Issue
The SAML plugin suddenly fails to authenticate. After enabling the additional loggers described in the documentation, the log shows:
2019-12-19 09:04:57.524+0000 [id=9] SEVERE o.p.s.s.i.SAML2DefaultResponseValidator#validateSamlSSOResponse: Current assertion validation failed, continue with the next one org.pac4j.saml.exceptions.SAMLException: Signature is not trusted at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSignature(SAML2DefaultResponseValidator.java:689)
Environment
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
- CloudBees CI (CloudBees Core) on traditional platforms - Client controller
- CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
- CloudBees Jenkins Enterprise
- CloudBees Jenkins Enterprise - Managed controller
- CloudBees Jenkins Enterprise - Operations center
Resolution
The most likely cause of this issue is that the IDP metadata changed on the provider side. The fix is to replace the stored metadata with the new one. This can only be done on the filesystem, because the UI is no longer accessible (you cannot log in).
- First, download fresh IDP metadata from your provider. The naming differs between providers; e.g. for Azure, look for the Federation Metadata (the URL should look like https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml).
- Back up the existing IDP metadata file on Jenkins at ${JENKINS_HOME}/saml-idp-metadata.xml.
- Replace the content of ${JENKINS_HOME}/saml-idp-metadata.xml with the content of the file newly downloaded from the provider.
- Finally, restart your Jenkins instance.
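The steps above as one POSIX shell script. This is an added example, not CloudBees tooling and not part of the SAML plugin: it assumes the new metadata has already been downloaded to a local file, defaults JENKINS_HOME to a scratch directory so it can be exercised safely, and uses constructed sample metadata (not a real provider's) for its self-test. Beyond the article's steps it adds two checks a practitioner wants before restarting: that the downloaded file really is SAML IdP metadata (a mistyped metadata URL often returns an HTML sign-in page), and whether the signing certificate differs from the one currently on disk, since an unchanged certificate means the "Signature is not trusted" error has some other cause.

```shell
#!/bin/sh
# Added example, not from the CloudBees article: swap the on-disk SAML IdP
# metadata for a freshly downloaded copy, with a backup and two sanity checks.
# Assumes the new metadata was already downloaded to a local file; JENKINS_HOME
# defaults to a scratch directory so the script can be exercised safely.
set -u

JENKINS_HOME="${JENKINS_HOME:-$(mktemp -d)}"
METADATA="$JENKINS_HOME/saml-idp-metadata.xml"

# Constructed, minimal IdP metadata (not a real provider's), used only to
# exercise the functions below. $2 stands in for the base64 signing certificate.
write_sample_metadata() {
  cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        $2
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# Check 1: does the file look like SAML IdP metadata at all? A mistyped
# metadata URL typically returns an HTML page, which would leave the plugin
# just as broken after the restart.
looks_like_idp_metadata() {
  [ -s "$1" ] || return 1
  grep -Eq '<(md:)?EntityDescriptor' "$1" || return 1
  grep -Eq '<(md:)?IDPSSODescriptor' "$1" || return 1
  grep -Eq '<(ds:)?X509Certificate' "$1" || return 1
}

# Print the X509Certificate bodies found in a metadata file, one per line,
# whitespace stripped and sorted so two files can be compared directly.
signing_certs() {
  tr -d ' \t\r\n' < "$1" \
    | awk 'BEGIN { RS = "<" } /X509Certificate>/ { sub(/^[^>]*>/, ""); if (length($0)) print }' \
    | sort
}

# Check 2: did the signing certificate actually change between the file on
# disk and the download? If not, replacing the metadata will not help.
signing_cert_changed() {
  [ "$(signing_certs "$1")" != "$(signing_certs "$2")" ]
}

# Back up the current metadata and install the new file. Prints the backup
# path (empty when there was nothing to back up); returns non-zero on refusal.
replace_idp_metadata() {
  new="$1"
  if ! looks_like_idp_metadata "$new"; then
    echo "refusing: $new does not look like SAML IdP metadata" >&2
    return 1
  fi
  backup=""
  if [ -f "$METADATA" ]; then
    backup="$METADATA.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$METADATA" "$backup"
  fi
  cp "$new" "$METADATA"
  echo "$backup"
}

# Stand-alone run against the constructed files; on a real controller the
# "new" file is the download from the provider's metadata URL.
if [ "${1:-}" = "demo" ]; then
  write_sample_metadata "$METADATA" "MIIC...OLD...CONSTRUCTED"
  write_sample_metadata "$JENKINS_HOME/new.xml" "MIIC...NEW...CONSTRUCTED"
  if signing_cert_changed "$METADATA" "$JENKINS_HOME/new.xml"; then
    echo "signing certificate changed; replacing metadata"
    replace_idp_metadata "$JENKINS_HOME/new.xml"
    # Final step from the article: restart the Jenkins instance. How that is
    # done depends on the deployment (service restart, pod roll), so it is
    # left to the operator rather than scripted here.
  else
    echo "signing certificate unchanged; look for another cause" >&2
  fi
fi
```

Run it as `sh replace-idp-metadata.sh demo` to see the flow against the constructed files; on a real controller, point JENKINS_HOME at the controller's home and pass the downloaded metadata to replace_idp_metadata. The backup is timestamped so repeated runs never overwrite an earlier copy, and the HTML check runs before any file is touched, so a bad download leaves the current metadata in place.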