Issue
After changing the configuration under
to SAML, it fails, throwing an Angry Jenkins error message. In the logs, I can see the stack trace below that points to an Access Denied at the directory level, but I have corroborated that the permissions are correct.

WARNING: Error while serving $JENKINS_URL/manage/configureSecurity/configure
java.lang.reflect.InvocationTargetException
    at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:401)
    [...]
Caused by: java.lang.LinkageError: Failed to instantiate class org.jenkinsci.plugins.saml.SamlSecurityRealm from {...}
    at hudson.model.Descriptor.newInstance(Descriptor.java:596)
    [...]
Caused by: java.lang.IllegalArgumentException: java.io.IOException: Can not write IdP metadata file in JENKINS_HOME
    at org.kohsuke.stapler.RequestImpl.invokeConstructor(RequestImpl.java:619)
    [...]
Caused by: java.nio.file.AccessDeniedException: $SOME_DIRECTORY
    at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
    [...]
Resolution
To fix this issue permanently, you have to upgrade the SAML plugin to 4.487.v9f1c3328f1c0 or higher.
Workaround
If you can’t upgrade the SAML plugin to 4.487.v9f1c3328f1c0 or higher because your current Jenkins release is not compatible with it, and you can’t upgrade Jenkins at the moment, you can manually create the required SAML file as shown below.
touch "$JENKINS_HOME/saml-idp-metadata.xml"
Once it is created in your filesystem, the next time you try to change the Security Realm to SAML from the UI, there should be no error, and the previously created empty file should be overwritten with the values set in the UI.
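
The workaround above, wrapped in checks, as an added example that is not part of the original article or of the SAML plugin. The function name `ensure_saml_metadata` is hypothetical, and the script assumes it is run as the OS account that runs Jenkins, so that the placeholder is owned by that account and can be overwritten when the Security Realm is saved.

```shell
#!/bin/sh
# Added example: pre-create the SAML IdP metadata placeholder with checks.
# Assumption: run as the OS account that runs Jenkins. A placeholder created
# by another account (for example root) may not be writable by Jenkins.

# ensure_saml_metadata JENKINS_HOME_DIR   (hypothetical helper name)
# Returns 0 when the file exists and is writable by the current user,
# 1 on a bad directory argument, 2 when the file cannot be used.
ensure_saml_metadata() {
    home_dir=$1
    if [ -z "$home_dir" ] || [ ! -d "$home_dir" ]; then
        echo "JENKINS_HOME is unset or not a directory: '$home_dir'" >&2
        return 1
    fi
    meta="$home_dir/saml-idp-metadata.xml"

    # Precaution added by this example: do not touch through a symlink
    # or reuse a directory/device that happens to have this name.
    if [ -L "$meta" ] || { [ -e "$meta" ] && [ ! -f "$meta" ]; }; then
        echo "Refusing: $meta is not a regular file" >&2
        return 2
    fi

    if [ ! -e "$meta" ]; then
        # touch creates an empty file; existing content is never truncated.
        touch "$meta" 2>/dev/null || {
            echo "Cannot create $meta as $(id -un)" >&2
            return 2
        }
    fi

    if [ ! -w "$meta" ]; then
        echo "$meta exists but is not writable by $(id -un)" >&2
        return 2
    fi
    echo "OK: $meta is present and writable by $(id -un)"
    return 0
}

# Stand-alone use: act only when JENKINS_HOME is set in the environment.
if [ -n "${JENKINS_HOME:-}" ]; then
    ensure_saml_metadata "$JENKINS_HOME"
fi
```
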