Hello,

I am trying to make Jenkins + SAML plugin + Keycloak work together and I am facing an issue.

I have generated the IDP metadata, and once I try to log in at http://jenkins.example.com/securityRealm/finishLogin, I am redirected to the Keycloak login page. When I try to log in with my Google credentials, I get this error:

    javax.servlet.ServletException: org.pac4j.saml.exceptions.SamlException: Error decoding saml message
        at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:796)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
        at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:197)
        at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
    .......
    Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
        at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:138)
        at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107)
        at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:50)
        at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:131)
        at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:82)
        at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)

After some googling, I found this website: http://samaratips.blogspot.ca/2016/10/sso-using-saml.html which said: "Add IDP public key for signing messages to java key store. It can be found in incoming saml message from IDP."

My questions are:

- Is there somebody who has succeeded in making Jenkins/SAML plugin + Keycloak work together?
- How can I add the IDP public key to my keystore, and how do I configure Jenkins to decode the SAML message with the key in the keystore?

Any help/hints will be appreciated.

Regards.
James
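A diagnostic for the "Validation of protocol message signature failed" error above, added here as an example and not part of the original post or of the Jenkins SAML plugin: it compares the certificate carried in the incoming SAML message with the signing certificates in the IdP metadata configured on the Jenkins side. It assumes the SAMLResponse form field was captured from the browser POST to finishLogin; all function names are hypothetical, and the certificate values are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # for XML you did not capture yourself, prefer defusedxml

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(b64_cert):
    """SHA-256 fingerprint of a base64 DER certificate, ignoring line wrapping."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()

def metadata_signing_fps(metadata_xml):
    """Fingerprints of the certificates the IdP metadata declares for signing."""
    fps = set()
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute applies to signing and encryption.
        if kd.get("use", "signing") == "signing":
            fps.update(fingerprint(c.text) for c in kd.iterfind(".//ds:X509Certificate", NS) if c.text)
    return fps

def message_signing_fps(saml_response_b64):
    """Fingerprints of certificates inside the Signature elements of a POST-binding SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return {fingerprint(c.text) for c in root.iterfind(".//ds:Signature//ds:X509Certificate", NS) if c.text}

def untrusted_signers(metadata_xml, saml_response_b64):
    """Certificates that accompany the message signature but are absent from the metadata."""
    return message_signing_fps(saml_response_b64) - metadata_signing_fps(metadata_xml)

# Constructed sample input: stale metadata (old key) and a message signed with the current key.
CERT_OLD = base64.b64encode(b"constructed cert: old realm key").decode()
CERT_NEW = base64.b64encode(b"constructed cert: current realm key").decode()
KEYINFO = ('<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>'
           '<ds:X509Certificate>{}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>')
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"'
    ' entityID="https://idp.example.com/realm">'
    '<md:IDPSSODescriptor><md:KeyDescriptor use="signing">' + KEYINFO.format(CERT_OLD) +
    '</md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>')
SAMPLE_RESPONSE = base64.b64encode((
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">' + KEYINFO.format(CERT_NEW) +
    '</ds:Signature></samlp:Response>').encode()).decode()

if __name__ == "__main__":
    for fp in sorted(untrusted_signers(SAMPLE_METADATA, SAMPLE_RESPONSE)):
        print("certificate in message is not in the configured IdP metadata:", fp)
```

An empty result only means the certificates match; it does not verify the signature itself, which remains the job of the SAML library.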