[JIRA] (JENKINS-50749) SAMLException: No valid subject assertion found in response (Azure)


daniel.watrous@trinet.com (JIRA)

Apr 11, 2018, 3:06:02 PM
to jenkinsc...@googlegroups.com
Daniel Watrous created an issue

Jenkins / Bug JENKINS-50749
SAMLException: No valid subject assertion found in response (Azure)
Issue Type: Bug
Assignee: Ivan Fernandez Calvo
Attachments: saml-logs.txt
Components: saml-plugin
Created: 2018-04-11 19:05
Environment: Docker image jenkins/jenkins:2.107.1 (similar behavior in previous tagged versions too) deployed on Kubernetes. SAML Plugin 1.0.5
Labels: jenkins SAML SAMLException
Priority: Minor
Reporter: Daniel Watrous

I have used the saml-plugin to integrate our login with Azure Active Directory. This works most of the time, but sometimes (a few times a month) I get redirected to /securityRealm/finishLogin and I see the stacktrace shown below.

I have attached logs to this ticket for org.pac4j.saml.

I have followed this ticket, https://issues.jenkins-ci.org/browse/JENKINS-44992. My configuration includes the IdP metadata URL and a Refresh Period of 120. I have extended my Maximum Authentication Lifetime to 1209600, which seems to make this happen less often.

Sometimes I can work around this by logging out of Office 365 and then visiting the site. Many users in my org have just resorted to opening Jenkins in incognito mode.

Stack trace shown at /securityRealm/finishLogin:

org.pac4j.saml.exceptions.SAMLException: No valid subject assertion found in response
	at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSamlSSOResponse(SAML2DefaultResponseValidator.java:313)
	at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validate(SAML2DefaultResponseValidator.java:138)
	at org.pac4j.saml.sso.impl.SAML2WebSSOMessageReceiver.receiveMessage(SAML2WebSSOMessageReceiver.java:77)
	at org.pac4j.saml.sso.impl.SAML2WebSSOProfileHandler.receive(SAML2WebSSOProfileHandler.java:35)
	at org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:225)
	at org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:60)
	at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:106)
	at org.jenkinsci.plugins.saml.SamlProfileWrapper.process(SamlProfileWrapper.java:53)
	at org.jenkinsci.plugins.saml.SamlProfileWrapper.process(SamlProfileWrapper.java:33)
	at org.jenkinsci.plugins.saml.OpenSAMLWrapper.get(OpenSAMLWrapper.java:65)
	at org.jenkinsci.plugins.saml.SamlSecurityRealm.doFinishLogin(SamlSecurityRealm.java:263)
	at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
	at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77)
	at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
	at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
Caused: javax.servlet.ServletException
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:765)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
	at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:209)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
	at org.jenkinsci.plugins.saml.SamlCrumbExclusion.process(SamlCrumbExclusion.java:28)
	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:73)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
	at org.eclipse.jetty.server.Server.handle(Server.java:564)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:317)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)

This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)

ifernandezcalvo@cloudbees.com (JIRA)

Apr 12, 2018, 6:07:03 AM
to jenkinsc...@googlegroups.com
Ivan Fernandez Calvo commented on Bug JENKINS-50749

Re: SAMLException: No valid subject assertion found in response (Azure)

Thank you so much. I was looking for this issue for months, and now I have the SAMLResponse to figure out what happens. I plan to resolve those kinds of errors by invalidating the session and redirecting to the login page again (JENKINS-50004); for the moment the workaround is to enable "advanced/force auth".

I'll dig deeper into the response to see why it is not valid.

<samlp:Response
  ID="_65521826-71ff-42fc-93ba-9a9958370ba6"
  Version="2.0"
  IssueInstant="2018-04-11T18:48:42.429Z"
  Destination="https://jenkins.example.com/securityRealm/finishLogin"
  InResponseTo="_mcjoipte7kavyngvhqwbfzla9pp4kxb9b2s35v4"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/67b039ac-f578-42c6-9b5b-aa1b5bb0388f/</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <Assertion ID="_857608cf-646d-4ba0-9968-0e2a37b4b2f8" IssueInstant="2018-04-11T18:48:42.398Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>https://sts.windows.net/67b039ac-f578-42c6-9b5b-aa1b5bb0388f/</Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <Reference URI="#_857608cf-646d-4ba0-9968-0e2a37b4b2f8">
          <Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <DigestValue>...</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>...</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>...</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">USER</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_mcjoipte7kavyngvhqwbfzla9pp4kxb9b2s35v4" NotOnOrAfter="2018-04-11T18:53:42.398Z" Recipient="https://jenkins.example.com/securityRealm/finishLogin"/></SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2018-04-11T18:43:42.398Z" NotOnOrAfter="2018-04-11T19:43:42.398Z">
      <AudienceRestriction>
        <Audience>https://jenkins.example.com/securityRealm/finishLogin</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <AttributeValue>67b039ac-f578-42c6-9b5b-aa1b5bb0388f</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
        <AttributeValue>83b0ac03-c7a4-46cc-90ac-143990d0a9eb</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <AttributeValue>Daniel Watrous</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
        <AttributeValue>https://sts.windows.net/67b039ac-f578-42c6-9b5b-aa1b5bb0388f/</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
        <AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AttributeValue>
        <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <AttributeValue>Daniel</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <AttributeValue>Watrous</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <AttributeValue>daniel....@Trinet.com</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <AttributeValue>daniel....@trinet.com</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2018-03-28T17:41:00.065Z" SessionIndex="_857608cf-646d-4ba0-9968-0e2a37b4b2f8">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
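The reporter's Maximum Authentication Lifetime of 1209600 seconds and the AuthnInstant in the response above (2018-03-28, fourteen days before the response's IssueInstant of 2018-04-11) can be checked against each other directly. The script below is an editor's added example, not code from the saml-plugin or from pac4j: it re-implements the usual service-provider checks on a bearer assertion independently (Conditions window, SubjectConfirmationData expiry, InResponseTo and Recipient, Audience, and the age of AuthnInstant against a maximum authentication lifetime in seconds) and runs them over a trimmed copy of the posted response, with the Signature and AttributeStatement left out because they play no part in these checks. Evaluated at the response's own IssueInstant, every check passes except the AuthnInstant age, which is 1213662 s, just over the 1209600 s the reporter configured; that reading of the failure is the editor's, consistent with the reporter's observation that a longer lifetime made the error rarer and with force-auth (a fresh AuthnInstant) working around it.

```python
"""Re-check the SAMLResponse quoted in the ticket against the usual SP-side
bearer-assertion rules.

Editor's added example, not code from the saml-plugin or from pac4j. The
checks are re-implemented independently so the reader can see which one the
posted response fails for a given maximum authentication lifetime.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values taken from the response posted in the ticket.
REQUEST_ID = "_mcjoipte7kavyngvhqwbfzla9pp4kxb9b2s35v4"
ACS_URL = "https://jenkins.example.com/securityRealm/finishLogin"

# Trimmed copy of the posted response: Signature and AttributeStatement are
# omitted because the checks below do not use them; NameID stays redacted.
SAML_RESPONSE = """<samlp:Response ID="_65521826-71ff-42fc-93ba-9a9958370ba6" Version="2.0"
  IssueInstant="2018-04-11T18:48:42.429Z"
  Destination="https://jenkins.example.com/securityRealm/finishLogin"
  InResponseTo="_mcjoipte7kavyngvhqwbfzla9pp4kxb9b2s35v4"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/67b039ac-f578-42c6-9b5b-aa1b5bb0388f/</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <Assertion ID="_857608cf-646d-4ba0-9968-0e2a37b4b2f8" IssueInstant="2018-04-11T18:48:42.398Z"
    Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>https://sts.windows.net/67b039ac-f578-42c6-9b5b-aa1b5bb0388f/</Issuer>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">USER</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_mcjoipte7kavyngvhqwbfzla9pp4kxb9b2s35v4"
          NotOnOrAfter="2018-04-11T18:53:42.398Z"
          Recipient="https://jenkins.example.com/securityRealm/finishLogin"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2018-04-11T18:43:42.398Z" NotOnOrAfter="2018-04-11T19:43:42.398Z">
      <AudienceRestriction>
        <Audience>https://jenkins.example.com/securityRealm/finishLogin</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2018-03-28T17:41:00.065Z" SessionIndex="_857608cf-646d-4ba0-9968-0e2a37b4b2f8">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>"""


def parse_instant(value):
    """Parse a SAML xs:dateTime with fractional seconds, e.g. 2018-04-11T18:48:42.429Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


RESPONSE_ISSUE_INSTANT = parse_instant("2018-04-11T18:48:42.429Z")


def check_assertion(xml_text, now, expected_request_id, acs_url, sp_entity_id, max_authn_lifetime):
    """Validate the first assertion; return the list of failed checks (empty list = accepted).

    `now` is passed in rather than read from the clock so results are reproducible.
    `max_authn_lifetime` is in seconds, like the plugin's Maximum Authentication Lifetime.
    """
    root = ET.fromstring(xml_text)
    failures = []

    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != "urn:oasis:names:tc:SAML:2.0:status:Success":
        failures.append(f"status {status}")

    assertion = root.find("saml:Assertion", NS)

    # Conditions: validity window and the audience the assertion was issued for.
    cond = assertion.find("saml:Conditions", NS)
    if now < parse_instant(cond.get("NotBefore")):
        failures.append("Conditions NotBefore is in the future")
    if now >= parse_instant(cond.get("NotOnOrAfter")):
        failures.append("Conditions NotOnOrAfter has passed")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        failures.append("Audience does not name this SP")

    # Bearer confirmation: short replay window, bound to our request and our ACS URL.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if now >= parse_instant(scd.get("NotOnOrAfter")):
        failures.append("SubjectConfirmationData NotOnOrAfter has passed")
    if scd.get("InResponseTo") != expected_request_id:
        failures.append("InResponseTo does not match the AuthnRequest we sent")
    if scd.get("Recipient") != acs_url:
        failures.append("Recipient is not our ACS URL")

    # Authentication freshness: how long ago the IdP actually authenticated the user.
    authn = assertion.find("saml:AuthnStatement", NS)
    age = (now - parse_instant(authn.get("AuthnInstant"))).total_seconds()
    if age > max_authn_lifetime:
        failures.append(f"AuthnInstant is {age:.0f}s old, exceeds max lifetime {max_authn_lifetime}s")
    return failures


if __name__ == "__main__":
    # Evaluate at the response's own IssueInstant with three lifetimes: one hour,
    # the reporter's 1209600 s (exactly 14 days), and a larger value that accepts it.
    for lifetime in (3600, 1209600, 1300000):
        result = check_assertion(SAML_RESPONSE, RESPONSE_ISSUE_INSTANT, REQUEST_ID, ACS_URL, ACS_URL, lifetime)
        print(f"max_authn_lifetime={lifetime}: {result or 'assertion accepted'}")
```

The Audience in the posted response is the finishLogin URL itself, so the example passes ACS_URL as the SP entity ID as well; a deployment whose entity ID differs from its ACS URL would pass the two separately. Passing `now` explicitly also makes the second failure mode easy to reproduce: evaluate the same response a few minutes later and the five-minute SubjectConfirmationData window has already closed, which is the replay protection a bearer assertion relies on.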

daniel.watrous@trinet.com (JIRA)

Apr 12, 2018, 8:39:02 AM
to jenkinsc...@googlegroups.com

Ivan, I'm glad this was helpful. I was in the process of transitioning to https://plugins.jenkins.io/azure-ad as an alternative to this plugin, but depending on your timeline for submitting a fix, I'm willing to hold off on my transition and help you test any changes. 

I'm also willing to help with the fix if you give me some pointers about where to start looking in the code.

teoman.sevinc@softtech.com.tr (JIRA)

Apr 13, 2018, 4:57:02 AM
to jenkinsc...@googlegroups.com

I have the same issue with Docker image jenkins/jenkins:2.116 (similar behavior in previous tagged versions too) deployed on Kubernetes, SAML Plugin 1.0.5, in an environment on Google Cloud.

apowell@llbean.com (JIRA)

Jun 13, 2018, 8:31:01 AM
to jenkinsc...@googlegroups.com

We are experiencing the same issue, but it is on every login. jenkins/jenkins:2.127, SAML Plugin 1.0.4, running in a pod in GKE on Google Cloud.

We did not have this on jenkins/jenkins 2.95.

This is classified as minor; does anyone know when a fix would be ready?

daniel.watrous@trinet.com (JIRA)

Jun 13, 2018, 9:06:02 AM
to jenkinsc...@googlegroups.com

Andy Powell I'm not sure if you're also using Azure AD, but I moved my Jenkins hosts to https://wiki.jenkins.io/display/JENKINS/Azure+AD+Plugin and I haven't had another problem. That other plugin uses OAuth instead of SAML.

ifernandezcalvo@cloudbees.com (JIRA)

Jun 13, 2018, 10:13:02 AM
to jenkinsc...@googlegroups.com

A workaround exists if you enable Force auth. In any case, I hope the next version resolves all these kinds of issues; I will release it in a week or so.

ifernandezcalvo@cloudbees.com (JIRA)

Jun 13, 2018, 10:42:02 AM
to jenkinsc...@googlegroups.com
Ivan Fernandez Calvo closed an issue as Fixed

released on SAML Plugin 1.0.6

Change By: Ivan Fernandez Calvo
Status: Open → Closed
Resolution: Fixed