On Manage Jenkins -> Configure global security -> Custom Attributes section I set an arbitrary SAML Attribute. If this attribute is not supplied with the response from Keycloak then I get the NPE attached bellow (And i get an evil jenkins error page, however the login happens after all). This scenario should be handled more gracefully. Maybe even just skipping that one attribute and check for the next.

The NPE points to this line of code.