JENKINS-48193

Group based access is not working

      Description

      Hi Ivan,

      I am using the SAML plugin in combination with PingFederate. I am able to get access when the user is directly added to a role, but group-based access is not working.

      I am running Jenkins on 2.73.3.

      Suspected error snippet.

      Writing sp metadata to /var/jenkins_home/saml-sp-metadata.xml
      Nov 23, 2017 8:35:35 AM INFO org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver resolve
      Attempting to create directory structure for /var/jenkins_home
      Nov 23, 2017 8:35:35 AM WARNING org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver resolve
      Could not construct the directory structure for SP metadata /var/jenkins_home/saml-sp-metadata.xml

            Activity

            ifernandezcalvo Ivan Fernandez Calvo added a comment -

            The snippet is not related. Did you set the group attribute in the SAML Plugin configuration? Did you check in JENKINS_URL/user/USERNAME if you see the groups assigned to the user? Did you create a group in Jenkins and add an external group with the name of the SAML one?

            gaky anil g added a comment -

            Hi Ivan Fernandez Calvo,

            I am able to see the groups in the profile (one of the groups is ALM-ADMIN).

            I have added a role called ADMIN and I have assigned it to the ALM-ADMIN group.

            Do you need any stack trace?

            Thanks,

            ifernandezcalvo Ivan Fernandez Calvo added a comment -

            The authorization behavior is tested automatically, so it works at least with RBAC and Matrix Authorization. You do not provide enough information to replicate the issue. Which authorization plugin do you use? What exactly is not working? What is the test you did to check that fails?

            How to report an issue 

            https://wiki.jenkins.io/display/JENKINS/Matrix+Authorization+Strategy+Plugin

            https://github.com/jenkinsci/acceptance-test-harness/blob/master/src/test/java/plugins/SAMLPluginTest.java

            gaky anil g added a comment - - edited

            Hi Ivan Fernandez Calvo,

            Issue is fixed, thanks for your support

            Root Cause: The IDP is providing groups like (CN=groupname1 DC= XXXXXX), so Jenkins is unable to read group names.

            Resolution: Changed the filter in the IDP server to send only the group name.

            Thanks,
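
Added example (not part of the original issue and not the SAML plugin's code): a Python check for the root cause reported above, where the IdP sends groups as LDAP distinguished names while roles in Jenkins are assigned to the short group name. The attribute name `groups`, the sample assertion, the function names and the assumption that a role assignment must equal the received value exactly are all illustrative.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an AttributeStatement as an IdP might send it.
# The attribute name "groups" and every value are assumptions, not data from the issue.
SAMPLE_ASSERTION = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="groups">
    <saml:AttributeValue>CN=ALM-ADMIN,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    <saml:AttributeValue>CN=Dev\\, Ops,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    <saml:AttributeValue>jenkins-users</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# First RDN of a DN, up to the first unescaped comma (hex escapes such as \2C are not decoded).
_FIRST_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*((?:\\.|[^,\\])*)")

def saml_groups(xml_text, attribute="groups"):
    """Group attribute values exactly as received (use defusedxml for untrusted XML)."""
    root = ET.fromstring(xml_text)
    xpath = f".//saml:Attribute[@Name='{attribute}']/saml:AttributeValue"
    return [(v.text or "").strip() for v in root.iterfind(xpath, NS)]

def short_group_name(value):
    """Return the CN of a DN-style value, or None when the value is not a CN=... DN."""
    m = _FIRST_RDN.match(value)
    if not m or m.group(1).upper() != "CN":
        return None
    return re.sub(r"\\(.)", r"\1", m.group(2)).strip()

def unmatched_roles(xml_text, assigned_groups, attribute="groups"):
    """Map each group used in a role assignment to the DN-form value that hides it."""
    findings = {}
    for value in saml_groups(xml_text, attribute):
        cn = short_group_name(value)
        # Assumption: the role only applies if the received value equals the assigned name.
        if cn in assigned_groups and value not in assigned_groups:
            findings[cn] = value
    return findings

if __name__ == "__main__":
    print(unmatched_roles(SAMPLE_ASSERTION, {"ALM-ADMIN", "jenkins-users"}))
```

A non-empty result means either the IdP filter should send only the group name (the resolution reported in this issue) or the role must be assigned to the full value the IdP sends.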

              People

              • Assignee: ifernandezcalvo Ivan Fernandez Calvo
              • Reporter: gaky anil g