SAML Configuration


Srinivasan RK

Aug 28, 2019, 1:46:46 PM
to Jenkins Users

I have set up the SAML Plugin and loaded the IdP metadata. My SP metadata always shows AuthnRequestsSigned="true". How can I disable it? I am being asked by the admin if I can send it without signing. I could not find how to do it in Jenkins.


I am not sure what the checkbox "Disable Signature Redirect Binding Auth Request" under SAML Configuration is used for. I tried changing the Data Binding to HTTP-Redirect and selecting the checkbox, but when I view the spMetaData file, it still shows up with AuthnRequestsSigned="true" and bindings:HTTP-POST.


Versions: Jenkins 2.176.2 deployed on WebLogic 12.2.1.3 with SAML Plugin 1.1.2.


Thanks


Srini

Ivan Fernandez Calvo

Aug 29, 2019, 2:53:57 PM
to Jenkins Users
Hi,

It is not possible to disable signing on HTTP-POST; I ran into some difficulties implementing it in the pac4j library (https://issues.jenkins-ci.org/browse/JENKINS-47966). There is a workaround that IIRC works: modify the JENKINS_HOME/saml-sp-metadata.xml file manually to disable it. You have to edit the SPSSODescriptor section to something like this: "<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">". The inconvenience is that every time you modify the security configuration this file would change and you will lose your changes.




  • Disable Signature Redirect Binding Auth Request - Disables the signature of the Redirect Binding Auth Request (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect). It is not possible to disable the signature in the HTTP-POST binding.
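
The two attributes discussed above, AuthnRequestsSigned and WantAssertionsSigned, are what the IdP reads from the SP metadata to decide whether it will accept unsigned AuthnRequests and whether it must sign assertions. The script below is an added example, not code from the SAML plugin or from anyone in this thread: it parses a JENKINS_HOME/saml-sp-metadata.xml file, reports those flags and the AssertionConsumerService bindings, flags the settings worth a second look before handing the file to the IdP, and performs the hand-edit of AuthnRequestsSigned described in the reply above so the before/after can be compared. The SPSSODescriptor line in the embedded sample mirrors the one quoted above; the entityID, Location and index values are placeholders (assumptions), and the sample is constructed, not copied from a real Jenkins instance. Note that the reply above already warns the plugin rewrites this file whenever the security configuration is saved, so treat the edit as something to diff and verify, not as a durable change.

```python
"""Inspect and audit the SP metadata written by the Jenkins SAML plugin
(JENKINS_HOME/saml-sp-metadata.xml). Added example; not plugin code."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
ET.register_namespace("md", MD_NS)  # keep the md: prefix on re-serialization

HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample. The SPSSODescriptor attributes mirror the thread;
# entityID, Location and index are placeholders (assumption).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://jenkins.example.internal/securityRealm/finishLogin">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://jenkins.example.internal/securityRealm/finishLogin"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _xml_bool(value, default=False):
    """SAML metadata uses xs:boolean; an absent attribute means false."""
    if value is None:
        return default
    return value.strip().lower() in ("true", "1")


def _sp_descriptor(root):
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no md:SPSSODescriptor element in metadata")
    return sp


def inspect_sp_metadata(xml_text):
    """Return the signing flags and ACS bindings the SP metadata declares."""
    root = ET.fromstring(xml_text)
    sp = _sp_descriptor(root)
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": _xml_bool(sp.get("AuthnRequestsSigned")),
        "want_assertions_signed": _xml_bool(sp.get("WantAssertionsSigned")),
        "acs_bindings": [
            acs.get("Binding")
            for acs in sp.findall("md:AssertionConsumerService", NS)
        ],
    }


def audit_sp_metadata(xml_text):
    """List the settings an admin should double-check before sending the
    metadata to the IdP. An empty list means nothing stood out."""
    info = inspect_sp_metadata(xml_text)
    findings = []
    if not info["want_assertions_signed"]:
        # Unsigned assertions would let anyone who can reach the ACS forge a login.
        findings.append("WantAssertionsSigned is false: the IdP may send "
                        "unsigned assertions; keep this true")
    if not info["authn_requests_signed"]:
        # Lower impact: the IdP will accept AuthnRequests nobody vouched for.
        findings.append("AuthnRequestsSigned is false: the IdP will accept "
                        "unsigned AuthnRequests for this SP")
    if HTTP_POST not in info["acs_bindings"]:
        findings.append("no HTTP-POST AssertionConsumerService endpoint is declared")
    return findings


def set_authn_requests_signed(xml_text, signed):
    """Apply the hand-edit from the thread (flip AuthnRequestsSigned) and
    return the re-serialized metadata. The plugin regenerates the file on
    every security-configuration save, so this does not persist."""
    root = ET.fromstring(xml_text)
    sp = _sp_descriptor(root)
    sp.set("AuthnRequestsSigned", "true" if signed else "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    import sys
    # Usage: python sp_metadata_audit.py [JENKINS_HOME/saml-sp-metadata.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SP_METADATA
    print(inspect_sp_metadata(text))
    for finding in audit_sp_metadata(text) or ["no findings"]:
        print("-", finding)
```

Run it against the real file after each configuration save to see whether the plugin has put AuthnRequestsSigned back to "true"; if the IdP insists on unsigned requests, the audit output is also the record of exactly which protections the relaxed metadata gives up.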

Ivan Fernandez Calvo

Aug 29, 2019, 3:31:03 PM
to Jenkins Users
Modifying the JENKINS_HOME/saml-sp-metadata.xml file does not work. I am reviewing it because maybe there is a way to implement it by extending a class.

Ivan Fernandez Calvo

Aug 29, 2019, 4:22:39 PM
to Jenkins Users
I have made a PR that disables the Auth Request signature on the HTTP-POST binding when the encryption settings are not set, the same behavior as the HTTP-Redirect binding. When the PR build finishes, you will have a version of the plugin with the patch here: https://ci.jenkins.io/blue/organizations/jenkins/Plugins%2Fsaml-plugin/detail/PR-71/1/artifacts

Srinivasan RK

Sep 4, 2019, 1:37:50 PM
to Jenkins Users
Thanks Ivan