Problems with saml-plugin


Marcin Szymański

Jan 28, 2020, 5:42:42 AM
to Jenkins Users
Hello,

I have a problem with the SAML plugin, which doesn't work.
I tried to connect Keycloak with Jenkins, using the SAML plugin.
Login works as expected, I can log in using Keycloak SSO credentials,
but we got a problem with Logout - the error said "Invalid Request" (see screenshot).
We tried with SAML plugin version 1.1.2 and 1.1.4.


This is the page that Jenkins redirects us to after clicking on "logout":
https://<link>/keycloak/auth/realms/idesuite/protocol/saml/

I believe I have properly configured the realm section for Jenkins in the Keycloak app, because login works OK.
I cannot find a proper solution on Google, I only found that a few people had the same problem with Logout.


If you need more information, configuration, etc., don't hesitate to write me back.
Thank you for your time.
screen.jpg

Ivan Fernandez Calvo

Jan 28, 2020, 6:37:02 PM
to Jenkins Users
Hi,

Could you check in your IdP metadata the values you have in the SingleLogoutService tag? There should be a URL that is the logout service:
https://github.com/jenkinsci/saml-plugin/blob/master/doc/TROUBLESHOOTING.md#idp-metadata

If for some reason this section is not there, you can force the logout URL by setting the Logout URL, see https://github.com/jenkinsci/saml-plugin/blob/master/doc/CONFIGURE.md#configuring-plugin-settings


Marcin Szymański

Jan 30, 2020, 6:03:26 AM
to Jenkins Users

Hi Ivan,


Thanks for the reply.

This is what my SingleLogoutService section in the IdP metadata looks like:
 <SingleLogoutService Location="https://<secretlink>/keycloak/auth/realms/idesuite/protocol/saml" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>

I also tried setting the Logout URL in Jenkins - same results :/

My settings from Keycloak:
Login Service Redirect Binding URL - https://<link_to_jenkins>/securityRealm/finishLogin

Ivan Fernandez Calvo

Jan 30, 2020, 10:42:26 AM
to Jenkins Users
The error you show comes from the IdP. Jenkins only makes an HTTP redirection to the URL that is in the configuration; for some reason your IdP says that the request is incorrect. My guess is that your IdP does not implement this logout service by HTTP-Redirect, or it needs some parameters in the request; because of that it returns an invalid request (probably an HTTP error code 400). So you have to contact your IdP and ensure that they implement the SingleLogoutService at that URL and that they support `SAML:2.0:bindings:HTTP-Redirect` without any parameter in the URL.
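
The metadata check discussed in the posts above, as an added example that is not part of the original thread or of the saml-plugin code: it lists the SingleLogoutService endpoints an IdP advertises and reports a missing HTTP-Redirect binding or a non-HTTPS Location. The sample metadata is constructed, and `idp.example.test`, `logout_endpoints` and `check_logout` are names assumed for the illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata; idp.example.test is a placeholder host.
SAMPLE_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://idp.example.test/keycloak/auth/realms/idesuite">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/keycloak/auth/realms/idesuite/protocol/saml"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def logout_endpoints(metadata_xml):
    """Return (binding, location) for each SingleLogoutService the IdP advertises."""
    if "<!DOCTYPE" in metadata_xml:
        # Metadata never needs a DTD; refusing it avoids entity-expansion tricks.
        raise ValueError("metadata contains a DOCTYPE")
    root = ET.fromstring(metadata_xml)
    path = f".//{MD}IDPSSODescriptor/{MD}SingleLogoutService"
    return [(e.get("Binding"), e.get("Location")) for e in root.findall(path)]


def check_logout(metadata_xml):
    """Return a list of findings; an empty list means a usable endpoint is advertised."""
    endpoints = logout_endpoints(metadata_xml)
    if not endpoints:
        return ["no SingleLogoutService in IdP metadata; a Logout URL must be set by hand"]
    redirect = [loc for binding, loc in endpoints if binding == REDIRECT]
    if not redirect:
        offered = ", ".join(sorted({b or "?" for b, _ in endpoints}))
        return [f"SingleLogoutService has no HTTP-Redirect binding (offers: {offered})"]
    findings = []
    for loc in redirect:
        url = urlparse(loc or "")
        if url.scheme != "https" or not url.netloc:
            findings.append(f"logout Location is not an absolute https URL: {loc!r}")
    return findings


if __name__ == "__main__":
    print(logout_endpoints(SAMPLE_METADATA))
    print(check_logout(SAMPLE_METADATA) or "HTTP-Redirect logout endpoint advertised")
```

An empty result only shows that the endpoint is advertised; the SAML HTTP-Redirect binding carries the logout message in a `SAMLRequest` query parameter, so an IdP can still answer a parameterless redirect with an error like the one in this thread.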

Ivan Fernandez Calvo

Jan 30, 2020, 10:47:59 AM
to Jenkins Users
As a workaround, you can set the logout URL to "http://YOUR_JENKINS_URL/securityRealm/finishLogin"; this will invalidate the HTTP session for Jenkins but not the SAML token.

Ivan Fernandez Calvo

Jan 30, 2020, 10:55:30 AM
to Jenkins Users
Wrong URL, the good one is https://YOUR_JENKINS_URL/logout