jenkins, saml and Keycloak SSO

James Regis
Jan 15, 2017, 10:09:07 PM
to Jenkins Users
Hello,

I am trying to make jenkins + saml plugin + keycloak work together and I am facing an issue.

I have generated the IDP metadata and once I am trying to login : http://jenkins.example.com/securityRealm/finishLogin, I am redirected to the keycloak login page.

When I am trying to login with my google credentials, I have this error : 

javax.servlet.ServletException: org.pac4j.saml.exceptions.SamlException: Error decoding saml message
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:796)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
	at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:197)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
.......
Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
	at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:138)
	at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107)
	at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:50)
	at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:131)
	at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:82)
	at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
After some googling, I found this website : 
http://samaratips.blogspot.ca/2016/10/sso-using-saml.html
which said : 
Add IDP public key for signing messages to java key store. It can be found in incoming saml message from IDP.

My questions are : 
- Is there somebody who has succeeded in making jenkins/saml plugin + keycloak work together ?
- How can I add the IDP public key to my keystore and how to configure jenkins to decode the saml message with the key in the keystore ?
Any help/hints will be appreciated.
Regards.
James

Vikas Kumar
Feb 17, 2018, 12:36:45 AM
to Jenkins Users
Hello James,

Did you get this working? I too am facing all sorts of issues trying to do so.

Regards,
Vikas

Ivan Fernandez Calvo
Feb 17, 2018, 4:25:25 PM
to Jenkins Users
Did you import the public key of the SP (Jenkins) in the IdP? If not, import it or disable the signing and/or encryption in the IdP. Another option is to use version 0.14 of the SAML Plugin, which does not enforce defining any key.

Ivan Fernandez Calvo
Feb 18, 2018, 1:50:36 PM
to Jenkins Users
> How can I add the IDP public key to my keystore and how to configure jenkins to decode saml message with the key in the keystore ?

The IdP key should be in the IdP Metadata as described in https://www.oasis-open.org/committees/download.php/51890/SAML%20MD%20simplified%20overview.pdf
If you are generating the IdP metadata in a manual way, you can use this tool https://www.samltool.com/idp_metadata.php

Vikas Kumar
Feb 19, 2018, 5:38:00 AM
to Jenkins Users
Hello Ivan,

Thanks for your response. To be honest, I am a novice in SAML at the moment but have managed to hook Keycloak to AWS using some tutorials :).

I have tried turning off signing and encryption in Keycloak and configured the below parameters after googling.

This is my IDP metadata configured in Jenkins:

<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="http://13.211.108.58/auth/realms/amp"
                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <IDPSSODescriptor WantAuthnRequestsSigned="false"
                    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="http://13.211.108.58/auth/realms/amp/protocol/saml" />
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="http://13.211.108.58/auth/realms/amp/protocol/saml" />
    <KeyDescriptor use="signing">
      <dsig:KeyInfo>
        <dsig:KeyName>-3exGGnBkt9XwDMBUwkkkXg2JYGXg-_YAcr5gwYTSN0</dsig:KeyName>
        <dsig:X509Data>
          <dsig:X509Certificate>MIIClTCCAX0CBgFhnj1EXDANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDDANhbXAwHhcNMTgwMjE2MTA0OTMwWhcNMjgwMjE2MTA1MTEwWjAOMQwwCgYDVQQDDANhbXAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXWPRbbOOjiDlBR3retdd1hIrdbPbsQw88AoYj3+4kIJGmAl+g7z/DIEdjTMsn5Jbx6NF2UUS4b2c/rIkCqEMAMz4CKfOFKppbEGTgAJmyAM0uNvo56K01lhsiGVgj9JRqrX5ANoH5PQWkHeF/miyCm1n6EFdyefheNP2lGksofpphrgW9ChTXPHyLhdv1KCJCTI2c7b+HwAhslI0Zw/XT9ZlKQ3/dkc4mYVRsTKjVKPWXSZwvp7eSNDPn1cbEtuUCOikaxcKVKZBghW4ZwspY7DJZIulhnS4rZB8JO2+GWWAJAqIUZffoh99yHANM/wVHwtEdl6Eckw0IiVTW3RSFAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAHEkunR6dy+/b3cPl+GJNKpmkMbjMjNQ3P/7YMHQYldl6pr0njYGIl7wh6uA5JF176bz5oP+XddNiySue7lPm+AbsEvefOcfpWt0eBAOHWmZrZLWvp5toE7ipNYd+coicRsddDTAm9ZIdP9X2jNDHrouCkfNHgNIIeLYWdlYUb9VvYW0JbdiwqJs5iCLBIo9M3buffltGyI1ghK0S0/xQf6SgxDLLH4kjU0POj3XMMNDGB4YlPcWeA9DzEQzvWI2gK8Ul/MV3TbYdTXxIRJqef3Qv5ZkCKFBMPORdfLKZyOvP7vex3MSZZzfX342ZjZmzvrlQtOekvldP2OupFeLV8M=</dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>

I have configured this as below:

Request you to please have a quick look and let me know where I am going wrong. The above configuration in Jenkins gives this stack trace:

org.pac4j.saml.exceptions.SAMLException: Identity provider has no single sign on service available for the selected profileorg.opensaml.saml.saml2.metadata.impl.IDPSSODescriptorImpl@3ce818f6
	at org.pac4j.saml.context.SAML2MessageContext.getIDPSingleSignOnService(SAML2MessageContext.java:93)
	at org.pac4j.saml.sso.impl.SAML2AuthnRequestBuilder.build(SAML2AuthnRequestBuilder.java:70)
	at org.pac4j.saml.sso.impl.SAML2AuthnRequestBuilder.build(SAML2AuthnRequestBuilder.java:34)

Thanks in advance.

Regards

Ivan Fernandez Calvo
Feb 19, 2018, 9:28:31 AM
to Jenkins Users
The Data Binding Method SAML Plugin setting should be HTTP-POST, your IdP metadata only supports HTTP-POST (<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">), also check the help of the Client ID field but I bet that the Client ID Keycloak field is the same as the Entry ID on the SAML Plugin so you have to enable the advanced setting and set the Entry ID to the same value
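The two answers above come down to two things a Service Provider has to read out of the IdP metadata: the signing certificate (Ivan's Feb 18 reply, "the IdP key should be in the IdP Metadata") and the SingleSignOnService bindings the IdP actually offers (the last reply, where the plugin's Data Binding Method has to match one of them). The script below is an added example, not code from the thread, Keycloak or the Jenkins SAML plugin; it parses an IdP metadata document with the Python standard library, lists the signing certificates with their SHA-256 fingerprints (handy for comparing against what the SP has in its keystore), and reproduces the "no single sign on service available" check for a chosen SP binding. The metadata and certificate bytes in it are constructed placeholders, and the entity ID and URLs are made-up names.

```python
"""Read a SAML 2.0 IdP metadata document the way an SP must before it can
verify IdP signatures or build an AuthnRequest.

Added example with constructed sample data; not code from the Jenkins SAML
plugin, pac4j or Keycloak.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}

POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for DER certificate bytes (not a real certificate).
SAMPLE_CERT_DER = b"constructed-der-not-a-real-certificate"
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()

# Constructed metadata: one POST-only SSO endpoint, one signing key and one
# encryption-only key (which an SP must NOT use for signature verification).
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="https://idp.example.test/auth/realms/demo"
                  xmlns="{MD_NS}" xmlns:dsig="{DS_NS}">
  <IDPSSODescriptor WantAuthnRequestsSigned="false"
                    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="{POST_BINDING}"
                         Location="https://idp.example.test/auth/realms/demo/protocol/saml" />
    <KeyDescriptor use="signing">
      <dsig:KeyInfo><dsig:X509Data>
        <dsig:X509Certificate>{SAMPLE_CERT_B64}</dsig:X509Certificate>
      </dsig:X509Data></dsig:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <dsig:KeyInfo><dsig:X509Data>
        <dsig:X509Certificate>{base64.b64encode(b"constructed-encryption-key").decode()}</dsig:X509Certificate>
      </dsig:X509Data></dsig:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def fingerprint(der_bytes):
    """SHA-256 fingerprint of DER bytes, as keytool/openssl would print it (hex)."""
    return hashlib.sha256(der_bytes).hexdigest()


def parse_idp_metadata(xml_text):
    """Return entity ID, SSO endpoints keyed by binding, and signing certs."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("document root is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IdP role (no IDPSSODescriptor)")

    sso = {svc.get("Binding"): svc.get("Location")
           for svc in idp.findall("md:SingleSignOnService", NS)}

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # Per the metadata spec an absent 'use' means the key serves both
        # signing and encryption, so only an explicit "encryption" is skipped.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert_el in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert_el.text.split()))  # strip PEM line wraps
            signing_certs.append({"sha256": fingerprint(der), "der_length": len(der)})

    return {
        "entity_id": root.get("entityID"),
        "wants_authn_requests_signed": idp.get("WantAuthnRequestsSigned") == "true",
        "sso": sso,
        "signing_certs": signing_certs,
    }


def sso_location_for(info, sp_binding):
    """Return the SSO URL for the SP's configured binding.

    Raises the same condition pac4j reports as 'Identity provider has no
    single sign on service available for the selected profile'.
    """
    if sp_binding not in info["sso"]:
        raise ValueError(
            f"SP configured for {sp_binding}, but IdP only offers {sorted(info['sso'])}")
    return info["sso"][sp_binding]


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", info["entity_id"])
    for cert in info["signing_certs"]:
        print("signing cert sha256:", cert["sha256"])
    print("POST SSO URL:", sso_location_for(info, POST_BINDING))
    try:
        sso_location_for(info, REDIRECT_BINDING)
    except ValueError as err:
        print("misconfigured SP binding:", err)
```

Run it against a real export (Keycloak serves the realm's IdP metadata at its SAML descriptor URL) by passing that document to `parse_idp_metadata` instead of `SAMPLE_METADATA`; the fingerprint it prints should match the certificate in the SP's keystore, and the bindings it lists are the only values that make sense for the plugin's Data Binding Method.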
