Hello -
We are having issues when configuring the SAML plugin for Azure AD. After following the config guide <https://github.com/jenkinsci/saml-plugin/blob/master/doc/CONFIGURE_AZURE.md> , I'm able to log in via Azure AD/SSO, but then am immediately logged out. I'm seeing the following in the Jenkins logs. I've tried the configuration both with and without Encryption Configuration checked as well. When checked, I followed the instructions in the help dialog to generate a new keystore and referenced that keystore in the config successfully. Still getting the same behavior, either way. Log snippet with exception: jenkins_1 | May 20, 2019 5:30:35 PM org.opensaml.core.config.InitializationService initialize jenkins_1 | INFO: Initializing OpenSAML using the Java Services API jenkins_1 | May 20, 2019 5:30:36 PM org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver <init> jenkins_1 | INFO: Using SP entity ID https://jenkins-dev.mycompany.com jenkins_1 | May 20, 2019 5:30:36 PM org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver resolve jenkins_1 | INFO: Writing sp metadata to /var/jenkins_home/saml-sp-metadata.xml jenkins_1 | May 20, 2019 5:30:36 PM org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver resolve jenkins_1 | INFO: Attempting to create directory structure for /var/jenkins_home jenkins_1 | May 20, 2019 5:30:36 PM org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver resolve jenkins_1 | WARNING: Could not construct the directory structure for SP metadata /var/jenkins_home/saml-sp-metadata.xml jenkins_1 | May 20, 2019 5:30:36 PM org.apache.xml.security.signature.XMLSignature checkSignatureValue jenkins_1 | WARNING: Signature verification failed. jenkins_1 | May 20, 2019 5:30:36 PM org.apache.xml.security.signature.XMLSignature checkSignatureValue jenkins_1 | WARNING: Signature verification failed. jenkins_1 | May 20, 2019 5:30:36 PM org.apache.xml.security.signature.XMLSignature checkSignatureValue jenkins_1 | WARNING: Signature verification failed. jenkins_1 | May 20, 2019 5:30:36 PM org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator validateSamlSSOResponse jenkins_1 | SEVERE: Current assertion validation failed, continue with the next one jenkins_1 | org.pac4j.saml.exceptions.SAMLException: Signature is not trusted jenkins_1 | at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSignature(SAML2DefaultResponseValidator.java:689) jenkins_1 | at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateAssertionSignature(SAML2DefaultResponseValidator.java:644) jenkins_1 | at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateAssertion(SAML2DefaultResponseValidator.java:395) jenkins_1 | at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSamlSSOResponse(SAML2DefaultResponseValidator.java:302) jenkins_1 | at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validate(SAML2DefaultResponseValidator.java:138) jenkins_1 | at org.pac4j.saml.sso.impl.SAML2WebSSOMessageReceiver.receiveMessage(SAML2WebSSOMessageReceiver.java:77) jenkins_1 | at org.pac4j.saml.sso.impl.SAML2WebSSOProfileHandler.receive(SAML2WebSSOProfileHandler.java:35) jenkins_1 | at org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:225) jenkins_1 | at org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:60) jenkins_1 | at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:106) jenkins_1 | at org.jenkinsci.plugins.saml.SamlProfileWrapper.process(SamlProfileWrapper.java:55) jenkins_1 | at org.jenkinsci.plugins.saml.SamlProfileWrapper.process(SamlProfileWrapper.java:35) jenkins_1 | at org.jenkinsci.plugins.saml.OpenSAMLWrapper.get(OpenSAMLWrapper.java:64) jenkins_1 | at org.jenkinsci.plugins.saml.SamlSecurityRealm.doFinishLogin(SamlSecurityRealm.java:312) jenkins_1 | at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627) jenkins_1 | at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396) jenkins_1 | at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408) jenkins_1 | at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77) jenkins_1 | at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26) jenkins_1 | at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212) jenkins_1 | at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145) jenkins_1 | at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:537) jenkins_1 | at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58) jenkins_1 | at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:739) jenkins_1 | at org.kohsuke.stapler.Stapler.invoke(Stapler.java:870) jenkins_1 | at org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:221) jenkins_1 | at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58) jenkins_1 | at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:739) jenkins_1 | at org.kohsuke.stapler.Stapler.invoke(Stapler.java:870) jenkins_1 | at org.kohsuke.stapler.Stapler.invoke(Stapler.java:668) jenkins_1 | at org.kohsuke.stapler.Stapler.service(Stapler.java:238) jenkins_1 | at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) jenkins_1 | at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865) jenkins_1 | at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655) jenkins_1 | at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154) jenkins_1 | at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:243) jenkins_1 | at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151) jenkins_1 | at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134) jenkins_1 | at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151) jenkins_1 | at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:61) jenkins_1 | at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151) jenkins_1 | at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128) jenkins_1 | at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151) jenkins_1 | at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157) jenkins_1 | at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642) jenkins_1 | at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:64) jenkins_1 | at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642) jenkins_1 | at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84) jenkins_1 | at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51) jenkins_1 | at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) jenkins_1 | at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117) jenkins_1 | at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) jenkins_1 | at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125) jenkins_1 | at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) jenkins_1 | at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142) jenkins_1 | at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) jenkins_1 | at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271) jenkins_1 | at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) jenkins_1 | at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93) jenkins_1 | at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) jenkins_1 | at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249) jenkins_1 | at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67) jenkins_1 | at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) jenkins_1 | at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90) jenkins_1 | at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171) jenkins_1 | at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642) jenkins_1 | at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49) jenkins_1 | at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642) jenkins_1 | at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82) jenkins_1 | at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642) jenkins_1 | at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30) jenkins_1 | at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642) jenkins_1 | at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533) jenkins_1 | at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146) jenkins_1 | at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524) jenkins_1 | at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) jenkins_1 | at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257) jenkins_1 | at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595) jenkins_1 | at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) jenkins_1 | at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1340) jenkins_1 | at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203) jenkins_1 | at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473) jenkins_1 | at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564) jenkins_1 | at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201) jenkins_1 | at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1242) jenkins_1 | at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144) jenkins_1 | at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) jenkins_1 | at org.eclipse.jetty.server.Server.handle(Server.java:503) jenkins_1 | at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364) jenkins_1 | at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260) jenkins_1 | at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305) jenkins_1 | at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) jenkins_1 | at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118) jenkins_1 | at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333) jenkins_1 | at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310) jenkins_1 | at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168) jenkins_1 | at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126) jenkins_1 | at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366) jenkins_1 | at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765) jenkins_1 | at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683) jenkins_1 | at java.lang.Thread.run(Thread.java:748) jenkins_1 | jenkins_1 | May 20, 2019 5:30:36 PM org.jenkinsci.plugins.saml.SamlSecurityRealm doFinishLogin -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/9baa7929-e4a5-4511-b362-4d54a4054ecb%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
