[JENKINS-52201] Connection to Identity Provider fails because ID not sent #651

@jenkins-infra-bot

Description

I am trying to set up an SSO connection between Jenkins/SAML Plugin as SP and PingOne as our IDP. After setting up the IDP side and importing its metadata into Jenkins, we encountered a problem: the IDP suddenly requires a verification of the email address, which is very unusual.

After some research I found this article:

https://ping.force.com/Support/Group-Detail/PingOne-Q&A/Feed-Detail/feedId_0D54000002exDErCAM

The article says that the "idpid" is not sent to the IDP and therefore the IDP is not able to map the request from the SP to the specific application.

The metadata received from the IDP indeed contains the "IDPID", as shown in the following example:

<md:SingleSignOnService Location="https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=10854xxx-bxxx-4xxx-958b-2af773342f11" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>

But the request from the SP to the IDP during the login process just ignores or fails to send the IDPID. The SP sends the following URL to the IDP:

https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?SAMLRequest=jVJNb9swDL3vVxi6%2BzNO4wqxg2xFsQLZGiTpDrsMskw76mLKEaWg7a%2Bf6jRYdyl2JMj3%2BPge54un%2FhCcwJDSWLI0SlgAKHWjsCvZw%2B42LNii%2BjQn0R%2BygS%2Bd3eMGjg7IBksiMNbjvmgk14PZgjkpCQ%2BbVcn21g7E4%2FgR8LdCCqWKSDtsHCoLTSR1f2nFBNIZZZ83IA593CpUtF%2FpTiELbvwehcKO4i6URNrjEUHaaPA6VQNoPX4k9c1YNUO83d5Ho%2BiFr1RTpkkxzSdFEtZ1C2HeQB5eT4s6zEQ7m00medamKQtutZEwHlmyVhwIWHB3U7Jf2tHQv2iqB9Okqpso2fXCCn3s98Z1zfHJNfsXUftpWgsidYK%2FeCIHd0hWoC1ZlqRFmFyF2WyXTPm04Nk0Sq6uf7JgbbTVUh8%2BKzyb7wxyLUgRR9EDcSv5dvltxbMo4fV5iPjX3W4dru%2B3u5Hg5K0w3%2F10yQYh88fw1QEW%2FLjEm73G6wNH4udAP94yvEli1Tl%2FPt5i3jN8TCAuH8Kq%2F%2F%2BHefx%2BWfVW%2Fvt71R8%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=m26OTtHdK1sWCurrywHJS%2Bokptdg71B84JOItrj5xObc3SVEvcGjLGCEUgfccmz2Dbq5sA%2FBClc%2B8B4kt9q9%2FZFHZ%2B2%2FD%2Bnw%2BMvyolzQ6HejxCYsgwf0geb%2ByLjg8znQ6bGOg2sTGxxAkokuxwebJOR6idewdZ2C27zTG2MlGXIvLATkFfh75SNWmBeYBOlKj4E%2FZMd3uyguNNGMfyzb36438beLCK1Lwg8bIbAsssz%2B553lW0MZrFlCZ8pwhmZFmYt8L4rPkkxP4t7hFvM36x8pKj6UoZkyWF6HwGxKyGCega9j2pGibT2LMxfSkSzdeuVFQyqRvbRAK9CtNxNRNA%3D%3D

But the correct URL should look like this:

https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=10854xxx-bxxx-4xxx-958b-2af773342f11&SAMLRequest=jVJNb9swDL3vVxi6%2BzNO4wqxg2xFsQLZGiTpDrsMskw76mLKEaWg7a%2Bf6jRYdyl2JMj3%2BPge54un%2FhCcwJDSWLI0SlgAKHWjsCvZw%2B42LNii%2BjQn0R%2BygS%2Bd3eMGjg7IBksiMNbjvmgk14PZgjkpCQ%2BbVcn21g7E4%2FgR8LdCCqWKSDtsHCoLTSR1f2nFBNIZZZ83IA593CpUtF%2FpTiELbvwehcKO4i6URNrjEUHaaPA6VQNoPX4k9c1YNUO83d5Ho%2BiFr1RTpkkxzSdFEtZ1C2HeQB5eT4s6zEQ7m00medamKQtutZEwHlmyVhwIWHB3U7Jf2tHQv2iqB9Okqpso2fXCCn3s98Z1zfHJNfsXUftpWgsidYK%2FeCIHd0hWoC1ZlqRFmFyF2WyXTPm04Nk0Sq6uf7JgbbTVUh8%2BKzyb7wxyLUgRR9EDcSv5dvltxbMo4fV5iPjX3W4dru%2B3u5Hg5K0w3%2F10yQYh88fw1QEW%2FLjEm73G6wNH4udAP94yvEli1Tl%2FPt5i3jN8TCAuH8Kq%2F%2F%2BHefx%2BWfVW%2Fvt71R8%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=m26OTtHdK1sWCurrywHJS%2Bokptdg71B84JOItrj5xObc3SVEvcGjLGCEUgfccmz2Dbq5sA%2FBClc%2B8B4kt9q9%2FZFHZ%2B2%2FD%2Bnw%2BMvyolzQ6HejxCYsgwf0geb%2ByLjg8znQ6bGOg2sTGxxAkokuxwebJOR6idewdZ2C27zTG2MlGXIvLATkFfh75SNWmBeYBOlKj4E%2FZMd3uyguNNGMfyzb36438beLCK1Lwg8bIbAsssz%2B553lW0MZrFlCZ8pwhmZFmYt8L4rPkkxP4t7hFvM36x8pKj6UoZkyWF6HwGxKyGCega9j2pGibT2LMxfSkSzdeuVFQyqRvbRAK9CtNxNRNA%3D%3D

When the correct URL containing the IDPID is put into the browser, the login succeeds. Second, login from the IDP side to the SP side succeeds as well.

Originally reported by tompf, imported from: Connection to Identity Provider fails because ID not sent
  • status: Open
  • priority: Major
  • component(s): saml-plugin
  • label(s): SAML, SAML2, SSO
  • resolution: Unresolved
  • votes: 0
  • watchers: 1
  • imported: 20260109-084319
environment
Jenkins 2.121.1
SAML Plugin 1.0.7
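An added example, not code from the reporter or from the SAML plugin, showing how an SP should build the HTTP-Redirect URL from the IdP's SingleSignOnService Location so that an existing query parameter such as idpid survives, with a switch that reproduces the dropped-parameter behaviour described above and a check that detects it. The metadata fragment, the idpid value and the AuthnRequest are constructed placeholders, and request signing (SigAlg/Signature) is left out.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata modelled on the SingleSignOnService element quoted
# in the issue; the idpid value is a placeholder, not a real PingOne tenant id.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example/placeholder">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Location="https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=00000000-0000-4000-8000-000000000000" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def redirect_sso_location(metadata_xml):
    """Return the Location of the HTTP-Redirect SingleSignOnService endpoint."""
    root = ET.fromstring(metadata_xml)
    for sso in root.iterfind(".//md:SingleSignOnService", MD_NS):
        if sso.get("Binding") == REDIRECT_BINDING:
            return sso.get("Location")
    raise ValueError("no HTTP-Redirect SingleSignOnService in metadata")

def encode_authn_request(authn_request_xml):
    """Raw DEFLATE (no zlib header) then base64, as the HTTP-Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")

def decode_authn_request(encoded):
    """Inverse of encode_authn_request: what the IdP does with the SAMLRequest value."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")

def build_redirect_url(location, authn_request_xml, relay_state="", keep_idp_query=True):
    """Build the SP -> IdP redirect. With keep_idp_query=True the IdP's own query
    parameters (here idpid) are merged with SAMLRequest; False reproduces the
    faulty URL from the issue, where the Location's query string is discarded."""
    parts = urlsplit(location)
    params = parse_qsl(parts.query, keep_blank_values=True) if keep_idp_query else []
    params.append(("SAMLRequest", encode_authn_request(authn_request_xml)))
    if relay_state:
        params.append(("RelayState", relay_state))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), ""))

def idp_query_preserved(location, redirect_url):
    """True if every query parameter of the metadata Location survived in the redirect."""
    expected = dict(parse_qsl(urlsplit(location).query, keep_blank_values=True))
    actual = dict(parse_qsl(urlsplit(redirect_url).query, keep_blank_values=True))
    return all(actual.get(k) == v for k, v in expected.items())
```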