Jenkins SAML ADFS and local users.

Phillip Bailey
Everyone,

I have recently installed the Jenkins SAML plug-in to log into Jenkins using
ADFS. We can successfully log in with our ADFS users and have our
permissions managed using Project Matrix. However, we do use a local
service admin to perform administrative tasks such as updates, hitting the
CLI endpoint at: http://localhost:8080/cli

Whenever we trigger a REST/CLI action via
curl -vL --user admin:PASSWORD_REDACTED http://localhost:8080/cli

we get:

<title>Error 401 Invalid password/token for user: admin</title>
</head>
<body><h2>HTTP ERROR 401 Invalid password/token for user: admin</h2>
<table>

I clearly understand that this is the result of the SAML plugin overriding
the auth in favour of SAML, discarding the use of local service users.
From my research over the net, I'm not the first experiencing this
issue. I'm aware of
https://github.com/wenjunxiao/mixing-security-realm-plugin but this is
not an official and vetted Jenkins plugin and therefore is off the table.

From further reading through the web...

Active Directory has a fallback user to be used as local admin
(https://plugins.jenkins.io/active-directory/):

Fall-back user

Since version 2.5 of the AD plugin, you can define a user to fall
back on in case there is a communication issue between Jenkins and the AD
server. This way, this admin user can be used to continue
administering Jenkins in case of communication issues, where usually you
were following the link Disable security. The password of this user is
automatically synced with the Jenkins Internal Database by this feature.
In order to configure this new feature you should enable Use Jenkins
Internal Database in the AD configuration under Manage Jenkins →
Configure Global Security and specify a SINGLE user by its username.

Are there any future plans to have the same capability in the SAML/ADFS
plugin, or anything else down the line planned in Jenkins Core to overcome
this scenario?

Phillip

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/f4b85604-9d56-ad75-8559-59bb979a1053%40bailey.st.

Re: Jenkins SAML ADFS and local users.

Ivan Fernandez Calvo

> Are any future plans to have the same capability with SAML/ADFS plugin
> or anything else down the line planned in Jenkins Core to overcome this
> scenario?

No, I do not have plans to add any kind of fallback user to the SAML plugin; this, in my opinion, would be adding non-related SAML logic to manage API users. You can work around it with a real user in the SAML IdP and an API token. In case these fallback users make any sense, this feature should be implemented in a plugin for that kind of user; that way it is something you can combine with any authentication plugin, and we do not have to reinvent the wheel in each authentication plugin. Unfortunately, Jenkins does not support more than one Security Realm active at the same time. Another option could be to extend the API token feature to support local users, but this is part of the core IIRC.

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/3c650e5f-1f6c-4801-93ba-ce6ebf4af54eo%40googlegroups.com.
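The workaround Ivan describes (a real IdP user plus a per-user API token, sent as HTTP basic auth in place of a password) can be verified without touching the CLI endpoint at all. The following script is an added example, not code from either poster or from the Jenkins project: it calls Jenkins' /whoAmI/api/json endpoint with user:token credentials and classifies the result, so that the HTTP 401 from the original question (credentials rejected by the active security realm, for example a local user that does not exist in the SAML realm) is distinguished from a permission problem (403) or an anonymous session. The Jenkins URL is the one from the thread; the service username and the token are placeholders you must replace with your own.

```python
"""Check that a Jenkins service account authenticates with an API token.

Added example: not from the mailing-list thread or the Jenkins project.
The IdP user name and the token below are placeholders (assumptions).
"""
import base64
import json
import sys
import urllib.error
import urllib.request

JENKINS_URL = "http://localhost:8080"       # from the thread
SERVICE_USER = "svc-jenkins-admin"          # assumed: the IdP user holding the token
API_TOKEN = "REPLACE_WITH_API_TOKEN"        # placeholder: generate it in the user's configure page


def basic_auth_header(user: str, token: str) -> str:
    """Build the Authorization header value for user:token basic auth."""
    raw = f"{user}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def classify_response(status: int, body: str, expected_user: str) -> dict:
    """Interpret a /whoAmI/api/json response as an 'ok' flag plus a reason.

    401 is the symptom from the thread: the security realm rejected the
    credentials (wrong token, or a user the realm does not know about).
    """
    if status == 401:
        return {"ok": False, "reason": "401: credentials rejected by the security realm"}
    if status == 403:
        return {"ok": False, "reason": "403: authenticated but lacking permission"}
    if status != 200:
        return {"ok": False, "reason": f"unexpected HTTP {status}"}
    try:
        info = json.loads(body)
    except json.JSONDecodeError:
        return {"ok": False, "reason": "200 but body is not JSON (redirected to a login page?)"}
    if not info.get("authenticated"):
        return {"ok": False, "reason": "anonymous session: the token was ignored"}
    name = info.get("name")
    if name != expected_user:
        return {"ok": False, "reason": f"authenticated as {name!r}, not {expected_user!r}"}
    return {"ok": True, "reason": f"authenticated as {expected_user!r}"}


def fetch_whoami(base_url: str, user: str, token: str):
    """GET /whoAmI/api/json and return (status, body), not raising on 4xx."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/whoAmI/api/json",
        headers={"Authorization": basic_auth_header(user, token)},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_service_account(base_url: str, user: str, token: str, fetch=fetch_whoami) -> dict:
    """Run the check; 'fetch' is injectable so the logic can be exercised offline."""
    status, body = fetch(base_url, user, token)
    return classify_response(status, body, user)


if __name__ == "__main__":
    result = check_service_account(JENKINS_URL, SERVICE_USER, API_TOKEN)
    print(result["reason"])
    sys.exit(0 if result["ok"] else 1)
```

Run it from cron or a deployment pipeline after rotating the token; a non-zero exit means the account Ivan's workaround relies on is no longer usable, which is exactly the condition the original 401 signalled.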