Jenkins Okta auth


st...@flugel.it

Apr 20, 2017, 4:20:01 AM
to Jenkins Users
I'm trying to configure Okta with the SAML Jenkins plugin https://wiki.jenkins-ci.org/display/JENKINS/SAML+Plugin
but I'm getting the error: Cannot find entity https://www.okta.com/saml2/service-provider/spibofbfpairxsdsimgc or role {urn:oasis:names:tc:SAML:2.0:metadata}

Here is my metadata:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://www.okta.com/saml2/service-provider/spibofbfpairxsdsimgc">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAVuJmnDlMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAVuJmnDlMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev-784119.oktapreview.com/sso/saml2/0oaa7zvi6k6kK4Rm00h7" index="0" isDefault="true"/>
    <md:AttributeConsumingService index="0">
      <md:RequestedAttribute FriendlyName="First Name" Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="Last Name" Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="Email" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="Mobile Phone" Name="mobilePhone" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">dev-784119</md:OrganizationName>
    <md:OrganizationDisplayName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">Flugel.it-dev-784119</md:OrganizationDisplayName>
    <md:OrganizationURL xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">https://flugel.it</md:OrganizationURL>
  </md:Organization>
</md:EntityDescriptor>

In Okta, SAML PROTOCOL SETTINGS:

IdP Issuer URI:
IdP Single Sign-On URL:
IdP Signature Certificate: Pub cert for SSL
Request Binding: HTTP POST
Request Signature: Sign SAML Authentication Requests
Request Signature Algorithm: SHA-256
Response Signature Verification: Response or Assertion
Response Signature Algorithm: SHA-256
Destination: Okta Assertion Consumer Service URL
Trust-specific
Organization (shared)
Max Clock Skew: 2 Minutes

Jenkins is running from the official Docker image with these options:
--httpPort=-1 --httpsPort=8080 --httpsCertificate=/var/lib/jenkins/jenkins.crt --httpsPrivateKey=/var/lib/jenkins/jenkins.key

Ivan Fernandez Calvo

Apr 20, 2017, 6:26:13 AM
to Jenkins Users
Hi,

To configure Okta as a SAML service you have to follow this documentation: http://developer.okta.com/standards/SAML/setting_up_a_saml_application_in_okta. It seems like you did that and have the IdP up and running; you have to set these settings in order to make it work:

Single Sign on URL: http://myhostaddress.com:8080/securityRealm/finishLogin
Use this for Recipient URL and Destination URL: Checked
Audience URI (SP Entity ID): http://myhostaddress.com:8080/securityRealm/finishLogin
Name ID Format: EmailAddress
Application username: Okta username
Attribute Statements: I did not specify any here
Group Attribute Statements: Name=Group Nameformat=Basic Filtertype=regex Filter=.*


Jenkins:
Security Realm: SAML 2.0
IdP Metadata: Copied from Okta
Display Name Attribute: the default (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name)
Group Attribute: Group
Username Attribute: left blank


Reviewing your configuration, you set Request Binding to HTTP POST; this kind of binding is not yet supported by the SAML Plugin, you have to use HTTP Redirect Binding.
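An added check, not from this thread or the SAML plugin, that a practitioner can run on a metadata document before pasting it into the plugin's "IdP Metadata" field: it parses the XML, verifies that it carries an IDPSSODescriptor rather than only an SPSSODescriptor (the document posted in the question is Okta's service-provider metadata, and the error names a missing role), that its SingleSignOnService offers the HTTP-Redirect binding the reply says the plugin requires, and that a signing certificate is present. The two embedded metadata documents are constructed samples; their entity IDs, URLs and certificate value are placeholders.

```python
# Check SAML metadata before pasting it into the Jenkins SAML plugin's 'IdP Metadata' field.
import xml.etree.ElementTree as ET  # prefer defusedxml if the metadata comes from an untrusted source

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def check_idp_metadata(xml_text):
    """Return (ok, findings): ok only if an IDPSSODescriptor exists, its SingleSignOnService
    offers HTTP-Redirect (the binding the plugin supports) and a signing certificate is present."""
    root = ET.fromstring(xml_text)
    findings = {"entity_id": root.get("entityID"), "problems": []}
    if root.tag != f"{{{MD}}}EntityDescriptor":
        findings["problems"].append("root element is not md:EntityDescriptor")
        return False, findings
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        roles = [c.tag.rsplit("}", 1)[-1] for c in root if c.tag.endswith("SSODescriptor")]
        findings["problems"].append(f"no IDPSSODescriptor role (roles present: {roles}); this is "
                                    "service-provider metadata, not the IdP metadata the plugin expects")
        return False, findings
    bindings = {s.get("Binding") for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    findings["sso_bindings"] = sorted(bindings)
    if REDIRECT not in bindings:
        findings["problems"].append("SingleSignOnService offers no HTTP-Redirect binding")
    # A KeyDescriptor without a 'use' attribute may serve both signing and encryption.
    signing = 0
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):
            signing += len(kd.findall(f".//{{{DS}}}X509Certificate"))
    findings["signing_certs"] = signing
    if signing == 0:
        findings["problems"].append("no signing certificate to verify responses with")
    return not findings["problems"], findings


# Constructed SP metadata shaped like the one pasted in the question (SPSSODescriptor only).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example/EXAMPLE">
  <md:SPSSODescriptor><md:AssertionConsumerService Binding="{POST}" Location="https://sp.example/acs"
    index="0"/></md:SPSSODescriptor></md:EntityDescriptor>"""

# Constructed IdP metadata of the shape the plugin's 'IdP Metadata' field needs.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example/EXAMPLE">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
    <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example/sso"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example/sso"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Running `check_idp_metadata` on the real Okta IdP metadata flags the SP-only case with the role problem the error message points at, and reports which SSO bindings the IdP offers.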