Issue
- We are facing authentication issues using SAML, and the Single Sign On Service URL provided by the SAML IdP contains parameters.
Environment
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
- CloudBees CI (CloudBees Core) on traditional platforms - Client controller
- CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
Resolution
When we use SAML for authenticating users in Jenkins, we need to set the content of the saml-idp-metadata.xml file inside the SAML plugin configuration, using either the IdP Metadata field or the IdP Metadata URL field. Inside this saml-idp-metadata.xml file we have the <SingleSignOnService> tag, where the SAML IdP entity puts its Service SAML URL.
Because of the way the SAML plugin behaves, this URL (the one located inside <SingleSignOnService>) must not contain any query parameters: the SAML plugin redirects the user to the SAML IdP server using this URL with the parameters stripped off. Therefore, if the SAML IdP entity needs those parameters to complete the SAML authentication correctly, the authentication cannot succeed, since the parameters are removed during the first redirection to the SAML IdP entity.
Unfortunately, this is not an issue that can be solved from the Jenkins side; you should contact your SAML team so that they provide an alternative URL that does not rely on those parameters.
This is an example of a URL that would cause this kind of authentication issue:
https://service.saml.idp.entity.url?sp_entity_id=myapp
And this is an example of a URL that would not:
https://service.saml.idp.entity.url/myapp
Once your SAML team has removed any parameters from the Service SAML IdP URL, a new saml-idp-metadata.xml file should be generated. After that, we should add the new version of the saml-idp-metadata.xml to the SAML plugin configuration from the Jenkins side.
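A quick way to check a saml-idp-metadata.xml before loading it into the plugin is to parse every <SingleSignOnService> element and flag any Location that still carries a query string. The script below is an added example, not part of this article or of the SAML plugin; the embedded metadata is constructed (the hostname idp.example.test is a placeholder), and it assumes the plugin's redirect target is the Location with its query string removed, as the article describes.

```python
"""Flag SingleSignOnService URLs in SAML IdP metadata that carry query parameters."""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata (placeholder IdP): the HTTP-Redirect binding
# carries a query string, the HTTP-POST binding does not.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.test/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso?sp_entity_id=myapp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/myapp"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def sso_locations(metadata_xml: str) -> list:
    """Return (Binding, Location) pairs for every SingleSignOnService element."""
    root = ET.fromstring(metadata_xml)
    tag = "{%s}SingleSignOnService" % MD_NS  # namespaced tag name for ElementTree
    return [(el.get("Binding", ""), el.get("Location", "")) for el in root.iter(tag)]


def locations_with_parameters(metadata_xml: str) -> list:
    """Return the SSO endpoints whose Location has a query string or fragment."""
    flagged = []
    for binding, location in sso_locations(metadata_xml):
        parts = urlsplit(location)
        if parts.query or parts.fragment:
            flagged.append((binding, location))
    return flagged


def stripped_url(location: str) -> str:
    """The URL without its parameters, i.e. what the user would be redirected to."""
    p = urlsplit(location)
    return f"{p.scheme}://{p.netloc}{p.path}"


if __name__ == "__main__":
    # Usage: python check_sso.py [saml-idp-metadata.xml]; defaults to the sample.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    bad = locations_with_parameters(xml_text)
    for binding, loc in bad:
        print(f"{binding}: {loc} -> redirect would use {stripped_url(loc)}")
    sys.exit(1 if bad else 0)
```

A non-zero exit code means the metadata still contains an endpoint that the plugin would not be able to call as-is, and the SAML team needs to provide a parameter-free URL before the file is added to the plugin configuration.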