Jenkins / JENKINS-55809

Missing Logout Url in SAML metadata XML for ADFS

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: saml-plugin
    • Labels:
      None

      Description

      I used the Metadata URL for ADFS, which is working very well; only the entry for the SAML Logout page is missing, which is configurable in Jenkins directly. This data is missing in the Metadata XML.

        Attachments

          Activity

          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          Can you attach the JENKINS_HOME/saml-idp-metadata.xml file? You can remove keys and URLs; I want to see the configuration. It should have a `SingleLogoutService` configuration to be able to redirect somewhere, and only the redirect method is supported.

          <IDPSSODescriptor>
            ....
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://SAML_SERVER/idp"/>
          </IDPSSODescriptor>
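          A quick way to verify what the comment above asks about, before assuming logout is wired up: parse the saved IdP metadata and list the SingleLogoutService endpoints it advertises, flagging whether an HTTP-Redirect one exists. This is an added example, not code from the saml-plugin; the metadata strings below are constructed samples with placeholder hosts, and the function and variable names are this example's own.

```python
"""Report which SingleLogoutService bindings a SAML IdP metadata file advertises.

Added example (not saml-plugin code). Run with a path to a metadata file such as
JENKINS_HOME/saml-idp-metadata.xml, or with no argument to use the constructed
sample. Prefer defusedxml for metadata from sources you do not control.
"""
import sys
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def single_logout_endpoints(metadata_xml: str) -> List[Tuple[str, str]]:
    """Return (binding, location) for every SingleLogoutService under an IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    endpoints = []
    # iter() walks the whole tree, so EntitiesDescriptor wrappers are handled too.
    for idp in root.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        for slo in idp.findall(f"{{{MD_NS}}}SingleLogoutService"):
            endpoints.append((slo.get("Binding", ""), slo.get("Location", "")))
    return endpoints


def redirect_logout_url(metadata_xml: str) -> Optional[str]:
    """Location of the HTTP-Redirect SLO endpoint, or None if the IdP does not advertise one."""
    for binding, location in single_logout_endpoints(metadata_xml):
        if binding == REDIRECT_BINDING and location:
            return location
    return None


def report(metadata_xml: str) -> str:
    """One-line verdict a Jenkins admin can act on."""
    endpoints = single_logout_endpoints(metadata_xml)
    url = redirect_logout_url(metadata_xml)
    if url:
        return f"redirect logout available: {url}"
    if endpoints:
        names = ", ".join(binding.rsplit(":", 1)[-1] for binding, _ in endpoints)
        return f"logout endpoints exist but none uses HTTP-Redirect: {names}"
    return "no SingleLogoutService: the IdP session will outlive a Jenkins logout"


# Constructed sample metadata (placeholder host, certificates omitted).
METADATA_WITH_REDIRECT = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://adfs.example.test/adfs/ls/"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed: only a POST logout binding, which the plugin comment says is unsupported.
METADATA_POST_ONLY = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://idp.example.test">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://idp.example.test/slo"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed: no logout endpoint at all.
METADATA_NO_SLO = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://idp.example.test">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://idp.example.test/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(report(fh.read()))
    else:
        for sample in (METADATA_WITH_REDIRECT, METADATA_POST_ONLY, METADATA_NO_SLO):
            print(report(sample))
```

          The verdict strings are the point: if the metadata has no HTTP-Redirect SingleLogoutService, the Jenkins session can be ended but the IdP session stays alive, which matches the "logout looks like it worked but re-auth is never prompted" behaviour discussed later in this issue.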
          
          chrisro Christian Rohr added a comment -

          I uploaded the file. I removed secrets and replaced them by [...]. Thank you in advance.

          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          I reviewed the code, and the SingleLogoutService is never loaded from the IdP metadata; it is not implemented, so it is a new feature to implement.

          jesse19 Jesse Borden added a comment - edited

          I can't add screenshots to the ADFS configuration example, but the Jenkins side of it is not very clear. I am attaching screenshots that might improve those instructions here:

          https://github.com/jenkinsci/saml-plugin/blob/master/doc/ADFS_CONFIG.md

          Add this to the Jenkins Side

          I think some people, like me, screw up the Redirect part and set it to POST inadvertently, and I reached a blind conclusion that the logout was broken. It's not really.

          Add this to the Windows Server side

          It shows the logout URL being mirrored in both the Jenkins and the ADFS configuration.

          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          Thx Jesse Borden, I'll add your comments to the guide.

          jesse19 Jesse Borden added a comment -

          I guess that wa=wsignout1.0 is only for WS-Federation, so it says it works, but it might be lying, because navigating back to the URL, and even closing the browser and going back, sometimes doesn't prompt for re-authentication. I'm trying to see if there is a way to just force authentication every time as a workaround until you fix this. No luck yet, but it does seem to get a new SAML request ID.


            People

            • Assignee: ifernandezcalvo Ivan Fernandez Calvo
            • Reporter: chrisro Christian Rohr
            • Votes: 1
            • Watchers: 3
