Jenkins with Saml 2.0 SSO Authentication


St. Georgiou

Jan 21, 2014, 8:39:21 AM
to jenkins...@googlegroups.com
Hey there,

I'm looking for a Jenkins plugin to enable SSO authentication using
Shibboleth 2.
Is there such a thing? I can only find the CAS Plugin
<https://wiki.jenkins-ci.org/display/JENKINS/CAS+Plugin>, which only goes up
to SAML 1.1.

Cheers



--
View this message in context: http://jenkins-ci.361315.n4.nabble.com/Jenkins-with-Saml-2-0-SSO-Authentication-tp4687801.html
Sent from the Jenkins users mailing list archive at Nabble.com.

Ben McCann

Aug 17, 2014, 12:18:55 AM
to jenkins...@googlegroups.com, stefanos...@cern.ch
I've created a SAML 2.0 plugin for Jenkins

John Burrows

Jan 23, 2015, 5:30:44 AM
to jenkins...@googlegroups.com, stefanos...@cern.ch
Ben,

I am trying to get the SAML plugin to work, but the configuration in Security is confusing.

All I see when clicking SAML in the security configuration is:

Any ideas or help on how to properly configure it?

We use an internal Ping Federated server for SSO authentication.

Thanks

John




Ben McCann

Jan 23, 2015, 11:10:32 AM
to jenkins...@googlegroups.com, stefanos...@cern.ch
Hey John,

Ping should be able to give you a metadata file which contains all the configuration information you need. We set it up this way so that you only have to enter a single field instead of a few different fields.

I haven't used Ping specifically before, but found these docs, which may help you if this is the right Ping product:

-Ben


--
You received this message because you are subscribed to a topic in the Google Groups "Jenkins Users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-users/L_5ACUwtJpM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/5a68a1a6-220c-4b6c-8035-7172d87ae000%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



John Burrows

Jan 23, 2015, 11:28:45 AM
to jenkins...@googlegroups.com, stefanos...@cern.ch
Ben,

Thanks for the quick response. Maybe I wasn't clear, but what I am asking is what info goes into that field, and in what format?

Can you send me an example?

Thanks,
John

---------------

John Burrows

Supervisor Software Engineering, USA

SCM: AD Common Services

T +1 704 423 2531 / M +1 864 490 1091

Vacation Alert :

Feb 27 / Mar 30-Apr 2 / Jun 29-Jul 2


ACI Worldwide 

-----------------------

For AD Common Services: Infrastructure Services support contact:
     Jeni Jones <jennife...@aciworldwide.com>
For AD Common Services: ARLM support email:
For AD Common Services: SCM support refer to the Google Site:
For AD Common Services: Security or AD Tools support contact:
     Andie Srivastava <andie.sr...@aciworldwide.com>




John Burrows

Jan 23, 2015, 11:29:51 AM
to jenkins...@googlegroups.com, stefanos...@cern.ch
Or is it just all the contents of the xml file?

Thanks,
John



Ben McCann

Jan 23, 2015, 11:51:07 AM
to jenkins...@googlegroups.com, stefanos...@cern.ch

John Burrows

Feb 18, 2015, 11:09:23 AM
to jenkins...@googlegroups.com, stefanos...@cern.ch
Hi Ben,
 
Thank you for your help, I have been trying to get the SAML plugin working with our Ping federated server and have been unsuccessful.
 
Here is what is happening:
 

Jenkins v 1.597 SAML plugin v 0.3

We are using an internal PingFederated server and I have entered the XML metadata contents into the Security configuration of Jenkins.

I have tried on two servers, one set up HTTPS (SSL) and one just HTTP.

We get errors when trying to log in using SSO that pertain to the https://servername/securityRealm/finishLogin redirect, and the same on the non-SSL server.

We are stumped on what to check here. The PingFederated administrator has it set for the postback to the securityRealm/finishLogin URL, which is what is in the code for the plugin; we just are not sure how to proceed.

The contents of the XML metadata:

<md:EntityDescriptor ID="MNkL_uYrUsdEca2oWqH6gdgG4t3" cacheDuration="PT1440M" entityID="ENTITYIDHERE:Saml2:POC" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>CERTIFICATECODE HERE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://SSOSERVERNAME/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://SSOSERVERNAME/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://SSOSERVERNAME/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://SSOSERVERNAME/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
  <md:ContactPerson contactType="administrative">
    <md:Company>COMPANYNAME</md:Company>
  </md:ContactPerson>
</md:EntityDescriptor>

Any suggestions or help would be greatly appreciated.

Thanks,

John

Ben McCann

Feb 18, 2015, 5:38:19 PM
to jenkins...@googlegroups.com, stefanos...@cern.ch
Hi John,

Someone else recently reported a problem with a URL that they tracked down to a misconfiguration. Are you having the problem described here?

-Ben





Ben McCann

Feb 18, 2015, 5:39:14 PM
to jenkins...@googlegroups.com, stefanos...@cern.ch
Btw, please let me know if you get it working! I'd love to update the docs with regards to anything that may be confusing.

Thanks,
Ben

John Burrows

Feb 19, 2015, 7:46:57 AM
to jenkins...@googlegroups.com, stefanos...@cern.ch
Ben,

This is the error being received within the Jenkins log; any ideas? The configuration in Jenkins is correct for the Jenkins URL.

Thanks,
John

Feb 17, 2015 8:55:53 AM WARNING org.eclipse.jetty.util.log.JavaUtilLog warn
Error while serving http://SERVERNAME.DOMAINNAME.com/securityRealm/finishLogin
java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
	at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:121)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
	at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:211)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:96)
	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:88)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
	at org.eclipse.jetty.server.Server.handle(Server.java:370)
	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
	at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949)
	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011)
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:744)
Caused by: org.pac4j.saml.exceptions.SamlException: Error decoding saml message
	at org.pac4j.saml.sso.Saml2WebSSOProfileHandler.receiveMessage(Saml2WebSSOProfileHandler.java:121)
	at org.pac4j.saml.client.Saml2Client.retrieveCredentials(Saml2Client.java:315)
	at org.pac4j.saml.client.Saml2Client.retrieveCredentials(Saml2Client.java:95)
	at org.pac4j.core.client.BaseClient.getCredentials(BaseClient.java:211)
	at org.jenkinsci.plugins.saml.SamlSecurityRealm.doFinishLogin(SamlSecurityRealm.java:135)
	... 73 more
Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: This message deocoder only supports the HTTP POST method
	at org.opensaml.saml2.binding.decoding.HTTPPostDecoder.doDecode(HTTPPostDecoder.java:83)
	at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:78)
	at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
	at org.pac4j.saml.sso.Saml2WebSSOProfileHandler.receiveMessage(Saml2WebSSOProfileHandler.java:119)
	... 77 more



gregor philp

May 5, 2015, 2:22:53 PM
to jenkins...@googlegroups.com, stefanos...@cern.ch
Hi Ben

I am also having the same issue trying to configure the SAML plugin for use with Okta for Jenkins.
I have the xml data in the plugin configuration and I have the URL set under Jenkins / Configure System but when we try to login via okta we get the message displayed:

"

HTTP ERROR 404

Problem accessing /jenkins/securityRealm/finishLogin. Reason:

    Not Found
"

And in /var/log/jenkins/jenkins.log I see the message:

"May 05, 2015 5:30:04 PM org.pac4j.saml.sso.Saml2WebSSOProfileHandler sendMessage
WARNING: IdP wants authn requests signed, it will perhaps reject your authn requests unless you provide a keystore"

I'm not sure what else to try, and the Okta support we have is also unsure as to why Jenkins is giving us this message.
Can you help with this?

thanks
Gregor
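A metadata sanity check, added here as an example and not code from this thread or from the Jenkins SAML plugin. It reads IdP metadata in the form pasted into the plugin's single configuration field (John's message above) and reports the settings behind the two failures in this thread: the finishLogin decoder that accepts only HTTP-POST (John's trace) and the "IdP wants authn requests signed" warning in Gregor's log. The metadata string is constructed from the placeholder document posted above; the Jenkins root URL and the assumption that plugin v0.3 sends its AuthnRequest with the HTTP-POST binding are mine, not the thread's.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: the placeholder IdP metadata posted in the thread, trimmed.
IDP_METADATA = """<md:EntityDescriptor entityID="ENTITYIDHERE:Saml2:POC" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>CERTIFICATECODE HERE</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://SSOSERVERNAME/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://SSOSERVERNAME/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text, jenkins_root_url):
    """Parse IdP metadata and return the values to cross-check against the IdP's
    SP connection; 'problems' lists settings that would break the Jenkins login."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return {"problems": ["no IDPSSODescriptor: this is not IdP metadata"]}
    problems = []
    # Assumption: plugin v0.3 sends the AuthnRequest with the HTTP-POST binding, so
    # the IdP must publish a POST SingleSignOnService endpoint.
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    if POST not in sso:
        problems.append("IdP metadata has no HTTP-POST SingleSignOnService endpoint")
    # Without the IdP signing certificate the SP cannot verify the Response signature.
    certs = [c.text.strip() for c in idp.iter(f"{{{DS}}}X509Certificate") if c.text and c.text.strip()]
    if not certs:
        problems.append("no signing certificate in IdP metadata")
    # The warning in Gregor's log: signed AuthnRequests need an SP keystore on the Jenkins side.
    wants_signed = idp.get("WantAuthnRequestsSigned", "false").lower() == "true"
    if wants_signed:
        problems.append("IdP wants signed AuthnRequests: provide a keystore or turn it off on the IdP")
    return {
        "entity_id": root.get("entityID"),
        "sso_post_url": sso.get(POST),
        # Where the IdP must post the Response: Jenkins root URL + the plugin's callback.
        "acs_url": jenkins_root_url.rstrip("/") + "/securityRealm/finishLogin",
        # finishLogin decodes only HTTP-POST (John's trace), so the IdP's ACS binding must be POST.
        "acs_binding_required": POST,
        "wants_authn_requests_signed": wants_signed,
        "problems": problems,
    }
```

Compare acs_url and acs_binding_required with what the IdP administrator configured for the SP connection; a Redirect-bound ACS or a root URL without the /jenkins context path reproduces the errors seen in this thread.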

Michal Gubik

Sep 15, 2015, 7:56:36 AM
to Jenkins Users, stefanos...@cern.ch
Hi, 

I just got the plugin working with PingFederate. I will write up a guide and post it here ;)

Michal

Burrows, John

Sep 15, 2015, 10:50:55 AM
to jenkins...@googlegroups.com, stefanos...@cern.ch

Michal,


We were able to get it working with help from Ping Federate tech support; it had to do with settings on the Ping Federated server administration panel. There were some settings in the configuration that were not correct, so even though the generated metadata was correct, the settings on the Ping Federated server were incorrect.


Thanks,

John

 

 

 



S C NG

Oct 15, 2015, 11:03:32 PM
to Jenkins Users, stefanos...@cern.ch
Hi Michal,

Wondering if you could share any guidelines for this case? We have done the PingFederate and Jenkins SAML2 plugin config, but the "javax.servlet.ServletException: org.pac4j.saml.exceptions.SamlException: No valid subject assertion found in response" issue is found after redirecting back to Jenkins' "finishLogin" URL... Tried to check the link at https://github.com/connectifier/jenkins-saml-plugin/issues/4 but was not able to figure out what's wrong with my config. Would like to understand the setup which was working for you.

Thanks in Advance.