X-Forwarded headers correctly. See the Reverse Proxy troubleshooting guide.

Example

If Jenkins is available at https://core.example.com/master-1 to the users:

  1. The Jenkins Global URL must be configured to https://core.example.com/master-1
  2. The X-Forwarded headers should be set accordingly:

    • X-Forwarded-Host: core.example.com
    • X-Forwarded-Proto: https
    • X-Forwarded-Port: 443
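To make the matching rule concrete, here is an added Python model of the comparison, fed with the example values above. It is not CloudBees' or Jenkins' code: the exact way Jenkins derives the root URL from a request is an assumption here, approximated from the X-Forwarded headers named in this article, and the three header sets are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def derived_root_url(headers, context_path, fallback_host="localhost:8080"):
    """Rebuild the root URL as a proxied request presents it to Jenkins.
    Assumption (not CloudBees' code): X-Forwarded-* headers take precedence
    over Host, and the scheme falls back to http when X-Forwarded-Proto is absent."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme = h.get("x-forwarded-proto", "http").lower()
    host = h.get("x-forwarded-host", h.get("host", fallback_host))
    # Only append X-Forwarded-Port when the host carries no port of its own
    # and the port is not the scheme's default.
    if ":" not in host:
        port = h.get("x-forwarded-port")
        if port and int(port) != DEFAULT_PORTS.get(scheme):
            host = f"{host}:{port}"
    return f"{scheme}://{host}{context_path}"

def normalize(url):
    """Canonical form for comparison: lower-case scheme/host, default port
    dropped, trailing slash removed."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path.rstrip('/')}"

def strict_check(configured_url, headers, context_path):
    """Mimic the strict Root URL check: True when the configured Jenkins URL
    and the URL derived from the request agree. Returns (ok, configured, derived)."""
    configured = normalize(configured_url)
    derived = normalize(derived_root_url(headers, context_path))
    return configured == derived, configured, derived

if __name__ == "__main__":
    configured = "https://core.example.com/master-1/"   # Jenkins Location > Jenkins URL
    # Constructed header sets: the recommended headers, then a proxy that
    # omits X-Forwarded-Proto, then a proxy that forwards nothing at all.
    cases = {
        "headers set as recommended": {"X-Forwarded-Host": "core.example.com",
                                       "X-Forwarded-Proto": "https",
                                       "X-Forwarded-Port": "443"},
        "X-Forwarded-Proto missing": {"X-Forwarded-Host": "core.example.com"},
        "no X-Forwarded headers": {"Host": "10.0.0.5:8080"},
    }
    for name, hdrs in cases.items():
        ok, conf, der = strict_check(configured, hdrs, "/master-1")
        print(f"{name}: {'OK' if ok else 'MISMATCH -> redirect loop'} "
              f"(configured {conf}, derived {der})")
```

Only the first header set passes; the other two reproduce the mismatch that the log line in the Issue section reports.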

Workaround

Until a resolution path is taken, the strict Master URL check of Operations Center SSO can be disabled as documented in Disabling the verification of the Jenkins Root URL.
