JENKINS-61917

Remove Signature and SigAlg from SAML Request

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Postponed
    • Component/s: saml-plugin
    • Environment: Jenkins 2.230, SAML Plugin 1.1.5, java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64

      Description


      We are unable to get the plugin working with any of the 1.X releases, and have been version locked at 0.14. I've noticed that the SAML request sent by Jenkins in the 1.1.5 version now contains a block with a signature at the end, which our IdP team has identified as the root cause of the issue. I've tried toggling plugin settings but there does not seem to be a way to remove the SigAlg and Signature from the request. The only workaround we've found is to downgrade the plugin to 0.14.

      Is there a way to remove this block from the request in version 1.1.5?


            Activity

            ifernandezcalvo Ivan Fernandez Calvo added a comment -

            The IdP configuration is correct:

            IDPSSODescriptor WantAuthnRequestsSigned="false"

            does not request a signature, and the SP configuration is also correct:

            <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"

            also looks correct: Jenkins should not sign the request and should request the assertion signed. I will reopen the issue and take a look in a test environment.

            jayblake Jonathan Blake added a comment -

            Thank you Ivan Fernandez Calvo, I'll continue to monitor this ticket. Please let me know if there's any other information you need.

            ifernandezcalvo Ivan Fernandez Calvo added a comment -

            I can confirm that the disable signing setting does not work with redirect binding. It is a long story that drove me crazy a long time ago when I updated the library. So in the version of pac4j we use, `forceSignRedirectBindingAuthnRequest` and `authnRequestSigned` do not work as expected. Indeed it is not possible to change the value of authnRequestSigned; I have to extend the class to override the `isAuthnRequestSigned()` method and add a `setAuthnRequestSigned()` method, but this workaround only works with POST binding. It is not possible to upgrade the library again because it uses a newer version of Spring and Jenkins Core uses an old one. So the only solution is to stop using the pac4j library and use the OpenSAML library directly, but this is a reimplementation of the plugin.
            I will document it and come back to it when I change the library.

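The two comments above compare three things by hand: the IdP metadata flag WantAuthnRequestsSigned, the SP metadata flag AuthnRequestsSigned, and whether the redirect-binding request Jenkins actually sent carries the SigAlg and Signature query parameters. The following script is an added example (not code from the SAML plugin, pac4j, or any commenter) that automates that comparison: it decodes the SAMLRequest parameter of an HTTP-Redirect binding URL (base64 over raw DEFLATE), reports whether SigAlg/Signature are present, reads the two metadata attributes, and lists mismatches. All URLs, entity IDs, metadata and the request itself are constructed sample data; the Signature value is a placeholder and is not verified, since the point here is only to detect the signature block the reporter observed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

# SAML 2.0 namespaces used below.
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def decode_redirect_saml_request(encoded: str) -> str:
    """Undo the HTTP-Redirect binding encoding: base64 -> raw DEFLATE -> XML text."""
    raw = base64.b64decode(encoded)
    # wbits=-15 selects a raw DEFLATE stream without a zlib header, as the binding requires.
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_redirect_saml_request(xml_text: str) -> str:
    """Inverse of the above; used here only to build the constructed sample URLs."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def inspect_redirect_request(url: str) -> dict:
    """Report what a redirect-binding request carries: type, issuer, and whether
    the SigAlg/Signature query parameters (the block the reporter saw) are present."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    encoded = query.get("SAMLRequest", [None])[0]
    if encoded is None:
        raise ValueError("no SAMLRequest parameter in URL")
    root = ET.fromstring(decode_redirect_saml_request(encoded))
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "request_type": root.tag.split("}")[-1],
        "issuer": issuer.text if issuer is not None else None,
        "signed": "SigAlg" in query and "Signature" in query,
        "sig_alg": query.get("SigAlg", [None])[0],
    }


def metadata_signing_flags(sp_metadata: str, idp_metadata: str) -> dict:
    """Read the two metadata attributes the comments above compare."""
    sp_desc = ET.fromstring(sp_metadata).find(f".//{{{MD_NS}}}SPSSODescriptor")
    idp_desc = ET.fromstring(idp_metadata).find(f".//{{{MD_NS}}}IDPSSODescriptor")

    def flag(element, name):
        # Both attributes default to false in the SAML metadata schema.
        return element is not None and element.get(name, "false").lower() == "true"

    return {
        "sp_authn_requests_signed": flag(sp_desc, "AuthnRequestsSigned"),
        "idp_wants_authn_requests_signed": flag(idp_desc, "WantAuthnRequestsSigned"),
    }


def diagnose(url: str, sp_metadata: str, idp_metadata: str) -> list:
    """Return human-readable mismatches between what was sent and what metadata declares."""
    request = inspect_redirect_request(url)
    flags = metadata_signing_flags(sp_metadata, idp_metadata)
    findings = []
    if request["signed"] and not flags["sp_authn_requests_signed"]:
        findings.append("SP metadata declares AuthnRequestsSigned=false but the redirect "
                        "request carries SigAlg and Signature")
    if flags["idp_wants_authn_requests_signed"] and not request["signed"]:
        findings.append("IdP metadata declares WantAuthnRequestsSigned=true but the "
                        "redirect request is unsigned")
    return findings


# Constructed sample data (not captured from any real deployment).
SP_ENTITY_ID = "https://sp.example.invalid"
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2020-04-20T00:00:00Z" '
    f'AssertionConsumerServiceURL="{SP_ENTITY_ID}/acs">'
    f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
)
_BASE_PARAMS = {
    "SAMLRequest": encode_redirect_saml_request(SAMPLE_AUTHN_REQUEST),
    "RelayState": "constructed-relay-state",
}
SAMPLE_UNSIGNED_URL = "https://idp.example.invalid/sso?" + urlencode(_BASE_PARAMS)
SAMPLE_SIGNED_URL = "https://idp.example.invalid/sso?" + urlencode({
    **_BASE_PARAMS,
    "SigAlg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "Signature": base64.b64encode(b"constructed, not a real signature").decode("ascii"),
})
SAMPLE_SP_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{SP_ENTITY_ID}">'
    '<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" '
    f'protocolSupportEnumeration="{SAMLP_NS}"/></md:EntityDescriptor>'
)
SAMPLE_IDP_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.invalid">'
    '<md:IDPSSODescriptor WantAuthnRequestsSigned="false" '
    f'protocolSupportEnumeration="{SAMLP_NS}"/></md:EntityDescriptor>'
)

if __name__ == "__main__":
    for label, url in (("signed", SAMPLE_SIGNED_URL), ("unsigned", SAMPLE_UNSIGNED_URL)):
        print(label, inspect_redirect_request(url))
        print("  findings:", diagnose(url, SAMPLE_SP_METADATA, SAMPLE_IDP_METADATA))
```

To use it against a real deployment, paste the Location header of the redirect Jenkins issues after the login click in place of the constructed URL, and the two metadata documents in place of the samples; a finding on the first rule is exactly the situation this ticket describes (metadata says unsigned, wire says signed), which the plugin's settings could not correct for redirect binding.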
            jayblake Jonathan Blake added a comment -

            Ivan Fernandez Calvo, I appreciate you looking into this. What is the timetable for changing the core library? I'm trying to determine if my team should continue with the deprecated version of the plugin or maybe pursue another auth method for the time being.

            ifernandezcalvo Ivan Fernandez Calvo added a comment -

            > I appreciate you looking into this. What is the timetable for changing the core library?

            Not soon. I do not have a start date for it.


              People

              • Assignee: ifernandezcalvo Ivan Fernandez Calvo
              • Reporter: jayblake Jonathan Blake
              • Votes: 0
              • Watchers: 2
