Hi,

Without the JENKINS_HOME/saml-idp-metadata.xml and 
JENKINS_HOME/saml-sp-metadata.xml files, I cannot check your 
configuration. I recommend that you enable verbose logging (see 
https://github.com/jenkinsci/saml-plugin/blob/master/doc/TROUBLESHOOTING.md#troubleshooting)
and check what the SAMLResponse message looks like. Could you attach this 
info? Do not forget to replace sensitive data (URLs, keys, certificates).

> I've tried the configuration both with and without Encryption 
> Configuration enabled as well.  

I am not sure if you are talking about the Jenkins plugin configuration or 
the Azure SAML service. Jenkins does not manage those settings; it only provides 
an autogenerated certificate to use, or a custom certificate (Encryption 
settings). IdPs (Azure) usually have an option to disable signature and 
encryption; I don't know if Azure has these options. 

Did you import the certificate in JENKINS_HOME/saml-sp-metadata.xml into 
the Azure configuration? See 
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications#review-certificate-expiration-data-status-and-email-notification
and
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on

On Tuesday, May 21, 2019, 13:24:08 (UTC+2), lesterp wrote:
>
> Hello - 
>
>
> We are having issues when configuring the SAML plugin for Azure AD and 
> hoping someone can shed some light.  After following the config guide 
> <https://github.com/jenkinsci/saml-plugin/blob/master/doc/CONFIGURE_AZURE.md>, 
> I'm able to log in via Azure AD/SSO, but then am immediately logged out.
>
>
> I'm seeing the below error in the Jenkins logs.  
>
>
> I've tried the configuration both with and without Encryption 
> Configuration enabled as well.  When enabled, I followed the instructions 
> in the help dialog to generate a new keystore and referenced that keystore 
> in the config successfully.  Still getting the same behavior, either way.
>
>  
>
> Log snippet with exception:
> jenkins_1      | May 20, 2019 5:30:35 PM 
> org.opensaml.core.config.InitializationService initialize
> jenkins_1      | INFO: Initializing OpenSAML using the Java Services API
> jenkins_1      | May 20, 2019 5:30:36 PM 
> org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver <init>
> jenkins_1      | INFO: Using SP entity ID 
> https://jenkins-dev.mycompany.com
> jenkins_1      | May 20, 2019 5:30:36 PM 
> org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver resolve
> jenkins_1      | INFO: Writing sp metadata to 
> /var/jenkins_home/saml-sp-metadata.xml
> jenkins_1      | May 20, 2019 5:30:36 PM 
> org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver resolve
> jenkins_1      | INFO: Attempting to create directory structure for 
> /var/jenkins_home
> jenkins_1      | May 20, 2019 5:30:36 PM 
> org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver resolve
> jenkins_1      | WARNING: Could not construct the directory structure for 
> SP metadata /var/jenkins_home/saml-sp-metadata.xml
> jenkins_1      | May 20, 2019 5:30:36 PM 
> org.apache.xml.security.signature.XMLSignature checkSignatureValue
> jenkins_1      | WARNING: Signature verification failed.
> jenkins_1      | May 20, 2019 5:30:36 PM 
> org.apache.xml.security.signature.XMLSignature checkSignatureValue
> jenkins_1      | WARNING: Signature verification failed.
> jenkins_1      | May 20, 2019 5:30:36 PM 
> org.apache.xml.security.signature.XMLSignature checkSignatureValue
> jenkins_1      | WARNING: Signature verification failed.
> jenkins_1      | May 20, 2019 5:30:36 PM 
> org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator 
> validateSamlSSOResponse
> jenkins_1      | SEVERE: Current assertion validation failed, continue 
> with the next one
> jenkins_1      | org.pac4j.saml.exceptions.SAMLException: Signature is not 
> trusted
> jenkins_1      | at 
> org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSignature(SAML2DefaultResponseValidator.java:689)
> jenkins_1      | at 
> org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateAssertionSignature(SAML2DefaultResponseValidator.java:644)
> jenkins_1      | at 
> org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateAssertion(SAML2DefaultResponseValidator.java:395)
> jenkins_1      | at 
> org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSamlSSOResponse(SAML2DefaultResponseValidator.java:302)
> jenkins_1      | at 
> org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validate(SAML2DefaultResponseValidator.java:138)
> jenkins_1      | at 
> org.pac4j.saml.sso.impl.SAML2WebSSOMessageReceiver.receiveMessage(SAML2WebSSOMessageReceiver.java:77)
> jenkins_1      | at 
> org.pac4j.saml.sso.impl.SAML2WebSSOProfileHandler.receive(SAML2WebSSOProfileHandler.java:35)
> jenkins_1      | at 
> org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:225)
> jenkins_1      | at 
> org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:60)
> jenkins_1      | at 
> org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:106)
> jenkins_1      | at 
> org.jenkinsci.plugins.saml.SamlProfileWrapper.process(SamlProfileWrapper.java:55)
> jenkins_1      | at 
> org.jenkinsci.plugins.saml.SamlProfileWrapper.process(SamlProfileWrapper.java:35)
> jenkins_1      | at 
> org.jenkinsci.plugins.saml.OpenSAMLWrapper.get(OpenSAMLWrapper.java:64)
> jenkins_1      | at 
> org.jenkinsci.plugins.saml.SamlSecurityRealm.doFinishLogin(SamlSecurityRealm.java:312)
> jenkins_1      | at 
> java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
> jenkins_1      | at 
> org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
> jenkins_1      | at 
> org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
> jenkins_1      | at 
> org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77)
> jenkins_1      | at 
> org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
> jenkins_1      | at 
> org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
> jenkins_1      | at 
> org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
> jenkins_1      | at 
> org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:537)
> jenkins_1      | at 
> org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
> jenkins_1      | at 
> org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:739)
> jenkins_1      | at org.kohsuke.stapler.Stapler.invoke(Stapler.java:870)
> jenkins_1      | at 
> org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:221)
> jenkins_1      | at 
> org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
> jenkins_1      | at 
> org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:739)
> jenkins_1      | at org.kohsuke.stapler.Stapler.invoke(Stapler.java:870)
> jenkins_1      | at org.kohsuke.stapler.Stapler.invoke(Stapler.java:668)
> jenkins_1      | at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
> jenkins_1      | at 
> javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> jenkins_1      | at 
> org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)
> jenkins_1      | at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)
> jenkins_1      | at 
> hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
> jenkins_1      | at 
> org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:243)
> jenkins_1      | at 
> hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
> jenkins_1      | at 
> io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
> jenkins_1      | at 
> hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
> jenkins_1      | at 
> io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:61)
> jenkins_1      | at 
> hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
> jenkins_1      | at 
> jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128)
> jenkins_1      | at 
> hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
> jenkins_1      | at 
> hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
> jenkins_1      | at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> jenkins_1      | at 
> hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:64)
> jenkins_1      | at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> jenkins_1      | at 
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
> jenkins_1      | at 
> hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
> jenkins_1      | at 
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
> jenkins_1      | at 
> jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
> jenkins_1      | at 
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
> jenkins_1      | at 
> org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
> jenkins_1      | at 
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
> jenkins_1      | at 
> org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
> jenkins_1      | at 
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
> jenkins_1      | at 
> org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
> jenkins_1      | at 
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
> jenkins_1      | at 
> jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
> jenkins_1      | at 
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
> jenkins_1      | at 
> org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
> jenkins_1      | at 
> hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
> jenkins_1      | at 
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
> jenkins_1      | at 
> hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
> jenkins_1      | at 
> hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
> jenkins_1      | at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> jenkins_1      | at 
> org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
> jenkins_1      | at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> jenkins_1      | at 
> hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
> jenkins_1      | at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> jenkins_1      | at 
> org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
> jenkins_1      | at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> jenkins_1      | at 
> org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
> jenkins_1      | at 
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
> jenkins_1      | at 
> org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
> jenkins_1      | at 
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
> jenkins_1      | at 
> org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
> jenkins_1      | at 
> org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
> jenkins_1      | at 
> org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
> jenkins_1      | at 
> org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1340)
> jenkins_1      | at 
> org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
> jenkins_1      | at 
> org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
> jenkins_1      | at 
> org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
> jenkins_1      | at 
> org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
> jenkins_1      | at 
> org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1242)
> jenkins_1      | at 
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
> jenkins_1      | at 
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
> jenkins_1      | at 
> org.eclipse.jetty.server.Server.handle(Server.java:503)
> jenkins_1      | at 
> org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
> jenkins_1      | at 
> org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
> jenkins_1      | at 
> org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
> jenkins_1      | at 
> org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
> jenkins_1      | at 
> org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
> jenkins_1      | at 
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
> jenkins_1      | at 
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
> jenkins_1      | at 
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
> jenkins_1      | at 
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
> jenkins_1      | at 
> org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
> jenkins_1      | at 
> org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
> jenkins_1      | at 
> org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
> jenkins_1      | at java.lang.Thread.run(Thread.java:748)
> jenkins_1      |
> jenkins_1      | May 20, 2019 5:30:36 PM 
> org.jenkinsci.plugins.saml.SamlSecurityRealm doFinishLogin
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/5bdde95a-f466-4c4c-a0ff-60dca27bcbf0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
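Added example, not part of the thread or of the Jenkins SAML plugin: a standard-library Python check that can be run on the two artefacts the reply asks for, the stored IdP metadata (JENKINS_HOME/saml-idp-metadata.xml) and a base64 SAMLResponse copied from the verbose log. pac4j validates each XML signature against the signing keys published in the IdP metadata, so the script extracts the SHA-256 fingerprint of every signing certificate in the metadata and of every certificate embedded in the response's ds:Signature/ds:KeyInfo, and reports which signatures are backed by a certificate the SP actually trusts. The entity IDs, the two certificates (placeholder bytes standing in for DER certificates) and the sample response are constructed for the example.

```python
"""Compare the certificate that signed a SAMLResponse with the signing
certificates the SP trusts from its stored IdP metadata.

Added example; not the Jenkins SAML plugin's code. Standard library only.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def _fingerprint(b64_cert):
    """SHA-256 fingerprint of a base64-encoded (PEM body) X.509 certificate.
    Whitespace is stripped because metadata usually wraps the base64."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def idp_signing_fingerprints(metadata_xml):
    """Fingerprints of every certificate the IdP metadata offers for signing.
    A KeyDescriptor with no 'use' attribute is valid for signing and
    encryption, so it is included as well."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter("{%s}X509Certificate" % NS["ds"]):
            fps.add(_fingerprint(cert.text))
    return fps


def response_signing_fingerprints(response_xml):
    """(signed element, fingerprint) for each ds:Signature that embeds its
    certificate in KeyInfo. The Response and each Assertion may be signed."""
    root = ET.fromstring(response_xml)
    found = []
    for elem in root.iter():
        sig = elem.find("ds:Signature", NS)
        if sig is None:
            continue
        for cert in sig.iter("{%s}X509Certificate" % NS["ds"]):
            found.append((elem.tag.split("}")[-1], _fingerprint(cert.text)))
    return found


def check_trust(metadata_xml, saml_response_b64):
    """Return [(signed element, fingerprint, trusted)] for every certificate
    embedded in the decoded SAMLResponse. A False entry means the IdP signed
    with a certificate that is not in the SP's copy of the IdP metadata, for
    example after the IdP rotated its certificate while the stored metadata
    stayed stale; that mismatch shows up in pac4j as "Signature is not trusted"."""
    trusted = idp_signing_fingerprints(metadata_xml)
    response_xml = base64.b64decode(saml_response_b64).decode()
    return [(name, fp, fp in trusted)
            for name, fp in response_signing_fingerprints(response_xml)]


# Constructed placeholders standing in for DER certificates; real metadata
# carries full base64 X.509 certificates here.
CERT_A = base64.b64encode(b"constructed placeholder certificate A").decode()
CERT_B = base64.b64encode(b"constructed placeholder certificate B").decode()

# Constructed IdP metadata (shape of saml-idp-metadata.xml) trusting CERT_A only.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {CERT_A}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sample_response(cert_b64):
    """Constructed SAMLResponse, base64-encoded as in the HTTP-POST binding,
    whose Assertion signature embeds the given certificate."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # Response signed with CERT_B while the metadata only trusts CERT_A.
    for name, fp, ok in check_trust(SAMPLE_IDP_METADATA, sample_response(CERT_B)):
        print(f"{name}: {fp[:16]}... {'trusted' if ok else 'NOT in IdP metadata'}")
```

To use it on a real instance, read JENKINS_HOME/saml-idp-metadata.xml into `metadata_xml` and paste the base64 SAMLResponse from the verbose log as `saml_response_b64`. An empty result means the IdP did not embed its certificate in KeyInfo, in which case the fingerprint comparison cannot be made from the response alone and the IdP's current signing certificate has to be compared with the metadata directly. The script checks only that the certificate is one the SP trusts; it does not verify the signature itself.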
