- Improvement
- Resolution: Fixed
- Minor
- None
SAML-plugin 1.0.5
The SAML plugin automatically generates a keystore in /tmp (when it has not been manually configured otherwise). However, /tmp files are subject to garbage collection; if the keystore is subsequently deleted by a cleanup process (e.g. tmpwatch, systemd-tmpfiles-clean, etc.), it will break SAML authentication and require a restart of the Jenkins process.
Being able to specify a path or directory for where to create the autogenerated keystore would solve this problem.
The existing mechanism for specifying a keystore requires configuring the plugin manually with a key password and keystore password. We deploy and manage a fleet of Jenkins instances via Ansible and are limited to configuration options that can be scripted. The automatically generated keystore would be a satisfactory solution if it were not subject to garbage collection.
- is duplicated by: JENKINS-49747 java.io.FileNotFoundException: /tmp/saml-jenkins-keystore-5345145658381646927.jks (No such file or directory) (Resolved)
- is related to: JENKINS-50016 Contents of saml-sp-metadata.xml changes whenever jenkins service is restarted locking users out (Resolved)
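An added example, not part of the original issue or the plugin's code: a fleet-side check that reads tmpfiles.d-style rules and reports whether a keystore path falls under a directory that systemd-tmpfiles-clean ages out. The sample rules and the `/var/lib/jenkins` path are constructed assumptions, the matching is a simplification of systemd's behaviour, and the `x` exclusion line is a tmpfiles.d feature, not something the issue proposes.

```python
import fnmatch
import posixpath

# Constructed sample, modelled on a typical distribution tmp.conf (not from the issue).
SAMPLE_TMPFILES = """\
q /tmp 1777 root root 10d
q /var/tmp 1777 root root 30d
d /var/lib/jenkins 0755 jenkins jenkins -
"""

DIR_TYPES = set("dDevqQ")  # directory line types whose Age field enables cleanup


def parse_tmpfiles(text):
    """Return ([(directory, age)], [excluded_glob]) from tmpfiles.d-style lines."""
    cleaned, excluded = [], []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        kind, path = fields[0][0], fields[1]
        age = fields[5] if len(fields) > 5 else "-"
        if kind == "x":  # 'x' lines exempt a path (globs allowed) from cleanup
            excluded.append(path)
        elif kind in DIR_TYPES and age != "-":
            cleaned.append((path.rstrip("/"), age))
    return cleaned, excluded


def cleanup_risk(keystore_path, tmpfiles_text):
    """Return the Age of the rule that would clean keystore_path, or None."""
    cleaned, excluded = parse_tmpfiles(tmpfiles_text)
    path = posixpath.normpath(keystore_path)
    for pattern in excluded:
        if fnmatch.fnmatchcase(path, pattern) or path.startswith(pattern.rstrip("/") + "/"):
            return None
    # Simplification: the most specific (longest) matching directory rule wins.
    matches = [(d, age) for d, age in cleaned if path.startswith(d + "/")]
    return max(matches, key=lambda m: len(m[0]))[1] if matches else None


if __name__ == "__main__":
    auto = "/tmp/saml-jenkins-keystore-5345145658381646927.jks"  # path from JENKINS-49747
    fixed = "/var/lib/jenkins/saml-keystore.jks"  # hypothetical persistent location
    for candidate in (auto, fixed):
        print(candidate, "->", cleanup_risk(candidate, SAMPLE_TMPFILES) or "not cleaned")
```

A non-`None` result means the keystore will eventually be removed by the cleaner; run the check against the concatenated contents of the host's tmpfiles.d directories.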