Re: Jenkins Okta auth

2017-04-20 Thread Ivan Fernandez Calvo
Hi,

To configure Okta as a SAML service, you have to follow this documentation:
http://developer.okta.com/standards/SAML/setting_up_a_saml_application_in_okta
It seems like you did that and have the IdP up and running. You have to set 
these settings in order to make it work:

*Single Sign on Url*: 
http://myhostaddress.com:8080/securityRealm/finishLogin
*Use this for Recipient URL and Destination URL*: Checked
*Audience URI (SP Entity ID)*: 
http://myhostaddress.com:8080/securityRealm/finishLogin
*Name ID Format*: EmailAddress
*Application username*: Okta username
*Attribute Statements* - I did not specify any here
*Group Attribute Statements*: Name=Group, Name format=Basic, Filter type=regex, 
Filter=.*


Jenkins:
*Security Realm*: SAML 2.0
*IdP Metadata* : Copied from Okta
*Display Name Attribute*: The default of 
(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name)
*Group Attribute*: Group
*Username Attribute*: left blank

Reviewing your configuration, you set Request Binding to HTTP POST. This kind 
of binding is not yet supported by the SAML Plugin; you have to use HTTP 
Redirect Binding.



On Thursday, April 20, 2017, 10:20:01 (UTC+2), st...@flugel.it wrote:
>
> I'm trying to configure okta with saml jenkins plugin 
> https://wiki.jenkins-ci.org/display/JENKINS/SAML+Plugin
> But getting error Cannot find entity 
> https://www.okta.com/saml2/service-provider/spibofbfpairxsdsimgc or role 
> {urn:oasis:names:tc:SAML:2.0:metadata}
>
> there is my metadata
>  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="
> https://www.okta.com/saml2/service-provider/spibofbfpairxsdsimgc">  
> AuthnRequestsSigned="true" WantAssertionsSigned="true" 
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">  
> use="encryption">http://www.w3.org/2000/09/xmldsig#">
> Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/> Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/> Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>  
> use="signing">http://www.w3.org/2000/09/xmldsig#">
> urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress urn:oasis:names:tc:SAML:2.0:nameid-format:persistent urn:oasis:names:tc:SAML:2.0:nameid-format:transient  
> Binding="urn:oasis:names
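
A check for what the reply above relies on, added here as an example and not part of either post or of the SAML Plugin: before pasting a document into *IdP Metadata*, confirm that it carries an IdP role descriptor and offers an HTTP-Redirect single sign-on endpoint. The function name and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means every check passed."""
    # Metadata never needs a DTD; refusing one avoids entity-expansion tricks.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["metadata contains a DTD; refusing to parse it"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        # Typical when service-provider metadata was pasted instead.
        roles = [c.tag.split("}")[-1] for c in root if c.tag.endswith("Descriptor")]
        return [f"no IDPSSODescriptor role (found: {roles or 'none'})"]
    problems = []
    bindings = [s.get("Binding") for s in idp.findall(f"{{{MD}}}SingleSignOnService")]
    if REDIRECT not in bindings:
        problems.append(f"no HTTP-Redirect SingleSignOnService (found: {bindings})")
    keys = idp.findall(f"{{{MD}}}KeyDescriptor")
    if not any(k.get("use") in (None, "signing") for k in keys):
        problems.append("no signing KeyDescriptor to verify assertions with")
    return problems

def _sample(role, body):
    # Constructed metadata skeleton, not taken from the thread.
    return (f'<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.test/meta">'
            f'<md:{role} protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{body}</md:{role}></md:EntityDescriptor>')

SSO = '<md:SingleSignOnService Binding="{}" Location="https://idp.example.test/sso"/>'
ACS = '<md:AssertionConsumerService Binding="{}" Location="https://sp.example.test/acs" index="0"/>'
KEY = '<md:KeyDescriptor use="signing"/>'  # certificate content omitted in the sample
IDP_OK = _sample("IDPSSODescriptor", KEY + SSO.format(REDIRECT) + SSO.format(POST))
IDP_POST_ONLY = _sample("IDPSSODescriptor", KEY + SSO.format(POST))
SP_ONLY = _sample("SPSSODescriptor", ACS.format(POST))

if __name__ == "__main__":
    for name, doc in [("idp", IDP_OK), ("post-only", IDP_POST_ONLY), ("sp", SP_ONLY)]:
        print(name, check_idp_metadata(doc) or "ok")
```
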

Jenkins Okta auth

2017-04-20 Thread stas
I'm trying to configure okta with saml jenkins plugin 
https://wiki.jenkins-ci.org/display/JENKINS/SAML+Plugin
But getting error Cannot find entity 
https://www.okta.com/saml2/service-provider/spibofbfpairxsdsimgc or role 
{urn:oasis:names:tc:SAML:2.0:metadata}

there is my metadata
https://www.okta.com/saml2/service-provider/spibofbfpairxsdsimgc
http://www.w3.org/2000/09/xmldsig#
http://www.w3.org/2001/04/xmlenc#aes128-cbc
http://www.w3.org/2001/04/xmlenc#aes192-cbc
http://www.w3.org/2001/04/xmlenc#aes256-cbc
http://www.w3.org/2001/04/xmlenc#tripledes-cbc
http://www.w3.org/2000/09/xmldsig#
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
https://dev-784119.oktapreview.com/sso/saml2/0oaa7zvi6k6kK4Rm00h7
index="0" isDefault="true"
http://www.w3.org/XML/1998/namespace xml:lang="en" dev-784119
http://www.w3.org/XML/1998/namespace xml:lang="en" Flugel.it-dev-784119
http://www.w3.org/XML/1998/namespace xml:lang="en" https://flugel.it

in Okta:
SAML PROTOCOL SETTINGS

IdP Issuer URI 
https://ip:8080/securityRealm/finishLogin

IdP Single Sign-On URL 
https://ip:8080/securityRealm/finishLogin

IdP Signature Certificate 
Pub cer for SSL

Request Binding 
HTTP POST

Request Signature

Sign SAML Authentication Requests
Request Signature Algorithm 
SHA-256

Response Signature Verification 
Response or Assertion

Response Signature Algorithm 
SHA-256

Destination 
https://ip:8080/securityRealm/finishLogin
Okta Assertion Consumer Service URL

Trust-specific

Organization (shared)
Max Clock Skew 
2
Minutes

Jenkins running from official docker image with options:
--httpPort=-1 --httpsPort=8080 
--httpsCertificate=/var/lib/jenkins/jenkins.crt 
--httpsPrivateKey=/var/lib/jenkins/jenkins.key
