[JIRA] (JENKINS-55809) Missing Logout Url in SAML metadata XML for ADFS


christian.rohr@chrohr-online.de (JIRA)

Jan 28, 2019, 3:25:01 AM
to jenkinsc...@googlegroups.com
Christian Rohr created an issue
 
Jenkins / Bug JENKINS-55809
Missing Logout Url in SAML metadata XML for ADFS
Issue Type: Bug
Assignee: Ivan Fernandez Calvo
Components: saml-plugin
Created: 2019-01-28 08:24
Priority: Major
Reporter: Christian Rohr

I used the Metadata URL for ADFS, which is working very well; only the entry for the SAML Logout page is missing, which is configurable in Jenkins directly. This data is missing in the Metadata XML.

 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

kuisathaverat@gmail.com (JIRA)

Jan 28, 2019, 4:40:02 AM
to jenkinsc...@googlegroups.com
Ivan Fernandez Calvo commented on Bug JENKINS-55809
 
Re: Missing Logout Url in SAML metadata XML for ADFS

Can you attach the JENKINS_HOME/saml-idp-metadata.xml file? You can remove keys and URLs; I want to see the configuration. It should have a `SingleLogoutService` configuration to be able to redirect to someplace, and only the redirect method is supported.

<IDPSSODescriptor>

....

  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://SAML_SERVER/idp"/>
</IDPSSODescriptor>
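
A check an administrator could run over the contents of JENKINS_HOME/saml-idp-metadata.xml for the element requested above. This is an added example, not part of the thread or of the saml-plugin code; the function names and the sample documents are constructed, and the standard SAML 2.0 metadata namespace is assumed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"  # standard SAML 2.0 metadata namespace
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def logout_endpoints(metadata_xml):
    """Return (binding, location) for every SingleLogoutService under an IDPSSODescriptor."""
    # SAML metadata never needs a DTD; refuse it rather than hand it to the parser.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD or entity declaration found in metadata")
    root = ET.fromstring(metadata_xml)
    found = []
    for idp in root.iter("{%s}IDPSSODescriptor" % MD):
        for slo in idp.findall("{%s}SingleLogoutService" % MD):
            found.append((slo.get("Binding"), slo.get("Location")))
    return found

def check_logout(metadata_xml):
    """Return ('ok', url), ('missing', None) or ('no-redirect-binding', None)."""
    endpoints = logout_endpoints(metadata_xml)
    if not endpoints:
        return ("missing", None)
    for binding, location in endpoints:
        # Only the HTTP-Redirect binding is usable, and the target should be HTTPS.
        if binding == REDIRECT and location and location.startswith("https://"):
            return ("ok", location)
    return ("no-redirect-binding", None)

def _sample(inner):
    # Constructed sample metadata; SAML_SERVER is the placeholder host used in the thread.
    return ('<EntityDescriptor xmlns="%s" entityID="https://SAML_SERVER/idp">'
            '<IDPSSODescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:2.0:protocol">%s</IDPSSODescriptor>'
            '</EntityDescriptor>' % (MD, inner))

SSO = '<SingleSignOnService Binding="%s" Location="https://SAML_SERVER/idp"/>' % REDIRECT
SAMPLE_OK = _sample(
    SSO + '<SingleLogoutService Binding="%s" Location="https://SAML_SERVER/idp"/>' % REDIRECT)
SAMPLE_POST_ONLY = _sample(
    SSO + '<SingleLogoutService Binding="%s" Location="https://SAML_SERVER/idp"/>' % POST)
SAMPLE_MISSING = _sample(SSO)

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_POST_ONLY", "SAMPLE_MISSING"):
        print(name, check_logout(globals()[name]))
```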

christian.rohr@chrohr-online.de (JIRA)

Jan 29, 2019, 8:03:02 AM
to jenkinsc...@googlegroups.com
Christian Rohr updated an issue
 
Change By: Christian Rohr
Attachment: saml-idp-metadata.xml

christian.rohr@chrohr-online.de (JIRA)

Jan 29, 2019, 8:03:02 AM
to jenkinsc...@googlegroups.com
Christian Rohr commented on Bug JENKINS-55809
 
Re: Missing Logout Url in SAML metadata XML for ADFS

I uploaded the file; I removed secrets and replaced them by [...]. Thank you in advance.

kuisathaverat@gmail.com (JIRA)

Mar 10, 2019, 6:51:58 AM
to jenkinsc...@googlegroups.com

kuisathaverat@gmail.com (JIRA)

Mar 10, 2019, 6:52:02 AM
to jenkinsc...@googlegroups.com

kuisathaverat@gmail.com (JIRA)

Mar 10, 2019, 6:59:02 AM
to jenkinsc...@googlegroups.com
Ivan Fernandez Calvo commented on New Feature JENKINS-55809
 
Re: Missing Logout Url in SAML metadata XML for ADFS

I reviewed the code and the SingleLogoutService is never loaded from the IdP metadata, it is not implemented, so it is a new feature to implement.

jesse.borden@bordenit.com (JIRA)

May 31, 2019, 9:27:02 AM
to jenkinsc...@googlegroups.com

This would be a great fix to the almost perfect ADFS solution.

jesse.borden@bordenit.com (JIRA)

May 31, 2019, 9:29:01 AM
to jenkinsc...@googlegroups.com
Jesse Borden edited a comment on New Feature JENKINS-55809
This would be a great fix to the almost perfect ADFS solution. Just so it's clear to me, we can't use this plugin to logout from ADFS at all... yet?

jesse.borden@bordenit.com (JIRA)

May 31, 2019, 9:37:02 AM
to jenkinsc...@googlegroups.com
Jesse Borden edited a comment on New Feature JENKINS-55809
This would be a great fix to the almost perfect ADFS solution. Just so it's clear to me, we can't use this plugin to logout from ADFS at all... yet?


MSIS7000: The sign in request is not compliant to the WS-Federation language for web browser clients or the SAML 2.0 protocol WebSSO profile.

jesse.borden@bordenit.com (JIRA)

May 31, 2019, 9:38:01 AM
to jenkinsc...@googlegroups.com
Jesse Borden edited a comment on New Feature JENKINS-55809
This would be a great fix to the almost perfect ADFS solution. Just so it's clear to me, we can't use this plugin to logout from ADFS at all... yet?

*+When Logout button clicked+*

MSIS7000: The sign in request is not compliant to the WS-Federation language for web browser clients or the SAML 2.0 protocol WebSSO profile.

jesse.borden@bordenit.com (JIRA)

May 31, 2019, 9:38:02 AM
to jenkinsc...@googlegroups.com
Jesse Borden edited a comment on New Feature JENKINS-55809
This would be a great fix to the almost perfect ADFS solution. Just so it's clear to me, we can't use this plugin to logout from ADFS at all... yet?

*+When Logout button clicked , ADFS logs +*


MSIS7000: The sign in request is not compliant to the WS-Federation language for web browser clients or the SAML 2.0 protocol WebSSO profile.

jesse.borden@bordenit.com (JIRA)

May 31, 2019, 9:59:01 AM
to jenkinsc...@googlegroups.com
Jesse Borden edited a comment on New Feature JENKINS-55809
!image-2019-05-31-09-57-23-911.png! I can't add screenshots to the ADFS configuration example, but the Jenkins side of it is not very clear. I am attaching screenshots that might improve those instructions here:

[https://github.com/jenkinsci/saml-plugin/blob/master/doc/ADFS_CONFIG.md]

jesse.borden@bordenit.com (JIRA)

May 31, 2019, 10:01:01 AM
to jenkinsc...@googlegroups.com
Jesse Borden edited a comment on New Feature JENKINS-55809
!image-2019-05-31-09-57-23-911.png! I can't add screenshots to the ADFS configuration example, but the Jenkins side of it is not very clear. I am attaching screenshots that might improve those instructions here:

[https://github.com/jenkinsci/saml-plugin/blob/master/doc/ADFS_CONFIG.md]


*Add this to the Jenkins Side, I think some people like me, screw up the Redirect part and set it to post inadvertently*

 

!image-2019-05-31-09-57-23-911.png!

jesse.borden@bordenit.com (JIRA)

May 31, 2019, 10:03:03 AM
to jenkinsc...@googlegroups.com
Jesse Borden edited a comment on New Feature JENKINS-55809
I can't add screenshots to the ADFS configuration example, but the Jenkins side of it is not very clear. I am attaching screenshots that might improve those instructions here:

[https://github.com/jenkinsci/saml-plugin/blob/master/doc/ADFS_CONFIG.md]

*Add this to the Jenkins Side, I think some people like me, screw up the Redirect part and set it to post inadvertently*

 

!image-2019-05-31-09-57-23-911.png!


 

*Add this, or maybe something even prettier, in the Endpoint configuration section*

!image-2019-05-31-10-01-54-291.png!

jesse.borden@bordenit.com (JIRA)

May 31, 2019, 10:04:01 AM
to jenkinsc...@googlegroups.com
Jesse Borden edited a comment on New Feature JENKINS-55809
I can't add screenshots to the ADFS configuration example, but the Jenkins side of it is not very clear. I am attaching screenshots that might improve those instructions here:

[https://github.com/jenkinsci/saml-plugin/blob/master/doc/ADFS_CONFIG.md]

*Add this to the Jenkins Side*

I think some people like me, screw up the Redirect part and set it to post inadvertently, and I reached a blind conclusion that the logout was broken. It's not really.

 

!image-2019-05-31-09-57-23-911.png!

 

*Add this, or maybe something even prettier, in the Endpoint configuration section*

!image-2019-05-31-10-01-54-291.png!

jesse.borden@bordenit.com (JIRA)

May 31, 2019, 10:05:02 AM
to jenkinsc...@googlegroups.com
Jesse Borden edited a comment on New Feature JENKINS-55809
I can't add screenshots to the ADFS configuration example, but the Jenkins side of it is not very clear. I am attaching screenshots that might improve those instructions here:

[https://github.com/jenkinsci/saml-plugin/blob/master/doc/ADFS_CONFIG.md]

*Add this to the Jenkins Side*

I think some people like me, screw up the Redirect part and set it to post inadvertently, and I reached a blind conclusion that the logout was broken. It's not really.

 

!image-2019-05-31-09-57-23-911.png!

 

*Add this to the Windows Server side*

It shows the logout url being mirrored in both the Jenkins and the ADFS configuration.

!image-2019-05-31-10-01-54-291.png!

jesse.borden@bordenit.com (JIRA)

May 31, 2019, 10:06:02 AM
to jenkinsc...@googlegroups.com
Jesse Borden edited a comment on New Feature JENKINS-55809
I can't add screenshots to the ADFS configuration example, but the Jenkins side of it is not very clear. I am attaching screenshots that might improve those instructions here:

[https://github.com/jenkinsci/saml-plugin/blob/master/doc/ADFS_CONFIG.md]

*Add this to the Jenkins Side*

I think some people like me, screw up the Redirect part and set it to post inadvertently, and I reached a blind conclusion that the logout was broken. It's not really.

 


!image-2019-05-31-10-05-18-462.png!

 

 

*Add this to the Windows Server side*

It shows the logout url being mirrored in both the Jenkins and the ADFS configuration.

!image-2019-05-31-10-01-54-291.png!

kuisathaverat@gmail.com (JIRA)

Jun 1, 2019, 7:18:01 AM
to jenkinsc...@googlegroups.com

jesse.borden@bordenit.com (JIRA)

Jun 4, 2019, 12:23:02 PM
to jenkinsc...@googlegroups.com
Jesse Borden updated an issue
 
Change By: Jesse Borden
Attachment: image-2019-06-04-12-22-37-550.png

jesse.borden@bordenit.com (JIRA)

Jun 4, 2019, 12:28:03 PM
to jenkinsc...@googlegroups.com
Jesse Borden commented on New Feature JENKINS-55809
 
Re: Missing Logout Url in SAML metadata XML for ADFS

I guess that wa=wsignout1.0 is only for WS-Federation, so it says it works, but it might be lying, because navigating back to url and even closing the browser and going back sometimes doesn't prompt for re-authentication. I'm trying to see if there is a way to just force authentication every time as a workaround until you fix this. No luck yet, but it does seem to get a new SAML request id.
