Strange SAML-jenkins certificate expired causing JENKINS-ADFS integration SSO login to fail


Shifa Shaikh

Aug 12, 2020, 1:45:04 PM
to Jenkins Users

We have been logging in to Jenkins using SSO for the past year without any issues.


Today, however, the SSO failed for the entire team and no one can log in anymore.


After providing the SSO AD credentials we are thrown to the SAMLLogout page.


SAMLLOGOUT.png


Upon investigation the ADFS team informed that one of the certificates from Jenkins with `CN=SAML-jenkins` has expired causing the login to fail. The snapshot of the expired certificate as shared by the ADFS team for our Jenkins is below:


Capture1.PNG


Capture2.PNG


We have never created this certificate nor do we have any idea about it. 


Is this something that comes default with the Jenkins SAML plugin or the Jenkins product? Please let me know.


Now that we are not able to log in to Jenkins, how do we go about fixing the issue and updating the certificate?


I'm using the latest version of the standalone Jenkins war.


Any help or guidance would be appreciated.

Ivan Fernandez Calvo

Aug 13, 2020, 1:05:48 PM
to Jenkins Users
The SAML plugin needs a certificate to sign and encrypt the communications with the IdP. If you do not provide one, the SAML plugin generates a key and a certificate for that purpose. The certificate is renewed automatically when it expires, but the IdP needs the new certificate; it is your responsibility to provide the new certificate to the IdP. All of this is in the documentation of the plugin.