- We are facing authentication issues using SAML and the Single Sign On Service URL provided by the SAML IdP contains parameters.
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed Master
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
- CloudBees CI (CloudBees Core) on traditional platforms - Client Master
- CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
- CloudBees Jenkins Enterprise
- CloudBees Jenkins Enterprise - Managed Master
- CloudBees Jenkins Enterprise - Operations Center
- CloudBees Jenkins Team
- CloudBees Jenkins Platform - Client Master
- CloudBees Jenkins Platform - Operations Center
- Jenkins LTS
When we use SAML for authenticating users in Jenkins, we need to set the
saml-idp-metadata.xml file content inside the SAML plugin configuration using either
IdP Metadata or
IdP Metadata URL field. Inside this
saml-idp-metadata.xml file we have the
<SingleSignOnService> tag where the SAML IdP entity put the Service SAML URL.
According to SAML Plugin behavior, this URL (located inside the
<SingleSignOnService>) should not contain any parameters, since the SAML plugin will redirect the user to the SAML IdP server using this URL without any parameters. Therefore, if the SAML IdP entity needs those parameters to accomplish correctly the SAML authentication, it will not be possible as those parameters will be removed during the first redirection to the SAML IdP entity.
Unfortunately, this is not an issue that could be solved from the Jenkins side, and you should contact your SAML team to use an alternative URL instead of using those parameters.
This is an example of a URL that would cause this kind of authentication issues:
And this is an example of a URL that would not:
Once your SAML Team has removed any parameters from the Service SAML IdP URL, a new
saml-idp-metadata.xml file should be generated. After that, we should add the new version of the
saml-idp-metadata.xml to the SAML plugin configuration from the Jenkins side.