Cannot log in to connected controllers with Operations Center SSO after upgrading to 2.222.4.3


Issue

  • After upgrading CloudBees Core to 2.222.4.3, users cannot log in to controllers that are configured with Operations Center SSO. Operations Center itself is accessible, and the controllers are connected to it and shown as Online.

  • The browser fails with a Too many redirects error, being redirected in a loop to $CONTROLLER_URL/securityRealm/commenceLogin?from=$CONTROLLER_ENCODED_PATH, and the controller's Jenkins logs show:

    The strict checking of configured Root URL is enabled, but the requested Root URL (<URL derived from the request>) is different from the configured Root URL (<URL configured in global configuration>). Enforcing the usage of the configured URL by redirecting to it.
  • The controller’s UI shows an error when performing login at $CONTROLLER_URL/securityRealm/commenceLogin?from=$CONTROLLER_ENCODED_PATH:

    This controller Root URL is empty, but is required by Operations Center Single Sign On. Log in with a local user in $CONTROLLER_URL/login or temporarily disable this security restriction in Operations Center. More information in https://cloudbees.com/r/single-sign-on.

Explanation

Only connected controllers that are configured with Operations Center SSO (Single Sign On) and that run version 2.222.4.3 or later are affected.

The 2.222.4.3 release of CloudBees Core contains a security fix for an open redirect vulnerability in the SSO authentication mechanism. The fix introduces a strict check of the controller URL, documented at Using Single Sign On (SSO).

The controller URL derived from the request must match the Jenkins URL configured globally on the controller:

  1. The configured Jenkins Root URL is the URL set at Manage Jenkins > Configure Jenkins > Jenkins Location > Jenkins URL.

  2. The requested Root URL is derived from request information such as the X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port headers set by the reverse proxy or load balancer in front of the controller.

If the two URLs do not match, the check fails, the controller redirects to the configured URL, and Operations Center SSO cannot complete the login.

Resolution

This issue is caused by a misconfiguration of the Jenkins URL on the controller, a misconfiguration of the reverse proxy or load balancer in front of it, or both:

  1. Make sure the Jenkins URL is correctly configured in the controller's global configuration under Manage Jenkins > Configure Jenkins > Jenkins Location > Jenkins URL. It must be the URL users type in the browser, not the internal address the proxy forwards to.

  2. Make sure that every reverse proxy in front of Jenkins sets the X-Forwarded headers correctly. See the Reverse Proxy troubleshooting guide.

Example

If users reach Jenkins at https://core.example.com/master-1:

  1. The Jenkins URL in the global configuration must be https://core.example.com/master-1

  2. The reverse proxy must set the X-Forwarded headers accordingly:

    • X-Forwarded-Host: core.example.com

    • X-Forwarded-Proto: https

    • X-Forwarded-Port: 443
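The following script is an added example, not CloudBees' or Jenkins' own code: it models the strict Root URL check described in the Explanation section and runs it against the example above, so you can see which derived URL a given set of X-Forwarded headers produces and why an incomplete set causes the redirect loop. The way the requested URL is derived (X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port, falling back to the scheme and Host the controller itself sees, default port omitted, context path appended) is an approximation of Jenkins' behaviour, and the backend host name `master-1.cje.svc:8080` and the scenario headers are constructed for the illustration.

```python
"""Model of the Operations Center SSO strict Root URL check (illustrative
approximation of how Jenkins derives the requested Root URL, not the
product's own implementation)."""
from urllib.parse import urlsplit

# A port equal to the scheme default is omitted from the derived URL.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _first(value):
    """X-Forwarded-* headers may carry a comma-separated chain when several
    proxies are involved; the first entry is the client-facing one."""
    return value.split(",")[0].strip()


def derive_root_url(headers, request_host, request_scheme="http", context_path=""):
    """Root URL as seen from the request: X-Forwarded-* headers win, otherwise
    the scheme and Host header the controller itself received are used.
    Hosts are written as "host[:port]" (no IPv6 literal handling)."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme = _first(h.get("x-forwarded-proto", request_scheme)).lower()
    host_header = _first(h.get("x-forwarded-host", request_host))
    hostname, _, host_port = host_header.partition(":")
    port_str = h.get("x-forwarded-port", "").strip() or host_port
    port = int(port_str) if port_str else DEFAULT_PORTS[scheme]
    hostname = hostname.lower()
    authority = hostname if port == DEFAULT_PORTS[scheme] else f"{hostname}:{port}"
    ctx = context_path.strip("/")
    return f"{scheme}://{authority}/{ctx + '/' if ctx else ''}"


def normalize_root_url(url):
    """Canonical form of the configured Jenkins URL: lowercase scheme and
    host, default port dropped, exactly one trailing slash."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS[scheme]
    authority = parts.hostname if port == DEFAULT_PORTS[scheme] else f"{parts.hostname}:{port}"
    return f"{scheme}://{authority}{parts.path.rstrip('/')}/"


def strict_root_url_check(configured_url, headers, request_host,
                          request_scheme="http", context_path=""):
    """Return (ok, configured, derived). ok is False in exactly the case where
    the controller redirects to the configured URL and the SSO login loops."""
    configured = normalize_root_url(configured_url)
    derived = derive_root_url(headers, request_host, request_scheme, context_path)
    return configured == derived, configured, derived


# Constructed sample data: the URL users type, and what the controller itself
# sees on the proxied connection (plain HTTP on an internal service address).
CONFIGURED_URL = "https://core.example.com/master-1"
BACKEND_HOST = "master-1.cje.svc:8080"
CONTEXT_PATH = "/master-1"

SCENARIOS = {
    "proxy sets all three headers": {
        "X-Forwarded-Host": "core.example.com",
        "X-Forwarded-Proto": "https",
        "X-Forwarded-Port": "443",
    },
    "proxy omits X-Forwarded-Proto": {
        "X-Forwarded-Host": "core.example.com",
        "X-Forwarded-Port": "443",
    },
    "proxy sets no X-Forwarded headers": {},
}


def run_scenarios():
    """Evaluate every scenario; returns {name: (ok, derived_url)}."""
    results = {}
    for name, headers in SCENARIOS.items():
        ok, _, derived = strict_root_url_check(
            CONFIGURED_URL, headers, BACKEND_HOST, "http", CONTEXT_PATH)
        results[name] = (ok, derived)
    return results


if __name__ == "__main__":
    for name, (ok, derived) in run_scenarios().items():
        print(f"{'OK  ' if ok else 'LOOP'} {name}: requested Root URL {derived}")
```

The second scenario is the one that surprises people: X-Forwarded-Port alone is not enough, because without X-Forwarded-Proto the controller still believes it is serving plain HTTP and derives http://core.example.com:443/master-1/, which does not match the configured URL. The third scenario reproduces the log message literally, with the internal service address as the requested Root URL. Compare the derived URL against the one printed in the controller log to tell whether the Jenkins URL or the proxy headers need fixing.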

Workaround

Until the URL or proxy configuration is corrected, the strict controller URL check of Operations Center SSO can be disabled as documented in Disabling the verification of the Jenkins Root URL. Disabling the check also removes the open redirect protection introduced in 2.222.4.3, so re-enable it once the configuration is fixed.