Single Sign-on fallback behavior does not work after upgrading

Article ID: 360058867612

Issue

  • After upgrading CloudBees CI to version 2.263.1.2 or later, users can no longer log in to a Controller while it is disconnected from the Operations Center

  • I am running CloudBees CI 2.263.1.2 or later and users cannot log in anymore to a Controller when it is disconnected from the Operations Center

  • The Single sign-on fallback behavior stopped working

Explanation

The Single sign-on fallback behavior (https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/using-sso#single_sign_on_fallback_behavior) guarantees that when a Controller is disconnected from Operations Center (for example because Operations Center is down or restarting), the Controller falls back to the same Security Realm that is configured in Operations Center, but runs it locally. This local copy is known as the Offline Security Realm and is used until the connection to Operations Center is re-established. For this to work, a compatible version of the plugin used as the Security Realm must be installed on both Operations Center and the Controllers.

Since version 2.263.1.2, the mechanism that synchronizes the Offline Security Realm configuration to the Controllers does not serialize Secrets properly: the Secrets end up encrypted with both the Operations Center key and the Controller key. When the Controller is disconnected from Operations Center and authenticates users through the Offline Security Realm, it therefore decrypts and uses a wrong Secret value.

Known impacted Security Realm plugins are the LDAP plugin and the Active Directory plugin, both of which store the Bind / Manager DN credential as a Secret.

  • BEE-1204: When a controller is disconnected from Operations Center, the offline security realm on controller is broken

Workaround

There is no workaround for this problem other than keeping the connection to Operations Center stable.

However, in some cases this problem also affects the service backing the Jenkins Security Realm (LDAP, Active Directory, …). For example, with the Active Directory / LDAP plugin, the wrong Secret causes several successive Bind DN authentication failures with a wrong password, which can get the Bind DN account locked out in Active Directory / LDAP. To avoid having that account locked because of this problem, the workaround is to disable the Security Realm plugin used for the fallback on the Controller. For example, if the Security Realm configured in Operations Center uses the LDAP plugin, disable the LDAP plugin on the Controller(s).
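The following is an added illustration, not CloudBees code, of the failure mode described in the Explanation and Workaround sections above: a Secret encrypted with the Operations Center key is wrapped again with the Controller key, so the disconnected Controller decrypts to the wrong bind password and walks the directory's bind account into lockout. The keyed cipher, key values, bind password and lockout threshold are all constructed stand-ins, not Jenkins' real Secret format.

```python
import hashlib
import hmac

def _keystream(key: bytes, n: int) -> bytes:
    """Toy deterministic keystream: SHA-256(key || counter), n bytes."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

decrypt = encrypt  # XOR stream cipher: same operation both ways

OC_KEY = b"operations-center-key"   # constructed
CTRL_KEY = b"controller-key"        # constructed
BIND_PASSWORD = b"ldap-bind-secret" # constructed

def sync_buggy(oc_ciphertext: bytes) -> bytes:
    """Behaviour described for 2.263.1.2: the OC-encrypted value is wrapped
    again with the Controller key instead of re-encrypting the plaintext."""
    return encrypt(CTRL_KEY, oc_ciphertext)

def sync_fixed(oc_ciphertext: bytes) -> bytes:
    """Decrypt with the OC key first, then encrypt for the Controller."""
    return encrypt(CTRL_KEY, decrypt(OC_KEY, oc_ciphertext))

class Directory:
    """Stand-in LDAP/AD server with a bind-account lockout policy."""
    def __init__(self, password: bytes, lockout_threshold: int = 3):
        self.password, self.threshold = password, lockout_threshold
        self.failures, self.locked = 0, False
    def bind(self, password: bytes) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(password, self.password):
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= self.threshold
        return False

def offline_logins(sync, attempts: int) -> tuple:
    """Controller disconnected from OC: decrypt the synced Secret with its own
    key and bind `attempts` times. Returns (successful binds, account locked)."""
    directory = Directory(BIND_PASSWORD)
    local_secret = decrypt(CTRL_KEY, sync(encrypt(OC_KEY, BIND_PASSWORD)))
    ok = sum(directory.bind(local_secret) for _ in range(attempts))
    return ok, directory.locked
```

Running `offline_logins(sync_buggy, 5)` yields no successful binds and a locked bind account, which is why disabling the fallback plugin on the Controller protects the directory account; `offline_logins(sync_fixed, 5)` binds every time.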

Resolution

Upgrade CloudBees CI to version 2.277.4.2 or later.