SAML X509 and KeyDescriptor tags missing


Scott Zollinger

Oct 29, 2019, 5:19:44 PM
to jenkins...@googlegroups.com
Hello,

I just did an update of the SAML plugin from version 1.12 to 1.14. After updating, I noticed that the KeyDescriptor tags as well as the x509 Certificate stored in saml-sp-metadata.xml were removed. Is there a new place to find the x509 Certificate information? It's something needed on our system to sign the SAML response.

-- 
Thanks,
Scott Zollinger

Ivan Fernandez Calvo

Oct 30, 2019, 3:30:17 PM
to Jenkins Users
You have to enable the Auth Request Signature setting in the encryption settings. Also, keep in mind that if you do not configure a keystore with a certificate, you are using an auto-generated certificate that is valid for a year.

Auth Request Signature - Enables signing of the Redirect Binding Auth Request. If you enable it, the encryption and signing key will be available in the SP metadata file and URL (JENKINS_URL/securityRealm/metadata).

Encryption - If your provider requires encryption or signing, you can specify the keystore details here that should be used. If you do not specify a keystore, the plugin will create one with a key that is valid for a year; this key is recreated when it expires. By default the key is not exposed in the SP metadata if you do not enable signing.
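The two things this reply leaves an administrator to verify by hand are whether the SP metadata actually carries the KeyDescriptor/X509Certificate entries the IdP needs, and how close the (possibly auto-generated, one-year) certificate is to expiry. Below is an added example of such a check, written for this thread and not taken from the Jenkins SAML plugin or the metadata it produces. It uses only the Python standard library, reading notBefore/notAfter straight out of the certificate's DER structure. The element names come from the SAML 2.0 metadata and XML-DSig namespaces; the sample metadata, the hypothetical entityID and the unsigned certificate skeleton used for offline runs are constructed for the example, and `sample_metadata()` with no certificate reproduces the "tags missing" situation from the first message. Run it against a real file with `check_sp_metadata(open("saml-sp-metadata.xml").read())`.

```python
"""Added example (not the Jenkins SAML plugin's own code): inspect SP metadata such as
saml-sp-metadata.xml, confirm KeyDescriptor/X509Certificate entries are present, and
report how long the embedded certificate stays valid, using the standard library only."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):                        # (tag, value) for each TLV inside a SEQUENCE
    pos = 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        yield tag, val

def _time(tag, val):                        # 0x17 UTCTime YYMMDD..., 0x18 GeneralizedTime YYYYMMDD...
    s = val.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])                     # RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    _, tbs, _ = _tlv(cert, 0)               # TBSCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    validity = fields[3][1]                 # serial, signature, issuer, validity, subject, ...
    not_before, not_after = [_time(t, v) for t, v in _children(validity)]
    return not_before, not_after

def check_sp_metadata(xml_text, now=None, warn_days=30):
    """Report which KeyDescriptor uses are present and when their certificate expires."""
    now = now or dt.datetime.now(dt.timezone.utc)
    report = {"signing": None, "encryption": None, "warnings": []}
    for kd in ET.fromstring(xml_text).iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use")                 # no 'use' attribute means signing and encryption
        cert_el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert_el is None or not (cert_el.text or "").strip():
            report["warnings"].append(f"KeyDescriptor use={use!r} carries no X509Certificate")
            continue
        not_before, not_after = cert_validity(base64.b64decode("".join(cert_el.text.split())))
        days_left = (not_after - now).days
        for u in ([use] if use else ["signing", "encryption"]):
            report[u] = {"not_before": not_before, "not_after": not_after, "days_left": days_left}
            if days_left < warn_days:
                report["warnings"].append(f"{u} certificate expires in {days_left} days ({not_after:%Y-%m-%d})")
    for u in ("signing", "encryption"):
        if report[u] is None:
            report["warnings"].append(f"no KeyDescriptor for use={u!r}; check the plugin's Auth Request "
                                      "Signature and Encryption keystore settings")
    return report

# ---- constructed sample data for running offline (not real Jenkins output) ----
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def placeholder_cert(not_before, not_after):
    """Unsigned certificate skeleton with the real TBSCertificate field order (hypothetical data)."""
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    empty_name, empty_bits = _der(0x30, b""), _der(0x03, b"\x00")
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + empty_name
               + _der(0x30, utc(not_before) + utc(not_after)) + empty_name + _der(0x30, alg + empty_bits))
    return _der(0x30, tbs + alg + empty_bits)

def sample_metadata(cert_der=None):
    """SAML 2.0 SP metadata skeleton; cert_der=None omits the KeyDescriptors, as the thread describes."""
    kds = ""
    if cert_der:
        b64 = base64.b64encode(cert_der).decode()
        kds = "".join(f'<md:KeyDescriptor use="{u}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}'
                      '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
                      for u in ("signing", "encryption"))
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="https://jenkins.example/">'
            f'<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">{kds}'
            '</md:SPSSODescriptor></md:EntityDescriptor>')

def demo_report(days_until_expiry, now=None):
    """Metadata whose certificate was issued 345 days ago and expires in N days, then checked."""
    now = (now or dt.datetime.now(dt.timezone.utc)).replace(microsecond=0)
    cert = placeholder_cert(now - dt.timedelta(days=345), now + dt.timedelta(days=days_until_expiry))
    return check_sp_metadata(sample_metadata(cert), now=now)

if __name__ == "__main__":
    for r in (demo_report(200), demo_report(20), check_sp_metadata(sample_metadata())):
        print(r["warnings"] or ["ok: signing and encryption certificates present, not near expiry"])
```

Because the plugin's default key is only valid for a year and is silently regenerated, the `warn_days` threshold is the useful knob: run this from a scheduled job and the IdP-side copy of the certificate can be rotated before the SP starts signing with a key the IdP has never seen.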

Scott Zollinger

Oct 31, 2019, 6:52:07 PM
to jenkins...@googlegroups.com
Thanks for the information Ivan. That year timeline is something we didn't know about. Could you expand on the keystore information? It was really sparse in the documentation. The main part I want to know about is the private key alias, but expanding on all the fields would be helpful.

Ivan Fernandez Calvo

Nov 1, 2019, 1:15:34 PM
to Jenkins Users
You have details of each field in the inline help in the UI; in the encryption inline help you have all the details:

https://github.com/jenkinsci/saml-plugin/blob/master/src/main/webapp/help/encryption.html

Scott Zollinger

Nov 1, 2019, 5:25:56 PM
to jenkins...@googlegroups.com
That link is what I needed. This will help me work out a longer signing than the 1 year. Thanks for your help.
