[JIRA] (JENKINS-61917) Remove Signature and SigAlg from SAML Request


jonawayneblake@gmail.com (JIRA)

Apr 15, 2020, 11:59:09 AM
to jenkinsc...@googlegroups.com
Jonathan Blake created an issue
Jenkins / Bug JENKINS-61917
Remove Signature and SigAlg from SAML Request
Issue Type: Bug
Assignee: Ivan Fernandez Calvo
Attachments: Screen Shot 2020-04-15 at 11.48.09 AM.png
Components: saml-plugin
Created: 2020-04-15 15:58
Environment: Jenkins 2.230, SAML Plugin 1.1.5, java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64
Labels: plugin
Priority: Major
Reporter: Jonathan Blake

We recently updated our plugin from version 0.14 to 1.1.5 and the upgrade has broken our SAML auth. I've noticed that the SAML request sent by Jenkins now contains a block with a signature at the end, which our IdP team has identified as the root cause of the issue. I've tried toggling plugin settings but there does not seem to be a way to remove the SigAlg and Signature from the request. The only workaround we've found is to downgrade the plugin to 0.14.


jonawayneblake@gmail.com (JIRA)

Apr 15, 2020, 12:04:02 PM
to jenkinsc...@googlegroups.com
Jonathan Blake updated an issue
Change By: Jonathan Blake
We are unable to get the plugin working with any of the 1.X releases, and have been version locked at 0.14. I've noticed that the SAML request sent by Jenkins in the 1.1.5 version now contains a block with a signature at the end, which our IdP team has identified as the root cause of the issue. I've tried toggling plugin settings but there does not seem to be a way to remove the SigAlg and Signature from the request. The only workaround we've found is to downgrade the plugin to 0.14.

Is there a way to remove this block from the request in version 1.1.5?

kuisathaverat@gmail.com (JIRA)

Apr 15, 2020, 12:36:03 PM
to jenkinsc...@googlegroups.com
Ivan Fernandez Calvo closed an issue as Not A Defect
Change By: Ivan Fernandez Calvo
Status: Open -> Closed
Resolution: Not A Defect


jonawayneblake@gmail.com (JIRA)

Apr 15, 2020, 12:55:03 PM
to jenkinsc...@googlegroups.com
Jonathan Blake updated an issue
Change By: Jonathan Blake
The newer versions of the plugin (1.X) have added a SigAlg and Signature to the SAML request that has broken our authentication. There does not appear to be a way to remove this from the request, though the  


We are unable to get the plugin working with any of the 1.X releases, and have been version locked at 0.14. I've noticed that the SAML request sent by Jenkins in the 1.1.5 version now contains a block with a signature at the end, which our IdP team has identified as the root cause of the issue. I've tried toggling plugin settings but there does not seem to be a way to remove the SigAlg and Signature from the request. The only workaround we've found is to downgrade the plugin to 0.14.


Is there a way to remove this block from the request in version 1.1.5?


jonawayneblake@gmail.com (JIRA)

Apr 15, 2020, 1:20:03 PM
to jenkinsc...@googlegroups.com
Jonathan Blake commented on Bug JENKINS-61917
Re: Remove Signature and SigAlg from SAML Request

Ivan Fernandez Calvo thank you. I have submitted it to the Jenkins support channel

jonawayneblake@gmail.com (JIRA)

Apr 15, 2020, 1:23:04 PM
to jenkinsc...@googlegroups.com
Jonathan Blake edited a comment on Bug JENKINS-61917
[~ifernandezcalvo] thank you. I have submitted it to the Jenkins support channel on Gitter. Can you please follow up on this issue there? We've been blocked by this for a few weeks now.

kuisathaverat@gmail.com (JIRA)

Apr 15, 2020, 1:29:02 PM
to jenkinsc...@googlegroups.com

I think that your issue is related to a change in https://github.com/jenkinsci/saml-plugin/releases/tag/saml-1.1.4; you only have to go to the encryption settings and disable the signature.

Auth Request Signature - Enable signature of the Redirect Binding Auth Request. If you enable it, the encryption and signing key would be available in the SP metadata file and URL (JENKINS_URL/securityRealm/metadata).

jonawayneblake@gmail.com (JIRA)

Apr 15, 2020, 1:44:02 PM
to jenkinsc...@googlegroups.com
Jonathan Blake updated an issue
Change By: Jonathan Blake
Attachment: image-2020-04-15-13-43-12-679.png

jonawayneblake@gmail.com (JIRA)

Apr 15, 2020, 1:44:02 PM
to jenkinsc...@googlegroups.com
Jonathan Blake updated an issue
Change By: Jonathan Blake
Attachment: Screen Shot 2020-04-15 at 1.40.40 PM.png

jonawayneblake@gmail.com (JIRA)

Apr 15, 2020, 1:44:03 PM
to jenkinsc...@googlegroups.com
Jonathan Blake commented on Bug JENKINS-61917
Re: Remove Signature and SigAlg from SAML Request

I thought that might be the case but we actually don't have the encryption setting enabled on the plugin. Is there another setting for this?

kuisathaverat@gmail.com (JIRA)

Apr 15, 2020, 2:10:03 PM
to jenkinsc...@googlegroups.com

If you want to force disabling the signature, you have to enable the description settings and keep the Auth Request Signature disabled; by default the signature is sent.

jonawayneblake@gmail.com (JIRA)

Apr 15, 2020, 2:21:03 PM
to jenkinsc...@googlegroups.com
Jonathan Blake updated an issue
Change By: Jonathan Blake
Attachment: Screen Shot 2020-04-15 at 2.18.30 PM.png


jonawayneblake@gmail.com (JIRA)

Apr 15, 2020, 2:22:03 PM
to jenkinsc...@googlegroups.com
Jonathan Blake updated an issue
Change By: Jonathan Blake
Attachment: image-2020-04-15-14-21-15-767.png

jonawayneblake@gmail.com (JIRA)

Apr 15, 2020, 2:24:02 PM
to jenkinsc...@googlegroups.com
Jonathan Blake commented on Bug JENKINS-61917
Re: Remove Signature and SigAlg from SAML Request

Unfortunately even with those settings, it's sending a SigAlg and Signature - that's why I originally logged this as a bug.

Could it be an issue with our Java version?

jonawayneblake@gmail.com (JIRA)

Apr 15, 2020, 2:25:02 PM
to jenkinsc...@googlegroups.com
Jonathan Blake edited a comment on Bug JENKINS-61917

!image-2020-04-15-14-21-15-767.png!

jonawayneblake@gmail.com (JIRA)

Apr 15, 2020, 2:28:03 PM
to jenkinsc...@googlegroups.com
Jonathan Blake edited a comment on Bug JENKINS-61917

!image-2020-04-15-14-21-15-767.png|width=1352,height=502!

kuisathaverat@gmail.com (JIRA)

Apr 15, 2020, 2:51:03 PM
to jenkinsc...@googlegroups.com

Could you attach the IdP metadata (JENKINS_HOME/saml-idp-metadata.xml) and SP metadata (JENKINS_HOME/saml-sp-metadata.xml)? Do not forget to remove IPs and sensitive data.

kuisathaverat@gmail.com (JIRA)

Apr 15, 2020, 2:51:03 PM
to jenkinsc...@googlegroups.com
Also, which IdP do you use?

kuisathaverat@gmail.com (JIRA)

Apr 15, 2020, 2:53:03 PM
to jenkinsc...@googlegroups.com
The main difference between 0.14 and 1.x is the update of the pac4j library, which changed a lot.

jonawayneblake@gmail.com (JIRA)

Apr 15, 2020, 3:09:02 PM
to jenkinsc...@googlegroups.com
Jonathan Blake updated an issue
Change By: Jonathan Blake
Attachment: saml-idp-metadata.xml


jonawayneblake@gmail.com (JIRA)

Apr 15, 2020, 3:09:03 PM
to jenkinsc...@googlegroups.com
Jonathan Blake commented on Bug JENKINS-61917
Re: Remove Signature and SigAlg from SAML Request

Sure thing. I believe our IdP is Siteminder, but it's maintained by another part of our organization.

I'm attaching the metadata xml files with redacted info.

jonawayneblake@gmail.com (JIRA)

Apr 15, 2020, 3:11:03 PM
to jenkinsc...@googlegroups.com
Jonathan Blake updated an issue
Change By: Jonathan Blake
Attachment: saml-idp-metadata.xml
Attachment: saml-sp-metadata.xml

kuisathaverat@gmail.com (JIRA)

Apr 15, 2020, 4:01:03 PM
to jenkinsc...@googlegroups.com
Ivan Fernandez Calvo commented on Bug JENKINS-61917
Re: Remove Signature and SigAlg from SAML Request

The IdP configuration is correct:

IDPSSODescriptor WantAuthnRequestsSigned="false"

does not request a signature, and the SP configuration is also correct:

<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"

also looks correct. Jenkins should not sign the request, and should request the assertion signed. I will reopen the issue and take a look on a test environment.
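The consistency check done by eye above, turned into a script, as an added example that is not code from the saml-plugin or from anyone in this thread. It builds a Redirect Binding URL from a constructed AuthnRequest and reports when the presence of SigAlg/Signature contradicts AuthnRequestsSigned in the SP metadata or WantAuthnRequestsSigned in the IdP metadata; the metadata fragments, the SSO URL and the signature value are all constructed.

```python
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
# Constructed metadata fragments using the attribute values quoted in the thread.
SP_METADATA = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">'
               '<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"/>'
               '</md:EntityDescriptor>')
IDP_METADATA = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">'
                '<md:IDPSSODescriptor WantAuthnRequestsSigned="false"/></md:EntityDescriptor>')
AUTHN_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                 'ID="_constructed" Version="2.0" IssueInstant="2020-04-15T15:58:00Z"/>')

def flag(xml_text, tag, attr):
    """Boolean attribute of the first <md:tag> element; an absent attribute means false."""
    el = ET.fromstring(xml_text).find(f".//{MD}{tag}")
    return el is not None and el.get(attr, "false").lower() == "true"

def redirect_url(sso_url, authn_request_xml, signed):
    """Redirect Binding: SAMLRequest is raw DEFLATE then base64 in the query string.
    A signed request adds SigAlg and Signature; the signature value here is a placeholder."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if signed:
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        params["Signature"] = base64.b64encode(b"constructed-placeholder").decode()
    return sso_url + "?" + urlencode(params)

def decode_request(url):
    """Recover the AuthnRequest XML from a Redirect Binding URL."""
    q = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()

def check(url, sp_xml, idp_xml):
    """Mismatches between what the request carries and what both metadata files declare."""
    q = parse_qs(urlparse(url).query)
    signed = "SigAlg" in q or "Signature" in q
    sp_signs = flag(sp_xml, "SPSSODescriptor", "AuthnRequestsSigned")
    idp_wants = flag(idp_xml, "IDPSSODescriptor", "WantAuthnRequestsSigned")
    findings = []
    if signed and not sp_signs:
        findings.append("request is signed but SP metadata says AuthnRequestsSigned=false")
    if signed and not idp_wants:
        findings.append("request is signed but IdP metadata says WantAuthnRequestsSigned=false")
    if not signed and idp_wants:
        findings.append("IdP metadata wants signed requests but the request is unsigned")
    return findings
```

Run `check()` against the URL your browser is actually redirected to and your real metadata files: two findings is the situation described in this ticket, an empty list means request and metadata agree.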

kuisathaverat@gmail.com (JIRA)

Apr 15, 2020, 4:02:02 PM
to jenkinsc...@googlegroups.com
Ivan Fernandez Calvo reopened an issue
Change By: Ivan Fernandez Calvo
Resolution: Not A Defect
Status: Closed -> Reopened

kuisathaverat@gmail.com (JIRA)

Apr 15, 2020, 4:02:03 PM
to jenkinsc...@googlegroups.com
Status: Reopened -> In Progress

jonawayneblake@gmail.com (JIRA)

Apr 15, 2020, 4:09:03 PM
to jenkinsc...@googlegroups.com
Jonathan Blake commented on Bug JENKINS-61917
Re: Remove Signature and SigAlg from SAML Request

Thank you Ivan Fernandez Calvo, I'll continue to monitor this ticket. Please let me know if there's any other information you need.

kuisathaverat@gmail.com (JIRA)

Apr 19, 2020, 7:39:05 AM
to jenkinsc...@googlegroups.com

I can confirm that the disable signing setting does not work with redirect binding. It is a long history that drove me crazy a long time ago when I updated the library. So in the version of pac4j we use, `forceSignRedirectBindingAuthnRequest` and `authnRequestSigned` do not work as expected. Indeed it is not possible to change the value of authnRequestSigned; I have to extend the class to overwrite the `isAuthnRequestSigned()` method and add a `setAuthnRequestSigned()` method, but this workaround only works with POST binding. It is not possible to upgrade the library again because it uses a newer version of Spring and Jenkins Core uses an old one. So the only solution is to stop using the pac4j library and use the OpenSAML library directly, but this is a reimplementation of the plugin.
I will document it and come back to it when I change the library.

kuisathaverat@gmail.com (JIRA)

Apr 19, 2020, 7:58:02 AM
to jenkinsc...@googlegroups.com
Ivan Fernandez Calvo closed an issue as Postponed
Status: In Progress -> Closed
Resolution: Postponed

jonawayneblake@gmail.com (JIRA)

Apr 20, 2020, 11:40:02 AM
to jenkinsc...@googlegroups.com
Jonathan Blake commented on Bug JENKINS-61917
Re: Remove Signature and SigAlg from SAML Request

Ivan Fernandez Calvo I appreciate you looking into this. What is the timetable for changing the core library? I'm trying to determine if my team should continue with the deprecated version of the plugin or maybe pursue another auth method for the time being.

kuisathaverat@gmail.com (JIRA)

Apr 20, 2020, 1:21:04 PM
to jenkinsc...@googlegroups.com

>I appreciate you looking into this. What is the timetable for changing the core library?

Not soon. I do not have a start date to make it.
