Hello - 

We are having issues configuring the SAML plugin for Azure AD. After 
following the config guide 
<https://github.com/jenkinsci/saml-plugin/blob/master/doc/CONFIGURE_AZURE.md>, 
I'm able to log in via Azure AD/SSO, but am then immediately logged out.

I'm seeing the following in the Jenkins logs.  


I've tried the configuration both with and without "Encryption Configuration" 
checked. With it checked, I followed the instructions in the help 
dialog to generate a new keystore and referenced that keystore in the 
config successfully. The behavior is the same either way.

 

Log snippet with exception (validation of the assertion signature fails with "Signature is not trusted"):

jenkins_1      | May 20, 2019 5:30:35 PM 
org.opensaml.core.config.InitializationService initialize

jenkins_1      | INFO: Initializing OpenSAML using the Java Services API

jenkins_1      | May 20, 2019 5:30:36 PM 
org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver <init>

jenkins_1      | INFO: Using SP entity ID https://jenkins-dev.mycompany.com

jenkins_1      | May 20, 2019 5:30:36 PM 
org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver resolve

jenkins_1      | INFO: Writing sp metadata to 
/var/jenkins_home/saml-sp-metadata.xml

jenkins_1      | May 20, 2019 5:30:36 PM 
org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver resolve

jenkins_1      | INFO: Attempting to create directory structure for 
/var/jenkins_home

jenkins_1      | May 20, 2019 5:30:36 PM 
org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver resolve

jenkins_1      | WARNING: Could not construct the directory structure for 
SP metadata /var/jenkins_home/saml-sp-metadata.xml

jenkins_1      | May 20, 2019 5:30:36 PM 
org.apache.xml.security.signature.XMLSignature checkSignatureValue

jenkins_1      | WARNING: Signature verification failed.

jenkins_1      | May 20, 2019 5:30:36 PM 
org.apache.xml.security.signature.XMLSignature checkSignatureValue

jenkins_1      | WARNING: Signature verification failed.

jenkins_1      | May 20, 2019 5:30:36 PM 
org.apache.xml.security.signature.XMLSignature checkSignatureValue

jenkins_1      | WARNING: Signature verification failed.

jenkins_1      | May 20, 2019 5:30:36 PM 
org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator 
validateSamlSSOResponse

jenkins_1      | SEVERE: Current assertion validation failed, continue with 
the next one

jenkins_1      | org.pac4j.saml.exceptions.SAMLException: Signature is not 
trusted

jenkins_1      | at 
org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSignature(SAML2DefaultResponseValidator.java:689)

jenkins_1      | at 
org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateAssertionSignature(SAML2DefaultResponseValidator.java:644)

jenkins_1      | at 
org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateAssertion(SAML2DefaultResponseValidator.java:395)

jenkins_1      | at 
org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSamlSSOResponse(SAML2DefaultResponseValidator.java:302)

jenkins_1      | at 
org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validate(SAML2DefaultResponseValidator.java:138)

jenkins_1      | at 
org.pac4j.saml.sso.impl.SAML2WebSSOMessageReceiver.receiveMessage(SAML2WebSSOMessageReceiver.java:77)

jenkins_1      | at 
org.pac4j.saml.sso.impl.SAML2WebSSOProfileHandler.receive(SAML2WebSSOProfileHandler.java:35)

jenkins_1      | at 
org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:225)

jenkins_1      | at 
org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:60)

jenkins_1      | at 
org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:106)

jenkins_1      | at 
org.jenkinsci.plugins.saml.SamlProfileWrapper.process(SamlProfileWrapper.java:55)

jenkins_1      | at 
org.jenkinsci.plugins.saml.SamlProfileWrapper.process(SamlProfileWrapper.java:35)

jenkins_1      | at 
org.jenkinsci.plugins.saml.OpenSAMLWrapper.get(OpenSAMLWrapper.java:64)

jenkins_1      | at 
org.jenkinsci.plugins.saml.SamlSecurityRealm.doFinishLogin(SamlSecurityRealm.java:312)

jenkins_1      | at 
java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)

jenkins_1      | at 
org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)

jenkins_1      | at 
org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)

jenkins_1      | at 
org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77)

jenkins_1      | at 
org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)

jenkins_1      | at 
org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)

jenkins_1      | at 
org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)

jenkins_1      | at 
org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:537)

jenkins_1      | at 
org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)

jenkins_1      | at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:739)

jenkins_1      | at org.kohsuke.stapler.Stapler.invoke(Stapler.java:870)

jenkins_1      | at 
org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:221)

jenkins_1      | at 
org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)

jenkins_1      | at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:739)

jenkins_1      | at org.kohsuke.stapler.Stapler.invoke(Stapler.java:870)

jenkins_1      | at org.kohsuke.stapler.Stapler.invoke(Stapler.java:668)

jenkins_1      | at org.kohsuke.stapler.Stapler.service(Stapler.java:238)

jenkins_1      | at 
javax.servlet.http.HttpServlet.service(HttpServlet.java:790)

jenkins_1      | at 
org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)

jenkins_1      | at 
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)

jenkins_1      | at 
hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)

jenkins_1      | at 
org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:243)

jenkins_1      | at 
hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)

jenkins_1      | at 
io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)

jenkins_1      | at 
hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)

jenkins_1      | at 
io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:61)

jenkins_1      | at 
hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)

jenkins_1      | at 
jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128)

jenkins_1      | at 
hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)

jenkins_1      | at 
hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)

jenkins_1      | at 
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)

jenkins_1      | at 
hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:64)

jenkins_1      | at 
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)

jenkins_1      | at 
hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)

jenkins_1      | at 
hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)

jenkins_1      | at 
hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)

jenkins_1      | at 
jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)

jenkins_1      | at 
hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)

jenkins_1      | at 
org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)

jenkins_1      | at 
hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)

jenkins_1      | at 
org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)

jenkins_1      | at 
hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)

jenkins_1      | at 
org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)

jenkins_1      | at 
hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)

jenkins_1      | at 
jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)

jenkins_1      | at 
hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)

jenkins_1      | at 
org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)

jenkins_1      | at 
hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)

jenkins_1      | at 
hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)

jenkins_1      | at 
hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)

jenkins_1      | at 
hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)

jenkins_1      | at 
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)

jenkins_1      | at 
org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)

jenkins_1      | at 
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)

jenkins_1      | at 
hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)

jenkins_1      | at 
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)

jenkins_1      | at 
org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)

jenkins_1      | at 
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)

jenkins_1      | at 
org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)

jenkins_1      | at 
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)

jenkins_1      | at 
org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)

jenkins_1      | at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)

jenkins_1      | at 
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)

jenkins_1      | at 
org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)

jenkins_1      | at 
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)

jenkins_1      | at 
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1340)

jenkins_1      | at 
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)

jenkins_1      | at 
org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)

jenkins_1      | at 
org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)

jenkins_1      | at 
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)

jenkins_1      | at 
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1242)

jenkins_1      | at 
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)

jenkins_1      | at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)

jenkins_1      | at org.eclipse.jetty.server.Server.handle(Server.java:503)

jenkins_1      | at 
org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)

jenkins_1      | at 
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)

jenkins_1      | at 
org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)

jenkins_1      | at 
org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)

jenkins_1      | at 
org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)

jenkins_1      | at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)

jenkins_1      | at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)

jenkins_1      | at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)

jenkins_1      | at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)

jenkins_1      | at 
org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)

jenkins_1      | at 
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)

jenkins_1      | at 
org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)

jenkins_1      | at java.lang.Thread.run(Thread.java:748)

jenkins_1      |

jenkins_1      | May 20, 2019 5:30:36 PM 
org.jenkinsci.plugins.saml.SamlSecurityRealm doFinishLogin
