Issue
- After upgrading CloudBees Core to 2.222.4.3, users cannot log in to controllers configured with Operations Center SSO. Operations Center itself is accessible, and the controllers are connected to Operations Center and shown as Online.
- The browser fails with a "Too many redirects" error, being redirected in a loop to $CONTROLLER_URL/securityRealm/commenceLogin?from=$CONTROLLER_ENCODED_PATH, and the controller Jenkins logs show:

  The strict checking of configured Root URL is enabled, but the requested Root URL (<URL derived from the request>) is different from the configured Root URL (<URL configured in global configuration>). Enforcing the usage of the configured URL by redirecting to it.
- The controller's UI shows an error when performing login at $CONTROLLER_URL/securityRealm/commenceLogin?from=$CONTROLLER_ENCODED_PATH:

  This controller Root URL is empty, but is required by Operations Center Single Sign On. Log in with a local user in $CONTROLLER_URL/login or temporarily disable this security restriction in Operations Center. More information in https://cloudbees.com/r/single-sign-on.
Environment
- CloudBees CI (CloudBees Core) 2.222.4.3 and later
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller 2.222.4.3 and later
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center 2.222.4.3 and later
- CloudBees CI (CloudBees Core) on traditional platforms - Client controller 2.222.4.3 and later
- CloudBees CI (CloudBees Core) on traditional platforms - Operations Center 2.222.4.3 and later
- Operations Center Context Plugin 2.222.0.4 and later
- Operations Center Single Sign-On Plugin 2.222.0.3 and later
Explanation
Only connected controllers that are configured with Operations Center SSO (Single Sign-On) and that are running version 2.222.4.3 or later are affected.
The 2.222.4.3 release of CloudBees Core contains a security fix for an Open Redirect vulnerability in the SSO authentication mechanism. This fix introduces a strict check on the controller URL, documented in Using Single Sign On (SSO).
The Root URL derived from the request must match the Jenkins Root URL configured globally:

- The configured Jenkins Root URL is the one set in the controller's global configuration.
- The requested Root URL is derived from the request information, in particular the X-Forwarded headers set by any reverse proxy in front of the controller.

If those URLs do not match, the check fails and Operations Center SSO cannot complete: the controller keeps redirecting to the configured URL and the login loops.
Resolution
This issue is caused by a misconfiguration of the Jenkins controller URL, of the reverse proxy / load balancer serving it, or both:

- Make sure the Jenkins URL is properly configured in the controller's global configuration.
- Make sure the reverse proxy (or proxies) in front of Jenkins sets the X-Forwarded headers correctly. See the Reverse Proxy troubleshooting guide.
Example
If Jenkins is available to users at https://core.example.com/master-1:

- The Jenkins Root URL must be configured to https://core.example.com/master-1
- The X-Forwarded headers must be set accordingly:
  - X-Forwarded-Host: core.example.com
  - X-Forwarded-Proto: https
  - X-Forwarded-Port: 443
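To see why a missing or wrong X-Forwarded header produces the mismatch logged above, the following added example (not CloudBees or Jenkins code) models the strict Root URL check: it rebuilds the requested Root URL from the request the way a proxy-aware server does (scheme from X-Forwarded-Proto, host and port from X-Forwarded-Host / X-Forwarded-Port, falling back to the Host header and the hop's own scheme) and compares it with the configured Jenkins URL. The internal hostname jenkins.internal:8080, the Request class and the three sample requests are constructed for the example; IPv6 host literals are not handled.

```python
"""Model of the strict Root URL check described on this page.

Added example, not CloudBees or Jenkins code. The derivation rules
(X-Forwarded-Proto, X-Forwarded-Host, X-Forwarded-Port, then the Host
header) are a simplified model of how a proxied server reconstructs the
URL the user actually requested. Hostnames and requests are constructed.
"""
from dataclasses import dataclass, field

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Request:
    host: str                      # Host header as seen by the controller (may include :port)
    scheme: str = "http"           # scheme of the hop that reached the controller
    context_path: str = ""         # servlet context path, e.g. "/master-1"
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def root_url_from_request(req):
    """Build the '<URL derived from the request>' that appears in the log line."""
    scheme = (req.header("X-Forwarded-Proto") or req.scheme).lower()
    host = req.header("X-Forwarded-Host") or req.host
    port = None
    if ":" in host:                                   # host:port form (no IPv6 literals)
        host, _, p = host.rpartition(":")
        port = int(p)
    fwd_port = req.header("X-Forwarded-Port")
    if fwd_port:                                      # explicit forwarded port wins
        port = int(fwd_port)
    if port is None:
        port = DEFAULT_PORTS[scheme]
    # Only emit the port when it is not the default for the scheme
    netloc = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{netloc}{req.context_path}/"


def normalize(url):
    """Jenkins stores the Root URL with a trailing slash; compare in that form."""
    return url if url.endswith("/") else url + "/"


def strict_root_url_check(configured_url, req):
    """Return (ok, requested_url); ok is False when SSO would loop or refuse."""
    if not configured_url:
        return False, None            # the "Root URL is empty" error from the Issue section
    requested = root_url_from_request(req)
    return requested == normalize(configured_url), requested


CONFIGURED = "https://core.example.com/master-1"

# Correct proxy: all three X-Forwarded headers set as in the example above
GOOD = Request(host="jenkins.internal:8080", context_path="/master-1",
               headers={"X-Forwarded-Host": "core.example.com",
                        "X-Forwarded-Proto": "https",
                        "X-Forwarded-Port": "443"})

# Proxy that forgets X-Forwarded-Proto: the controller only sees plain http
NO_PROTO = Request(host="jenkins.internal:8080", context_path="/master-1",
                   headers={"X-Forwarded-Host": "core.example.com",
                            "X-Forwarded-Port": "443"})

# No forwarding headers at all (proxy strips them, or direct internal access)
BARE = Request(host="jenkins.internal:8080", context_path="/master-1")


def demo():
    """Run the check against the three constructed requests."""
    return {name: strict_root_url_check(CONFIGURED, req)
            for name, req in (("good", GOOD), ("no_proto", NO_PROTO), ("bare", BARE))}


if __name__ == "__main__":
    for name, (ok, url) in demo().items():
        print(f"{name:9} ok={ok!s:5} requested={url}")
```

Only the first request reproduces the configured https://core.example.com/master-1/; dropping X-Forwarded-Proto yields http://core.example.com:443/master-1/, and a request with no forwarding headers yields the internal http://jenkins.internal:8080/master-1/, both of which trip the check. In nginx the corresponding settings are the proxy_set_header X-Forwarded-Host, X-Forwarded-Proto and X-Forwarded-Port directives.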
Workaround
Until the root cause is fixed, the strict controller URL check of Operations Center SSO can be disabled, as documented in Disabling the verification of the Jenkins Root URL. Because this check is the Open Redirect fix described above, disabling it should only be a temporary measure.