  1. Jenkins
  2. JENKINS-11912

SSO not working


      Description

      I have tried to set up this plugin to get SSO on Jenkins.
      We use it successfully with several applications already: Confluence, Jira, Subversion and Nexus.

      But when I enabled this plugin, I get the log in screen every time I try to access Jenkins.
      I get this when I already have a valid SSO session and can browse between the other SSO-enabled applications. But once I access Jenkins my SSO session is invalidated and I am logged out from all the other applications as well.

      I can then log in to Jenkins, but the SSO session will not work in any of the other SSO-enabled applications.

      I see the following in the logs:
      FINE: User is not logged in (anymore) via Crowd => logout user
      Nov 29, 2011 5:41:53 PM de.theit.jenkins.crowd.CrowdRememberMeServices logout
      FINE: Logout user and close SSO session
      Nov 29, 2011 5:41:53 PM de.theit.jenkins.crowd.CrowdServletFilter doFilter

      I cannot see from the logs why my session is being invalidated by this plugin; some extra log information would be nice.
      It may have something to do with our setup, but this setup works fine with all the other applications;
      All applications are using a separate subdomain e.g: jenkins.mydomain.com, confluence.mydomain.com, jira.mydomain.com


          Activity

          jensmartin Jens-Martin Groenne added a comment -

          Problem with proxy configuration in Crowd.

          alig Martin Alig added a comment -

          Hey, I have exactly the same issue here. How did you solve this problem?

          integer Kanstantsin Shautsou added a comment -

          Add jenkins.security, hudson.security, de.theit.jenkins.crowd to logger.

          alig Martin Alig added a comment -

          Thanks for the quick response. Here is a snippet from the logs:

          Jun 02, 2014 5:34:16 PM FINER hudson.security.SidACL
          hasPermission(PrincipalSID:anonymous,Permission[class hudson.model.Hudson,Read])=>true
          Jun 02, 2014 5:34:16 PM FINE hudson.security.SidACL
          hasPermission(org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken@7ceb1ed7: Username: anonymous; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@957e: RemoteIpAddress: 192.168.188.102; SessionId: null; Granted Authorities: ,Permission[class hudson.model.Hudson,Read])=>true
          Jun 02, 2014 5:34:17 PM FINER hudson.security.SidACL
          hasPermission(PrincipalSID:anonymous,Permission[class hudson.model.Hudson,Administer])=>true
          Jun 02, 2014 5:34:17 PM FINE hudson.security.SidACL
          hasPermission(org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken@7ceb1ed7: Username: anonymous; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@957e: RemoteIpAddress: 192.168.188.102; SessionId: null; Granted Authorities: ,Permission[class hudson.model.Hudson,Administer])=>true
          Jun 02, 2014 5:34:17 PM FINER hudson.security.SidACL
          hasPermission(PrincipalSID:anonymous,Permission[class hudson.model.Hudson,Read])=>true
          Jun 02, 2014 5:34:17 PM FINE hudson.security.SidACL
          hasPermission(org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken@7ceb1ed7: Username: anonymous; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@957e: RemoteIpAddress: 192.168.188.102; SessionId: null; Granted Authorities: ,Permission[class hudson.model.Hudson,Read])=>true
          Jun 02, 2014 5:34:17 PM FINER jenkins.security.ExceptionTranslationFilter
          Chain processed normally
          Jun 02, 2014 5:34:18 PM FINER hudson.security.HudsonFilter doFilter
          ENTRY
          Jun 02, 2014 5:34:18 PM FINE de.theit.jenkins.crowd.CrowdServletFilter
          User is not logged in (anymore) via Crowd => logout user
          Jun 02, 2014 5:34:18 PM FINE de.theit.jenkins.crowd.CrowdRememberMeServices
          Logout user and close SSO session
          Jun 02, 2014 5:34:18 PM FINER hudson.security.HudsonFilter doFilter
          ENTRY
          Jun 02, 2014 5:34:18 PM FINE de.theit.jenkins.crowd.CrowdServletFilter
          User is not logged in (anymore) via Crowd => logout user
          Jun 02, 2014 5:34:18 PM FINE de.theit.jenkins.crowd.CrowdRememberMeServices
          Logout user and close SSO session
          Jun 02, 2014 5:34:18 PM FINER hudson.security.HudsonFilter doFilter
          ENTRY
          Jun 02, 2014 5:34:18 PM FINE de.theit.jenkins.crowd.CrowdServletFilter
          User is not logged in (anymore) via Crowd => logout user
          Jun 02, 2014 5:34:18 PM FINE de.theit.jenkins.crowd.CrowdRememberMeServices
          Logout user and close SSO session
          Jun 02, 2014 5:34:18 PM FINER hudson.security.HudsonFilter doFilter
          ENTRY
          Jun 02, 2014 5:34:18 PM FINE de.theit.jenkins.crowd.CrowdServletFilter
          User is not logged in (anymore) via Crowd => logout user
          Jun 02, 2014 5:34:18 PM FINE de.theit.jenkins.crowd.CrowdRememberMeServices
          Logout user and close SSO session
          Jun 02, 2014 5:34:18 PM FINER hudson.security.HudsonFilter doFilter
          ENTRY
          Jun 02, 2014 5:34:18 PM FINE de.theit.jenkins.crowd.CrowdServletFilter
          User is not logged in (anymore) via Crowd => logout user
          Jun 02, 2014 5:34:18 PM FINE de.theit.jenkins.crowd.CrowdRememberMeServices
          Logout user and close SSO session
          Jun 02, 2014 5:34:18 PM FINER hudson.security.HudsonFilter doFilter
          ENTRY
          Jun 02, 2014 5:34:18 PM FINE de.theit.jenkins.crowd.CrowdServletFilter
          User is not logged in (anymore) via Crowd => logout user
          Jun 02, 2014 5:34:18 PM FINE de.theit.jenkins.crowd.CrowdRememberMeServices
          Logout user and close SSO session
          Jun 02, 2014 5:34:18 PM FINER hudson.security.ChainedServletFilter doFilter
          ENTRY
          Jun 02, 2014 5:34:18 PM FINER de.theit.jenkins.crowd.CrowdRememberMeServices
          Checking whether a SSO token is available...
          Jun 02, 2014 5:34:18 PM FINER jenkins.security.ExceptionTranslationFilter
          Chain processed normally
          Jun 02, 2014 5:34:18 PM FINER hudson.security.HudsonFilter doFilter
          ENTRY
          Jun 02, 2014 5:34:18 PM FINE de.theit.jenkins.crowd.CrowdServletFilter
          User is not logged in (anymore) via Crowd => logout user
          Jun 02, 2014 5:34:18 PM FINE de.theit.jenkins.crowd.CrowdRememberMeServices
          Logout user and close SSO session
          Jun 02, 2014 5:34:18 PM FINER hudson.security.ChainedServletFilter doFilter
          ENTRY
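
Added example (not part of the issue thread or the plugin's code): a small Python triage script for the two-line log format in the excerpt above. It counts CrowdServletFilter forced logouts per second so the repeated SSO invalidation stands out. The sample input is constructed from the message texts shown above; the threshold of 3 is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Header line of a record: "<date> <time> AM|PM <LEVEL> <logger> [method]"
HEADER = re.compile(
    r"^(?P<ts>\w{3} \d{2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<level>[A-Z]+) (?P<logger>\S+)(?: (?P<method>\S+))?$")
FILTER = "de.theit.jenkins.crowd.CrowdServletFilter"
FORCED = "User is not logged in (anymore) via Crowd => logout user"

# Constructed sample: four forced logouts in one second, one more later.
_PAIR = ("Jun 02, 2014 5:34:{s} PM FINE " + FILTER + "\n" + FORCED + "\n"
         "Jun 02, 2014 5:34:{s} PM FINE de.theit.jenkins.crowd.CrowdRememberMeServices\n"
         "Logout user and close SSO session\n")
SAMPLE = ("Jun 02, 2014 5:34:17 PM FINER jenkins.security.ExceptionTranslationFilter\n"
          "Chain processed normally\n"
          + _PAIR.format(s="18") * 4 + _PAIR.format(s="25"))


def parse_records(text):
    """Yield (timestamp, level, logger, message) for each header+message record."""
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        match = HEADER.match(line)
        if match:
            if current:
                yield tuple(current)
            ts = datetime.strptime(match["ts"], "%b %d, %Y %I:%M:%S %p")
            current = [ts, match["level"], match["logger"], ""]
        elif current:
            # Message text may span several lines; join them with spaces.
            current[3] = (current[3] + " " + line).strip()
    if current:
        yield tuple(current)


def logout_bursts(text, threshold=3):
    """Return {second: count} where the filter forced >= threshold logouts."""
    per_second = Counter(
        ts for ts, _level, logger, msg in parse_records(text)
        if logger == FILTER and msg == FORCED)
    return {ts: n for ts, n in per_second.items() if n >= threshold}


if __name__ == "__main__":
    for ts, n in sorted(logout_bursts(SAMPLE).items()):
        print(f"{ts.isoformat()} forced SSO logouts: {n}")
```

A burst like this on every request, as in the excerpt, means the filter rejects the Crowd session each time rather than a user logging out once.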

          alig Martin Alig added a comment -

          What is strange is that the opposite way works. So logging in to Jenkins first and then the SSO works for all the other configured applications...
          Could it have something to do with my Apache Proxy Setting?
          Basically how I have it configured is:

          Public Host:

          • Apache Proxy
          • Crowd (Behind Apache)
          • ...

          Internal Host:

          • Jenkins

          And in the Public Host I have the ProxyPass configured like:

          ProxyPass /jenkins http://192.168.178.22:8080/jenkins nocanon
          ProxyPassReverse /jenkins http://192.168.178.22:8080/jenkins

          integer Kanstantsin Shautsou added a comment - - edited

          Plus add com.atlassian.crowd to the logger.
          The filter routine checks auth at https://github.com/jenkinsci/crowd2-plugin/blob/master/src/main/java/de/theit/jenkins/crowd/CrowdServletFilter.java#L139
          Check that the SSO domain is configured right, plus check errors from the com.atlassian.crowd library.

          alig Martin Alig added a comment -

          Thanks for your help. I was able to figure it out by inspecting the logs on both sides.
          As Jenkins is running on an internal machine, I had to configure the trusted Proxies in Crowd correctly.


            People

            • Assignee:
              integer Kanstantsin Shautsou
              Reporter:
              jensmartin Jens-Martin Groenne