SAML Authentication suddenly doesn't work with 'Signature is not trusted'

Article ID:360040081452

Issue

The SAML plugin suddenly stops authenticating users. After enabling the additional loggers described in the documentation, the Jenkins log shows:

2019-12-19 09:04:57.524+0000 [id=9] SEVERE o.p.s.s.i.SAML2DefaultResponseValidator#validateSamlSSOResponse: Current assertion validation failed, continue with the next one org.pac4j.saml.exceptions.SAMLException: Signature is not trusted at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSignature(SAML2DefaultResponseValidator.java:689)

Resolution

The most likely cause is that the IdP metadata changed on the provider side, so the copy stored by Jenkins no longer matches what the provider now signs with. The fix is to replace the stored metadata with the current one. Because logins fail, the UI is no longer accessible, so this has to be done on the filesystem.

  • First, download fresh IdP metadata from your provider. The naming differs between providers; for Azure, for example, look for the Federation Metadata (the URL should look like https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml).

  • Back up the existing IdP metadata file on Jenkins at ${JENKINS_HOME}/saml-idp-metadata.xml.

  • Replace the content of ${JENKINS_HOME}/saml-idp-metadata.xml with the content of the newly downloaded file from the provider.

  • Finally, restart your Jenkins instance.
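The backup-and-replace steps above as a script, added here as an example and not CloudBees' or the plugin's own tooling. It assumes the article's file path ${JENKINS_HOME}/saml-idp-metadata.xml and takes the already downloaded metadata file as an argument; it refuses files that do not look like SAML metadata and compares the IdP signing certificate before and after, since an unchanged certificate means the metadata is probably not what broke the login. The two metadata documents written by write_sample are constructed for the demo and their certificate bodies are placeholders, not real X.509 data.

```shell
#!/bin/sh
# Added example (not CloudBees' or the SAML plugin's code): rotate the SAML IdP metadata
# file on a Jenkins controller from the filesystem, keeping a backup and checking whether
# the IdP signing certificate actually changed.
set -eu

# Print the first signing certificate body (base64, whitespace removed) from an IdP metadata
# file. The ds: namespace prefix is optional because IdPs differ in how they emit it.
idp_signing_cert() {
  tr -d '\r\n' < "$1" \
    | grep -oE '<(ds:)?X509Certificate>[^<]*<' \
    | sed -n -E '1{s/^<[^>]*>//;s/<$//;s/[[:space:]]+//g;p;}'
}

# Replace saml-idp-metadata.xml under the given Jenkins home with a freshly downloaded copy.
# Prints the path of the backup it made; returns non-zero without touching anything if the
# new file is not usable SAML metadata.
rotate_idp_metadata() {
  jenkins_home="$1"; new_metadata="$2"
  current="$jenkins_home/saml-idp-metadata.xml"
  backup="$current.bak.$(date +%Y%m%d%H%M%S)"

  if ! grep -qE '<(md:)?EntityDescriptor' "$new_metadata"; then
    echo "refusing: $new_metadata is not SAML metadata" >&2
    return 1
  fi
  old_cert="$(idp_signing_cert "$current" || true)"
  new_cert="$(idp_signing_cert "$new_metadata" || true)"
  if [ -z "$new_cert" ]; then
    echo "refusing: $new_metadata carries no X509Certificate" >&2
    return 1
  fi
  if [ "$old_cert" = "$new_cert" ]; then
    # "Signature is not trusted" usually means the IdP rotated its signing key; if the
    # certificate is unchanged, installing this metadata alone may not fix the login failure.
    echo "warning: signing certificate unchanged, metadata may not be the cause" >&2
  fi

  cp -p "$current" "$backup"     # keep mode and timestamps so the backup works as a rollback
  cp "$new_metadata" "$current"  # Jenkins reads the new metadata on the restart that follows
  echo "$backup"
}

# Write a constructed IdP metadata document; the certificate body is a placeholder.
write_sample() {
  cat > "$1" <<EOF
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        $2
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# Constructed inputs for the demo: the metadata Jenkins currently holds, the freshly
# downloaded metadata with a rotated certificate, and a file that is not metadata at all.
make_sample_metadata() {
  write_sample "$1/old-metadata.xml" "MIIBOLDCERT"
  write_sample "$1/new-metadata.xml" "MIIBNEWCERT"
  printf 'not metadata\n' > "$1/garbage.txt"
}

# Demo on a throwaway directory. In production, pass the real ${JENKINS_HOME} and the
# metadata file you downloaded from the IdP, then restart Jenkins.
demo="$(mktemp -d)"
make_sample_metadata "$demo"
mkdir -p "$demo/jenkins_home"
cp "$demo/old-metadata.xml" "$demo/jenkins_home/saml-idp-metadata.xml"
backup_path="$(rotate_idp_metadata "$demo/jenkins_home" "$demo/new-metadata.xml")"
echo "backup written to $backup_path"
echo "installed certificate: $(idp_signing_cert "$demo/jenkins_home/saml-idp-metadata.xml")"
rm -rf "$demo"
```

Run it as the user Jenkins runs as (or fix ownership afterwards) so the controller can still read the replaced file, and keep the backup until a login through the IdP has succeeded after the restart.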

Tested product/plugin versions

  • Jenkins 2.190.2.2 with the SAML plugin from the envelope