Jenkins / JENKINS-52201

Connection to Identity Provider fails because ID not sent


      Description

      I am trying to set up an SSO connection between Jenkins/SAML Plugin as SP and PingOne as our IDP. After setting up the IDP side and importing its metadata to Jenkins, we encountered a problem: The IDP suddenly requires a verification of the email address, which is very unusual.

       

      After some research I found this article:

      https://ping.force.com/Support/Group-Detail/PingOne-Q&A/Feed-Detail/feedId_0D54000002exDErCAM

       

      The article says that the "idpid" is not sent to the IDP and therefore the IDP is not able to map the request from the SP to the specific application.

       

      The metadata received from the IDP indeed contains the "IDPID" as shown in the following example:

      <md:SingleSignOnService Location="https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=10854xxx-bxxx-4xxx-958b-2af773342f11" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>

      But the request from the SP to the IDP during the login process just ignores or fails to send the IDPID. The SP sends the following URL to the IDP:

      https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?SAMLRequest=jVJNb9swDL3vVxi6%2BzNO4wqxg2xFsQLZGiTpDrsMskw76mLKEaWg7a%2Bf6jRYdyl2JMj3%2BPge54un%2FhCcwJDSWLI0SlgAKHWjsCvZw%2B42LNii%2BjQn0R%2BygS%2Bd3eMGjg7IBksiMNbjvmgk14PZgjkpCQ%2BbVcn21g7E4%2FgR8LdCCqWKSDtsHCoLTSR1f2nFBNIZZZ83IA593CpUtF%2FpTiELbvwehcKO4i6URNrjEUHaaPA6VQNoPX4k9c1YNUO83d5Ho%2BiFr1RTpkkxzSdFEtZ1C2HeQB5eT4s6zEQ7m00medamKQtutZEwHlmyVhwIWHB3U7Jf2tHQv2iqB9Okqpso2fXCCn3s98Z1zfHJNfsXUftpWgsidYK%2FeCIHd0hWoC1ZlqRFmFyF2WyXTPm04Nk0Sq6uf7JgbbTVUh8%2BKzyb7wxyLUgRR9EDcSv5dvltxbMo4fV5iPjX3W4dru%2B3u5Hg5K0w3%2F10yQYh88fw1QEW%2FLjEm73G6wNH4udAP94yvEli1Tl%2FPt5i3jN8TCAuH8Kq%2F%2F%2BHefx%2BWfVW%2Fvt71R8%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=m26OTtHdK1sWCurrywHJS%2Bokptdg71B84JOItrj5xObc3SVEvcGjLGCEUgfccmz2Dbq5sA%2FBClc%2B8B4kt9q9%2FZFHZ%2B2%2FD%2Bnw%2BMvyolzQ6HejxCYsgwf0geb%2ByLjg8znQ6bGOg2sTGxxAkokuxwebJOR6idewdZ2C27zTG2MlGXIvLATkFfh75SNWmBeYBOlKj4E%2FZMd3uyguNNGMfyzb36438beLCK1Lwg8bIbAsssz%2B553lW0MZrFlCZ8pwhmZFmYt8L4rPkkxP4t7hFvM36x8pKj6UoZkyWF6HwGxKyGCega9j2pGibT2LMxfSkSzdeuVFQyqRvbRAK9CtNxNRNA%3D%3D

      But the correct URL should look like this:

      https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=10854xxx-bxxx-4xxx-958b-2af773342f11&SAMLRequest=jVJNb9swDL3vVxi6%2BzNO4wqxg2xFsQLZGiTpDrsMskw76mLKEaWg7a%2Bf6jRYdyl2JMj3%2BPge54un%2FhCcwJDSWLI0SlgAKHWjsCvZw%2B42LNii%2BjQn0R%2BygS%2Bd3eMGjg7IBksiMNbjvmgk14PZgjkpCQ%2BbVcn21g7E4%2FgR8LdCCqWKSDtsHCoLTSR1f2nFBNIZZZ83IA593CpUtF%2FpTiELbvwehcKO4i6URNrjEUHaaPA6VQNoPX4k9c1YNUO83d5Ho%2BiFr1RTpkkxzSdFEtZ1C2HeQB5eT4s6zEQ7m00medamKQtutZEwHlmyVhwIWHB3U7Jf2tHQv2iqB9Okqpso2fXCCn3s98Z1zfHJNfsXUftpWgsidYK%2FeCIHd0hWoC1ZlqRFmFyF2WyXTPm04Nk0Sq6uf7JgbbTVUh8%2BKzyb7wxyLUgRR9EDcSv5dvltxbMo4fV5iPjX3W4dru%2B3u5Hg5K0w3%2F10yQYh88fw1QEW%2FLjEm73G6wNH4udAP94yvEli1Tl%2FPt5i3jN8TCAuH8Kq%2F%2F%2BHefx%2BWfVW%2Fvt71R8%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=m26OTtHdK1sWCurrywHJS%2Bokptdg71B84JOItrj5xObc3SVEvcGjLGCEUgfccmz2Dbq5sA%2FBClc%2B8B4kt9q9%2FZFHZ%2B2%2FD%2Bnw%2BMvyolzQ6HejxCYsgwf0geb%2ByLjg8znQ6bGOg2sTGxxAkokuxwebJOR6idewdZ2C27zTG2MlGXIvLATkFfh75SNWmBeYBOlKj4E%2FZMd3uyguNNGMfyzb36438beLCK1Lwg8bIbAsssz%2B553lW0MZrFlCZ8pwhmZFmYt8L4rPkkxP4t7hFvM36x8pKj6UoZkyWF6HwGxKyGCega9j2pGibT2LMxfSkSzdeuVFQyqRvbRAK9CtNxNRNA%3D%3D

      When putting the correct URL containing the IDPID into the browser, the login succeeds. Second, login succeeds from the IDP side to the SP side as well.

       

          Activity

          There are no comments yet on this issue.
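The behaviour reported above can be checked mechanically. The following is an added example, not code from the Jenkins SAML plugin or from the reporter: it reads the HTTP-Redirect `SingleSignOnService` Location from IdP metadata, appends an already-encoded SAML query string without discarding the Location's own parameters, and lists any Location parameters missing from an observed redirect URL. The metadata, host name, `idpid` value and function names are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit, parse_qsl

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata; host and idpid are placeholders, not real tenant data.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/idp/SSO.saml2?idpid=PLACEHOLDER-IDPID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def redirect_location(metadata_xml):
    """Return the HTTP-Redirect SingleSignOnService Location from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    for sso in root.iterfind(".//md:SingleSignOnService", MD_NS):
        if sso.get("Binding") == REDIRECT:
            return sso.get("Location")
    raise ValueError("no HTTP-Redirect SingleSignOnService in metadata")


def build_redirect_url(location, signed_query):
    """Append the SP's encoded SAML query to the Location, keeping its own query.

    signed_query is the exact string the SP signed plus "&Signature=...".
    It is appended byte for byte, because the redirect-binding signature
    covers the encoded SAMLRequest/RelayState/SigAlg octets, and re-encoding
    them could invalidate it. Extra Location parameters are not signed.
    """
    parts = urlsplit(location)
    query = f"{parts.query}&{signed_query}" if parts.query else signed_query
    return urlunsplit(parts._replace(query=query))


def dropped_params(location, observed_url):
    """List Location query parameters that are absent from an observed redirect URL."""
    expected = parse_qsl(urlsplit(location).query, keep_blank_values=True)
    observed = parse_qsl(urlsplit(observed_url).query, keep_blank_values=True)
    return [pair for pair in expected if pair not in observed]
```

Running `dropped_params` against a redirect URL captured from the browser during a failed login shows whether the SP discarded parameters such as `idpid` from the metadata Location.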

            People

            • Assignee:
              ifernandezcalvo Ivan Fernandez Calvo
              Reporter:
              tompf Tom Pfueller