JENKINS-57568

Signature is not trusted errors with Azure AD Configuration

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Incomplete
    • Component/s: saml-plugin
    • Labels:
      None
    • Environment:
      Jenkins 2.164.3 LTS
      saml-plugin 1.1.2

      Description

      Hello - 

      We are having issues when configuring the SAML plugin for Azure AD. After following the [config guide|https://github.com/jenkinsci/saml-plugin/blob/master/doc/CONFIGURE_AZURE.md], I'm able to log in via Azure AD/SSO, but then am immediately logged out.

      I'm seeing the following in the Jenkins logs. I've tried the configuration both with and without Encryption Configuration checked as well. When checked, I followed the instructions in the help dialog to generate a new keystore and referenced that keystore in the config successfully. Still getting the same behavior, either way.


      Log snippet with exception:

      jenkins_1      | May 20, 2019 5:30:35 PM org.opensaml.core.config.InitializationService initialize
      jenkins_1      | May 20, 2019 5:30:35 PM org.opensaml.core.config.InitializationService initialize
      jenkins_1      | INFO: Initializing OpenSAML using the Java Services API
      jenkins_1      | May 20, 2019 5:30:36 PM org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver <init>
      jenkins_1      | INFO: Using SP entity ID https://jenkins-dev.mycompany.com
      jenkins_1      | May 20, 2019 5:30:36 PM org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver resolve
      jenkins_1      | INFO: Writing sp metadata to /var/jenkins_home/saml-sp-metadata.xml
      jenkins_1      | May 20, 2019 5:30:36 PM org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver resolve
      jenkins_1      | INFO: Attempting to create directory structure for /var/jenkins_home
      jenkins_1      | May 20, 2019 5:30:36 PM org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver resolve
      jenkins_1      | WARNING: Could not construct the directory structure for SP metadata /var/jenkins_home/saml-sp-metadata.xml
      jenkins_1      | May 20, 2019 5:30:36 PM org.apache.xml.security.signature.XMLSignature checkSignatureValue
      jenkins_1      | WARNING: Signature verification failed.
      jenkins_1      | May 20, 2019 5:30:36 PM org.apache.xml.security.signature.XMLSignature checkSignatureValue
      jenkins_1      | WARNING: Signature verification failed.
      jenkins_1      | May 20, 2019 5:30:36 PM org.apache.xml.security.signature.XMLSignature checkSignatureValue
      jenkins_1      | WARNING: Signature verification failed.
      jenkins_1      | May 20, 2019 5:30:36 PM org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator validateSamlSSOResponse
      jenkins_1      | SEVERE: Current assertion validation failed, continue with the next one
      jenkins_1      | org.pac4j.saml.exceptions.SAMLException: Signature is not trusted
      jenkins_1      | at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSignature(SAML2DefaultResponseValidator.java:689)
      jenkins_1      | at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateAssertionSignature(SAML2DefaultResponseValidator.java:644)
      jenkins_1      | at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateAssertion(SAML2DefaultResponseValidator.java:395)
      jenkins_1      | at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSamlSSOResponse(SAML2DefaultResponseValidator.java:302)
      jenkins_1      | at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validate(SAML2DefaultResponseValidator.java:138)
      jenkins_1      | at org.pac4j.saml.sso.impl.SAML2WebSSOMessageReceiver.receiveMessage(SAML2WebSSOMessageReceiver.java:77)
      jenkins_1      | at org.pac4j.saml.sso.impl.SAML2WebSSOProfileHandler.receive(SAML2WebSSOProfileHandler.java:35)
      jenkins_1      | at org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:225)
      jenkins_1      | at org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:60)
      jenkins_1      | at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:106)
      jenkins_1      | at org.jenkinsci.plugins.saml.SamlProfileWrapper.process(SamlProfileWrapper.java:55)
      jenkins_1      | at org.jenkinsci.plugins.saml.SamlProfileWrapper.process(SamlProfileWrapper.java:35)
      jenkins_1      | at org.jenkinsci.plugins.saml.OpenSAMLWrapper.get(OpenSAMLWrapper.java:64)
      jenkins_1      | at org.jenkinsci.plugins.saml.SamlSecurityRealm.doFinishLogin(SamlSecurityRealm.java:312)
      jenkins_1      | at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
      jenkins_1      | at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
      jenkins_1      | at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
      jenkins_1      | at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77)
      jenkins_1      | at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
      jenkins_1      | at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
      jenkins_1      | at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
      jenkins_1      | at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:537)
      jenkins_1      | at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
      jenkins_1      | at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:739)
      jenkins_1      | at org.kohsuke.stapler.Stapler.invoke(Stapler.java:870)
      jenkins_1      | at org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:221)
      jenkins_1      | at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
      jenkins_1      | at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:739)
      jenkins_1      | at org.kohsuke.stapler.Stapler.invoke(Stapler.java:870)
      jenkins_1      | at org.kohsuke.stapler.Stapler.invoke(Stapler.java:668)
      jenkins_1      | at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
      jenkins_1      | at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      jenkins_1      | at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)
      jenkins_1      | at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)
      jenkins_1      | at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
      jenkins_1      | at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:243)
      jenkins_1      | at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      jenkins_1      | at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
      jenkins_1      | at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      jenkins_1      | at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:61)
      jenkins_1      | at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      jenkins_1      | at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128)
      jenkins_1      | at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      jenkins_1      | at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
      jenkins_1      | at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
      jenkins_1      | at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:64)
      jenkins_1      | at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
      jenkins_1      | at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
      jenkins_1      | at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
      jenkins_1      | at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      jenkins_1      | at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
      jenkins_1      | at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      jenkins_1      | at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
      jenkins_1      | at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      jenkins_1      | at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
      jenkins_1      | at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      jenkins_1      | at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
      jenkins_1      | at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      jenkins_1      | at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
      jenkins_1      | at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      jenkins_1      | at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      jenkins_1      | at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      jenkins_1      | at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      jenkins_1      | at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
      jenkins_1      | at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
      jenkins_1      | at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
      jenkins_1      | at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
      jenkins_1      | at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
      jenkins_1      | at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
      jenkins_1      | at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
      jenkins_1      | at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      jenkins_1      | at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
      jenkins_1      | at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
      jenkins_1      | at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
      jenkins_1      | at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
      jenkins_1      | at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
      jenkins_1      | at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
      jenkins_1      | at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
      jenkins_1      | at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
      jenkins_1      | at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1340)
      jenkins_1      | at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
      jenkins_1      | at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
      jenkins_1      | at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
      jenkins_1      | at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
      jenkins_1      | at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1242)
      jenkins_1      | at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
      jenkins_1      | at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
      jenkins_1      | at org.eclipse.jetty.server.Server.handle(Server.java:503)
      jenkins_1      | at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
      jenkins_1      | at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
      jenkins_1      | at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
      jenkins_1      | at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
      jenkins_1      | at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
      jenkins_1      | at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
      jenkins_1      | at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
      jenkins_1      | at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
      jenkins_1      | at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
      jenkins_1      | at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
      jenkins_1      | at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
      jenkins_1      | at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
      jenkins_1      | at java.lang.Thread.run(Thread.java:748)
      jenkins_1      |
      jenkins_1      | May 20, 2019 5:30:36 PM org.jenkinsci.plugins.saml.SamlSecurityRealm doFinishLogin


          Activity

          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          This does not look like a bug; it is mostly something wrong in the configuration. For further questions use the Google Groups, not the Jira; see [How to report an issue|https://wiki.jenkins.io/display/JENKINS/How+to+report+an+issue].

          If the signature is not valid, probably the SAMLResponse is not valid because the signature does not match. Enable verbose logging and check the logs; see https://github.com/jenkinsci/saml-plugin/blob/master/doc/TROUBLESHOOTING.md

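One check a defender can run when following the comment's advice, as an added Python example (not the plugin's or the reporter's code): compare the certificate embedded in the SAMLResponse's signature with the signing certificates listed in the IdP metadata, and the Issuer with the metadata entityID. A mismatch, typically after the IdP rotated its signing certificate or the SP kept a stale metadata copy, is one reason the response validator reports the signature as not trusted. The metadata, response, entityID and certificate values below are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample inputs; the X509Certificate values are placeholders, not real certificates.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example/">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    MIIC-CONSTRUCTED-OLD-CERT
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>https://idp.example/</saml:Issuer>
  <saml:Assertion><ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>MIIC-CONSTRUCTED-NEW-CERT</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion></samlp:Response>"""

def _norm(b64):
    """Base64 certificates are usually line-wrapped; drop whitespace before comparing."""
    return re.sub(r"\s+", "", b64 or "")

def idp_signing_certs(metadata_xml):
    """Return (entityID, set of signing certificates) declared in the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    certs = set()
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # absent 'use' means signing and encryption
            certs.update(_norm(c.text) for c in kd.iterfind(".//ds:X509Certificate", NS))
    return root.get("entityID"), certs

def response_signing_certs(response_xml):
    """Return (Issuer values, certificates embedded in the response's signatures)."""
    root = ET.fromstring(response_xml)
    issuers = {(i.text or "").strip() for i in root.iterfind(".//saml:Issuer", NS)}
    return issuers, {_norm(c.text) for c in root.iterfind(".//ds:X509Certificate", NS)}

def diagnose(metadata_xml, response_xml):
    """List mismatches that would make the response's signature untrusted; [] means consistent."""
    entity_id, trusted = idp_signing_certs(metadata_xml)
    issuers, used = response_signing_certs(response_xml)
    findings = [f"Issuer {i} != metadata entityID {entity_id}" for i in issuers if i != entity_id]
    if not used:
        findings.append("response embeds no X509Certificate, nothing to compare with the metadata")
    elif not (used & trusted):
        findings.append("certificate in the response signature is not a signing certificate in the IdP metadata")
    return findings
```

Run `diagnose()` on the decoded SAMLResponse captured with the verbose logging the troubleshooting guide describes, together with the IdP metadata the plugin is configured with; an empty list means the trust failure lies elsewhere (for example in the signed content itself).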

            People

            • Assignee: ifernandezcalvo Ivan Fernandez Calvo
            • Reporter: lesterp33 Lester Pimentel
