JENKINS-63345

Jenkins SAML SLO fails due to CSRF

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Component/s: saml-plugin

      Description

      Once you configure the "Logout URL" field in the SAML plugin and hit the "Logout" button in the Jenkins UI, logout fails with a message:

      HTTP ERROR 403 No valid crumb was included in the request

      I believe this is due to the now enforced CSRF protection.

      When I disable the SAML plugin and log on with a local Jenkins user, the logout functionality works as expected.

      As a workaround, I have tried to:

      • Enable/disable the "proxy compatibility" checkbox for the Default Crumb Issuer
      • Add a reverse proxy (Nginx) to my setup in order to redirect the browser to the Identity Provider for Single Log Out
        The problem with this is that we bypass Jenkins' standard logout and I can't figure out how to reset the Jenkins session
      • Install and configure the Strict Crumb Issuer Plugin which provides more options to customize the crumb validation

      None of the above worked for me.
      The only thing that did work was to disable the CSRF protection completely. However, this is not a viable workaround for my production Jenkins instance.

      hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true


      Other issues seem to suggest that this issue is to be resolved by the plugin used.
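A small diagnostic for triaging a report like this one, added here and not part of the issue or of the SAML plugin: it fetches a crumb from Jenkins' /crumbIssuer/api/json endpoint, then POSTs /logout once without and once with the crumb header, so an operator can see whether the 403 comes from the crumb check itself. JENKINS_URL, USER and TOKEN are placeholders for your own instance (an API token is assumed for authentication).

```python
import base64
import json
import urllib.error
import urllib.request
from http.cookiejar import CookieJar

JENKINS_URL = "https://jenkins.example.invalid"  # assumed placeholder
USER, TOKEN = "admin", "api-token-here"          # assumed placeholders


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx as HTTPError so the logout redirect is observed, not followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def crumb_headers(body):
    """Header dict from a /crumbIssuer/api/json body, e.g. {"Jenkins-Crumb": ...}."""
    data = json.loads(body)
    return {data["crumbRequestField"]: data["crumb"]}


def classify(status, with_crumb):
    """Interpret a logout attempt's status code for the operator."""
    if status == 403:
        return "crumb rejected" if with_crumb else "crumb required (expected)"
    if status in (200, 302, 303):
        return "logout accepted"
    return "unexpected HTTP %d" % status


def post_logout(opener, headers):
    """POST /logout and return the HTTP status, including 3xx and 403."""
    req = urllib.request.Request(JENKINS_URL + "/logout", data=b"",
                                 method="POST", headers=headers)
    try:
        with opener.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def main():
    jar = CookieJar()  # keep the session cookie: crumbs are bound to the session
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar), NoRedirect())
    auth = base64.b64encode(("%s:%s" % (USER, TOKEN)).encode()).decode()
    opener.addheaders = [("Authorization", "Basic " + auth)]
    with opener.open(JENKINS_URL + "/crumbIssuer/api/json") as resp:
        crumb_body = resp.read().decode()
    print("without crumb:", classify(post_logout(opener, {}), False))
    print("with crumb:   ", classify(post_logout(opener, crumb_headers(crumb_body)), True))


if __name__ == "__main__":
    main()
```

If the second line reports "crumb rejected", the crumb is being issued but not accepted for this request, which points at crumb validation (session binding, proxy settings) rather than at the SAML logout URL.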


          Activity

          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          I cannot replicate it, I have configured the SAML plugin and a logout URL, after login, I click on the logout button and I am redirected to the logout URL without any issue. This is my test environment https://github.com/kuisathaverat/jenkins-issues/tree/master/JENKINS-63345


            People

            • Assignee: ifernandezcalvo Ivan Fernandez Calvo
            • Reporter: chris_dw Chris DeVille
