Jenkins SAML + nginx + ELB


Nick T

Jun 8, 2016, 2:23:17 PM
to Jenkins Users
I have my Jenkins server running with an nginx reverse proxy sitting in front of it. In front of that I have an AWS ELB that is terminating the SSL. So the problem is that Okta posts to https://myjenkins.mycompany.com, but on the Jenkins side it sees http, so it fails. Any tips?

WARNING: Error while serving http://jenkins.mycompany.com/securityRealm/finishLogin

at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)


Caused by: org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint
	at org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder.checkEndpointURI(BaseSAMLMessageDecoder.java:217)
	at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:72)
	at org.pac4j.saml.sso.Saml2WebSSOProfileHandler.receiveMessage(Saml2WebSSOProfileHandler.java:119)

Fred Clausen

Jun 9, 2016, 1:43:49 AM
to Jenkins Users
Are you setting the "X-Forwarded-Proto" header? This guide might be useful. You could also try and make the "Postback URL" be "http" since that is what the request will arrive as on the Jenkins server itself.
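
An nginx configuration for the setup described in this thread, passing the ELB's X-Forwarded-Proto header through to Jenkins; this is an added example, not part of any post here. The upstream address 127.0.0.1:8080, the plain-HTTP listener on port 80 and the 10.0.0.0/16 ELB subnet are assumptions.

```nginx
# Added example, not from the thread. Assumed: the ELB terminates TLS and
# forwards plain HTTP to nginx on port 80, Jenkins listens on 127.0.0.1:8080,
# and 10.0.0.0/16 is a placeholder for the subnet the ELB nodes live in.
# This file is expected to be included from the http {} context.

# Forward the scheme the ELB reports. If the header is absent, fall back
# to the scheme nginx itself saw on the connection.
map $http_x_forwarded_proto $jenkins_proto {
    default $http_x_forwarded_proto;
    ""      $scheme;
}

server {
    listen 80;
    server_name jenkins.mycompany.com;   # host name from the log line in the thread

    # Only the ELB should reach this listener. A client that can connect
    # directly could set X-Forwarded-Proto itself, so restrict the source
    # here as well as in the instance's security group.
    allow 10.0.0.0/16;
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:8080;

        # Jenkins rebuilds the request URL from these headers. With the
        # ELB's value passed through, the URL for /securityRealm/finishLogin
        # carries https and can match the endpoint the IdP posts to.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $jenkins_proto;
    }
}
```

Setting the header to `$scheme` instead would send `http` in this topology, because the connection from the ELB to nginx is not TLS.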

prakhar vishnoi

Aug 5, 2016, 6:16:30 AM
to Jenkins Users
Hey, I am getting a similar type of error while integrating the SAML-2 plugin + Azure Active Directory. Can you help me?

Grzegorz Szypa

Apr 7, 2017, 6:23:51 AM
to Jenkins Users
Hi.

As prakhar said, I also have a similar problem, because during login I get a message in the response that "we get incorrect request".

Here is some additional information which accompanies the above message:

"
Dodatkowe informacje techniczne:
Correlation ID: 985a69d5-d30e-4e4f-8ed6-96788d7d6dda
Timestamp: 2017-04-07 10:18:53Z
AADSTS70001: Application with identifier 'http://vmsrv0.szypa.net:8080/securityRealm/finishLogin' was not found in the directory 5d71a3b0-a9e5-4b76-8c5b-d8a910a24c54
"

Ivan Fernandez Calvo

Apr 7, 2017, 1:09:19 PM
to Jenkins Users
You have a different issue. In your case your SP, Jenkins, is not registered on your IdP, so it rejects your request for authentication. The method to register a new SP depends on your IdP. Here you have an example of configuration with simplesamlphp; it identifies the SP with the response URL like your

Ivan Fernandez Calvo

Apr 7, 2017, 1:18:52 PM
to Jenkins Users

Grzegorz Szypa

Apr 7, 2017, 1:53:44 PM
to Jenkins Users
It is already registered, so I do not know what's going on.