Jenkins: JENKINS-49613

SAML Plugin: org.pac4j.saml.exceptions.SAMLException: No valid subject assertion found in response

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: saml-plugin

      Description

      Every time I try to set up Jenkins with Okta I keep on getting this error:

      org.pac4j.saml.exceptions.SAMLException: No valid subject assertion found in response
          at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSamlSSOResponse(SAML2DefaultResponseValidator.java:313)
          at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validate(SAML2DefaultResponseValidator.java:138)
          at org.pac4j.saml.sso.impl.SAML2WebSSOMessageReceiver.receiveMessage(SAML2WebSSOMessageReceiver.java:77)
          at org.pac4j.saml.sso.impl.SAML2WebSSOProfileHandler.receive(SAML2WebSSOProfileHandler.java:35)
          at org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:225)
          at org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:60)
          at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:106)
          at org.jenkinsci.plugins.saml.SamlProfileWrapper.process(SamlProfileWrapper.java:53)
          at org.jenkinsci.plugins.saml.SamlProfileWrapper.process(SamlProfileWrapper.java:33)
          at org.jenkinsci.plugins.saml.OpenSAMLWrapper.get(OpenSAMLWrapper.java:65)
          at org.jenkinsci.plugins.saml.SamlSecurityRealm.doFinishLogin(SamlSecurityRealm.java:263)
          at java.lang.invoke.MethodHandle.invokeWithArguments(Unknown Source)
          at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
          at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77)
          at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
          at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
          at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
          at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
      Caused: javax.servlet.ServletException
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:765)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
          at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:209)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
          at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
          at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.jenkinsci.plugins.saml.SamlCrumbExclusion.process(SamlCrumbExclusion.java:28)
          at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:73)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
          at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
          at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
          at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
          at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
          at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
          at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
          at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
          at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
          at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
          at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
          at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
          at org.eclipse.jetty.server.Server.handle(Server.java:564)
          at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:317)
          at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
          at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
          at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
          at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
          at org.eclipse.jetty.util.thread.Invocable.invokePreferred(Invocable.java:128)
          at org.eclipse.jetty.util.thread.Invocable$InvocableExecutor.invoke(Invocable.java:222)
          at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:294)
          at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:199)
          at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
          at java.lang.Thread.run(Unknown Source)


      My SAML token from Okta:

      <?xml version="1.0" encoding="UTF-8"?>
      <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                       Destination="http://build.darknightsstudio.com/securityRealm/finishLogin"
                       ID="id1638912582897046678258360"
                       InResponseTo="_3akdanptzyjgyteoenhlcu3yelhoib72d61vteg"
                       IssueInstant="2018-02-18T04:10:57.672Z" Version="2.0">
        <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exkpo074lDAWvsg9O2p6</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#id1638912582897046678258360">
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
              <ds:DigestValue>fUs1F5Secmt2D8fPK9EgmxuR6C0GpR8xGE46I1Majuw=</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>rKYcNzm8MOBr2Nruy/9svjvOG94g1ysAsvt7qhhnCDm7wgI3gvvP7Q8ebHbFVqbSEF3lo3o2IHuFqqThV1mA8n77ldTI1EKU+wn05iV8Alj44GdrX3SFemERl6Z9LgtsSuQICI5qdNGUyJM608IyBPkScIe8EsKTmOTTZOoFibBD/8r5vQNCSqH8exNBZAyH5US/HsO5ZG3LeG/AlEzgnt8hEEwswDaIfudk8Txc9fFeOwsQT6z3a/w33YQf9nNAug+VbZ1sPw/tQuLxtjVtNxhC/nkAHHGBOvIV8Wdh0eMK1Fgt8y8nRhDS84T3dHv9vFrY1YqFBAQc/gLY35oF5A==</ds:SignatureValue>
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate>MIIDsDCCApigAwIBAgIGAWF4WygmMA0GCSqGSIb3DQEBCwUAMIGYMQswCQYDVQQGEwJVUzETMBEG
      A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
      MBIGA1UECwwLU1NPUHJvdmlkZXIxGTAXBgNVBAMMEGRhcmtuaWdodHNzdHVkaW8xHDAaBgkqhkiG
      9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTgwMjA5MDIxNzE1WhcNMjgwMjA5MDIxODE1WjCBmDEL
      MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28x
      DTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRkwFwYDVQQDDBBkYXJrbmlnaHRz
      c3R1ZGlvMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
      AQ8AMIIBCgKCAQEA5zxUTwLm73ObMse8ZqNbTIQnqWx9EhjKGd6bQPI+B+UKOHhcngF8T8xkumq0
      Vj0UMx/NK4GlZmNRzVqzeXgjlDaHKvmIFA+TZ14pZdRsGHuxoYlVFkd+cdec+FM+ch86EByZL81x
      y+ug1iAtCezsAh4WaCKBosI9h3L4RhZroH7tkdUBlia0ihQbtt/K+ur5HYJ9yspPc7rwvp+EU0oh
      pNnuATJRM/iX1L6QcdseqsTw9zuAzCrrunRoGQQA05iNf/d9hC9vbUGk00yRp9gNMNWGrARfSpup
      BO5Ki2vRK0JZDB7La6h8Rs0auwViior7tG4bTpQNvCiZmB1juGKsqQIDAQABMA0GCSqGSIb3DQEB
      CwUAA4IBAQCZwtpWurjDIQMr5IFo50T/E57MOS1PUalE5V3FYHUPJh5V2W4nawHNOnd0uwtimU3J
      fQmWKmpW6EKPHQuBDCwNzPQ3DGb0mmCe0aX6RQ/ZP9St4+JzcHIEnSbfNn7ezz7WKu/RTB9uqz3D
      OjLD/Su3rfn7MA913OUg5kjLEti6j0YrVwLoqvtqLABe/92amMxAEP6oOEPr/LnpA8VOHOgSMXaj
      TCX7iDSGKknSn4qrPGAB/WR4j/dpNgCTx9OHZ1QfyRBEA8iibuRgKng/2wZbwp2aCQGx2jxUcvqM
      W34gm4ghZHmd45clI5wI0mvQSaM/vZQ1aLnkjCfU5txxumQs</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </ds:Signature>
        <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
          <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        </saml2p:Status>
        <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                         ID="id16389125829226071571052657"
                         IssueInstant="2018-02-18T04:10:57.672Z" Version="2.0">
          <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exkpo074lDAWvsg9O2p6</saml2:Issuer>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
              <ds:Reference URI="#id16389125829226071571052657">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>mdbS46Og01FruYLqrZ/yKXHY9Vt6OCZbYoTa1ujNnCU=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>xOYw80HhRIi8l9YXp48nVOVCaB3aLbtGeu6P5jrupQ7YWZ47MTWN5VqAHjh0XtekFh6sc1zK/xOHcQr/0uf4kb96W0jboxSeyU5HKJwQAgghavVd9TQwXMB/OXAvaHnjNPB75v7ENq+rbsKJ3AcyIBSLqSWAnPkC8KH7Aomf9r52Y23S/9aTleac+///+nAJJsfF18Yw521WilhHfCGEjnc9yLPSylLYlFgxr0WOwRfTH6iVsXl1Hygif7znW1ABYP1tZ0cI/JuK3cGT9Ef4XEZDaeLbLhN/yOa8esisytQCXuFKpKI/DG65aZB4qCFGnrooBQ9NcXea3Pzr8hmgdg==</ds:SignatureValue>
            <ds:KeyInfo>
              <ds:X509Data>
                <ds:X509Certificate>MIIDsDCCApigAwIBAgIGAWF4WygmMA0GCSqGSIb3DQEBCwUAMIGYMQswCQYDVQQGEwJVUzETMBEG
      A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
      MBIGA1UECwwLU1NPUHJvdmlkZXIxGTAXBgNVBAMMEGRhcmtuaWdodHNzdHVkaW8xHDAaBgkqhkiG
      9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTgwMjA5MDIxNzE1WhcNMjgwMjA5MDIxODE1WjCBmDEL
      MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28x
      DTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRkwFwYDVQQDDBBkYXJrbmlnaHRz
      c3R1ZGlvMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
      AQ8AMIIBCgKCAQEA5zxUTwLm73ObMse8ZqNbTIQnqWx9EhjKGd6bQPI+B+UKOHhcngF8T8xkumq0
      Vj0UMx/NK4GlZmNRzVqzeXgjlDaHKvmIFA+TZ14pZdRsGHuxoYlVFkd+cdec+FM+ch86EByZL81x
      y+ug1iAtCezsAh4WaCKBosI9h3L4RhZroH7tkdUBlia0ihQbtt/K+ur5HYJ9yspPc7rwvp+EU0oh
      pNnuATJRM/iX1L6QcdseqsTw9zuAzCrrunRoGQQA05iNf/d9hC9vbUGk00yRp9gNMNWGrARfSpup
      BO5Ki2vRK0JZDB7La6h8Rs0auwViior7tG4bTpQNvCiZmB1juGKsqQIDAQABMA0GCSqGSIb3DQEB
      CwUAA4IBAQCZwtpWurjDIQMr5IFo50T/E57MOS1PUalE5V3FYHUPJh5V2W4nawHNOnd0uwtimU3J
      fQmWKmpW6EKPHQuBDCwNzPQ3DGb0mmCe0aX6RQ/ZP9St4+JzcHIEnSbfNn7ezz7WKu/RTB9uqz3D
      OjLD/Su3rfn7MA913OUg5kjLEti6j0YrVwLoqvtqLABe/92amMxAEP6oOEPr/LnpA8VOHOgSMXaj
      TCX7iDSGKknSn4qrPGAB/WR4j/dpNgCTx9OHZ1QfyRBEA8iibuRgKng/2wZbwp2aCQGx2jxUcvqM
      W34gm4ghZHmd45clI5wI0mvQSaM/vZQ1aLnkjCfU5txxumQs</ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </ds:Signature>
          <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">mjoye@darknightsstudio.com</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
              <saml2:SubjectConfirmationData InResponseTo="_3akdanptzyjgyteoenhlcu3yelhoib72d61vteg"
                                             NotOnOrAfter="2018-02-18T04:15:57.672Z"
                                             Recipient="http://build.darknightsstudio.com/securityRealm/finishLogin"/>
            </saml2:SubjectConfirmation>
          </saml2:Subject>
          <saml2:Conditions NotBefore="2018-02-18T04:05:57.672Z" NotOnOrAfter="2018-02-18T04:15:57.672Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:AudienceRestriction>
              <saml2:Audience>Jenkins-users</saml2:Audience>
            </saml2:AudienceRestriction>
          </saml2:Conditions>
          <saml2:AuthnStatement AuthnInstant="2018-02-18T04:10:56.199Z" SessionIndex="_3akdanptzyjgyteoenhlcu3yelhoib72d61vteg" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:AuthnContext>
              <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
          </saml2:AuthnStatement>
        </saml2:Assertion>
      </saml2p:Response>

          Activity

          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          Check that you have configured all fields: https://support.cloudbees.com/hc/en-us/articles/115000105752-How-do-I-setup-OKTA-as-Identity-Provider-in-Jenkins-

          Try enabling the advanced option "force authentication" and take a look at the troubleshooting guide; there is a known issue with Azure that is pretty similar.

          Also, it is weird that there is no "saml:AttributeStatement" containing the username and other details.

                  <saml:AttributeStatement>
                      <saml:Attribute Name="urn:mace:dir:attribute-def:uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                          <saml:AttributeValue xsi:type="xs:string">tesla</saml:AttributeValue>
                      </saml:Attribute>
                      <saml:Attribute Name="urn:mace:dir:attribute-def:displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                          <saml:AttributeValue xsi:type="xs:string">Tesla</saml:AttributeValue>
                      </saml:Attribute>
                      <saml:Attribute Name="urn:mace:dir:attribute-def:groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                          <saml:AttributeValue xsi:type="xs:string">developer</saml:AttributeValue>
                          <saml:AttributeValue xsi:type="xs:string">browser</saml:AttributeValue>
                      </saml:Attribute>
                      <saml:Attribute Name="urn:mace:dir:attribute-def:mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                          <saml:AttributeValue xsi:type="xs:string">email1@example.com</saml:AttributeValue>
                          <saml:AttributeValue xsi:type="xs:string">email2@example.com</saml:AttributeValue>
                      </saml:Attribute>
                      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                          <saml:AttributeValue xsi:type="xs:string">university.example.org</saml:AttributeValue>
                      </saml:Attribute>
                  </saml:AttributeStatement>
          

          Configure guide

          ifernandezcalvo Ivan Fernandez Calvo added a comment - edited

          Note: it is very important that the Okta setting "Audience URI (SP Entity ID)" matches the Jenkins SAML Plugin's Advanced Setting named "SP Entity ID"; if they do not match you will get an error like this: "org.pac4j.saml.exceptions.SAMLException: No valid subject assertion found in response"

          That is your issue: you set the Okta setting "Audience URI (SP Entity ID)" to "Jenkins-users" but you did not change the SAML Plugin's Advanced Setting named "SP Entity ID", so the SP Entity ID is http(s)://$Jenkins_URL/securityRealm/finishLogin. There are two solutions:

          • set the SAML Plugin's Advanced Setting named "SP Entity ID" to "Jenkins-users"

          or

          • set the Okta setting "Audience URI (SP Entity ID)" to "http(s)://$Jenkins_URL/securityRealm/finishLogin"
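The comment above explains the failure as an audience mismatch: the assertion carries `<saml2:Audience>Jenkins-users</saml2:Audience>` while the plugin's default SP Entity ID is the `/securityRealm/finishLogin` URL. The script below is an added illustration of the audience, recipient, InResponseTo and time-window checks an SP applies to a bearer assertion before accepting it; it is not pac4j's or the Jenkins SAML plugin's code. The ACS URL, request ID, timestamps and audience are taken from the response posted in the issue; `SAMPLE_RESPONSE` is constructed from that response with both `ds:Signature` blocks removed and the NameID replaced by a placeholder, and XML signature verification is deliberately out of scope (a real SP must verify the signature before trusting any of these fields).

```python
"""Audience, recipient and time-window checks an SP applies to a SAML Response.

Added illustration, not pac4j or Jenkins SAML plugin code. SAMPLE_RESPONSE is
constructed from the Okta response in the issue with both ds:Signature blocks
removed and the NameID replaced; a real SP verifies the XML signature first.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# From the issue: the Jenkins ACS endpoint (also the plugin's default SP Entity
# ID, per the comment above) and the AuthnRequest ID this response answers.
ACS_URL = "http://build.darknightsstudio.com/securityRealm/finishLogin"
DEFAULT_SP_ENTITY_ID = ACS_URL
REQUEST_ID = "_3akdanptzyjgyteoenhlcu3yelhoib72d61vteg"

# Constructed sample (signatures stripped, NameID replaced by a placeholder).
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" Version="2.0"
    Destination="{ACS_URL}" ID="id1638912582897046678258360"
    InResponseTo="{REQUEST_ID}" IssueInstant="2018-02-18T04:10:57.672Z">
  <saml2:Issuer xmlns:saml2="{NS['saml2']}">http://www.okta.com/exkpo074lDAWvsg9O2p6</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="{NS['saml2']}" ID="id16389125829226071571052657"
      IssueInstant="2018-02-18T04:10:57.672Z" Version="2.0">
    <saml2:Issuer>http://www.okta.com/exkpo074lDAWvsg9O2p6</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="{BEARER}">
        <saml2:SubjectConfirmationData InResponseTo="{REQUEST_ID}"
            NotOnOrAfter="2018-02-18T04:15:57.672Z" Recipient="{ACS_URL}"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-02-18T04:05:57.672Z" NotOnOrAfter="2018-02-18T04:15:57.672Z">
      <saml2:AudienceRestriction><saml2:Audience>Jenkins-users</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""


def parse_ts(value):
    """Parse the UTC timestamp format Okta uses in the response."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, sp_entity_id, acs_url, request_id, now, skew=timedelta(0)):
    """Return (IDs of assertions this SP may accept, rejection reasons)."""
    root = ET.fromstring(xml_text)
    reasons = []
    code = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        reasons.append("response status is not Success")
    if root.get("Destination") not in (None, acs_url):
        reasons.append("response Destination is not the ACS URL")
    if root.get("InResponseTo") != request_id:
        reasons.append("response InResponseTo does not match the AuthnRequest")
    response_ok = not reasons
    valid = []
    for a in root.findall("saml2:Assertion", NS):
        aid, problems = a.get("ID"), []
        cond = a.find("saml2:Conditions", NS)
        if cond is not None:
            nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
            if nb and now + skew < parse_ts(nb):
                problems.append("NotBefore is in the future")
            if noa and now - skew >= parse_ts(noa):
                problems.append("assertion has expired")
            audiences = [(x.text or "").strip()
                         for x in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
            # The check that fails in the issue: the SP's own entity ID must be listed.
            if audiences and sp_entity_id not in audiences:
                problems.append(f"audience {audiences} does not include SP entity ID {sp_entity_id!r}")
        # A bearer assertion needs one SubjectConfirmationData addressed to this SP and request.
        confirmed, sc_problems = False, []
        for sc in a.findall("saml2:Subject/saml2:SubjectConfirmation", NS):
            d = sc.find("saml2:SubjectConfirmationData", NS)
            if sc.get("Method") != BEARER or d is None:
                continue
            if d.get("Recipient") != acs_url:
                sc_problems.append(f"Recipient {d.get('Recipient')!r} is not the ACS URL")
            elif d.get("InResponseTo") != request_id:
                sc_problems.append("SubjectConfirmationData InResponseTo mismatch")
            elif d.get("NotOnOrAfter") and now - skew >= parse_ts(d.get("NotOnOrAfter")):
                sc_problems.append("SubjectConfirmationData has expired")
            else:
                confirmed = True
        if not confirmed:
            problems.extend(sc_problems or ["no bearer SubjectConfirmation"])
        reasons.extend(f"{aid}: {p}" for p in problems)
        if response_ok and not problems:
            valid.append(aid)
    if not valid:
        reasons.append("No valid subject assertion found in response")
    return valid, reasons


def jenkins_vs_okta_demo(now=parse_ts("2018-02-18T04:11:00.000Z")):
    """The issue: Okta audience 'Jenkins-users' against the plugin's default SP Entity ID."""
    broken = validate_response(SAMPLE_RESPONSE, DEFAULT_SP_ENTITY_ID, ACS_URL, REQUEST_ID, now)
    fixed = validate_response(SAMPLE_RESPONSE, "Jenkins-users", ACS_URL, REQUEST_ID, now)
    return broken, fixed
```

`jenkins_vs_okta_demo()` returns the two outcomes side by side: with the default SP Entity ID the only assertion is rejected for the audience mismatch and the overall result is the "No valid subject assertion found in response" message; with the SP Entity ID set to "Jenkins-users" (Ivan's first fix) the same response is accepted. The `now` argument is pinned inside the assertion's five-minute validity window so the example runs offline; pass a later instant to see the NotOnOrAfter checks reject it instead.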
          mjoye Michael joye added a comment -

          Ivan,

          Thank you very much. I am still kind of new to this SAML stuff, and the guide from CloudBees never said to change that. Now that I have changed it, it works.


            People

            • Assignee: ifernandezcalvo Ivan Fernandez Calvo
            • Reporter: mjoye Michael joye
            • Votes: 0
            • Watchers: 2