Hi,

To configure Okta as a SAML service you have to follow this documentation: 
http://developer.okta.com/standards/SAML/setting_up_a_saml_application_in_okta
It seems like you did that and have the IdP up and running. You have to set 
these settings in order to make it work:

*Single Sign on URL*: http://myhostaddress.com:8080/securityRealm/finishLogin
*Use this for Recipient URL and Destination URL*: Checked
*Audience URI (SP Entity ID)*: http://myhostaddress.com:8080/securityRealm/finishLogin
*Name ID Format*: EmailAddress
*Application username*: Okta username
*Attribute Statements*: I did not specify any here
*Group Attribute Statements*: Name=Group, Name format=Basic, Filter type=regex, Filter=.*


Jenkins:
*Security Realm*: SAML 2.0
*IdP Metadata* : Copied from Okta
*Display Name Attribute*: The default of (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name)
*Group Attribute*: Group
*Username Attribute*: left blank

Reviewing your configuration, you set Request Binding to HTTP POST. This kind 
of binding is not yet supported by the SAML Plugin; you have to use the HTTP 
Redirect Binding.



On Thursday, April 20, 2017 at 10:20:01 (UTC+2), st...@flugel.it wrote:
>
> I'm trying to configure okta with saml jenkins plugin 
> https://wiki.jenkins-ci.org/display/JENKINS/SAML+Plugin
> But getting error Cannot find entity 
> https://www.okta.com/saml2/service-provider/spibofbfpairxsdsimgc or role 
> {urn:oasis:names:tc:SAML:2.0:metadata}
>
> there is my metadata
> <?xml version="1.0" encoding="UTF-8"?>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://www.okta.com/saml2/service-provider/spibofbfpairxsdsimgc">
>   <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>     <md:KeyDescriptor use="encryption">
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:X509Data>
>           <ds:X509Certificate>[certificate data omitted]</ds:X509Certificate>
>         </ds:X509Data>
>       </ds:KeyInfo>
>       <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
>       <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
>       <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>       <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
>     </md:KeyDescriptor>
>     <md:KeyDescriptor use="signing">
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:X509Data>
>           <ds:X509Certificate>[certificate data omitted]</ds:X509Certificate>
>         </ds:X509Data>
>       </ds:KeyInfo>
>     </md:KeyDescriptor>
>     <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
>     <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
>     <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
>     <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
>     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev-784119.oktapreview.com/sso/saml2/0oaa7zvi6k6kK4Rm00h7" index="0" isDefault="true"/>
>     <md:AttributeConsumingService index="0">
>       <md:RequestedAttribute FriendlyName="First Name" Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
>       <md:RequestedAttribute FriendlyName="Last Name" Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
>       <md:RequestedAttribute FriendlyName="Email" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
>       <md:RequestedAttribute FriendlyName="Mobile Phone" Name="mobilePhone" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
>     </md:AttributeConsumingService>
>   </md:SPSSODescriptor>
>   <md:Organization>
>     <md:OrganizationName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">dev-784119</md:OrganizationName>
>     <md:OrganizationDisplayName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">Flugel.it-dev-784119</md:OrganizationDisplayName>
>     <md:OrganizationURL xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">https://flugel.it</md:OrganizationURL>
>   </md:Organization>
> </md:EntityDescriptor>
>
> in Okta:
> SAML PROTOCOL SETTINGS
>
> IdP Issuer URI 
> https://ip:8080/securityRealm/finishLogin
>
> IdP Single Sign-On URL 
> https://ip:8080/securityRealm/finishLogin
>
> IdP Signature Certificate 
> Pub cer for SSL
>
> Request Binding 
> HTTP POST
>
> Request Signature
>
> Sign SAML Authentication Requests
> Request Signature Algorithm 
> SHA-256
>
> Response Signature Verification 
> Response or Assertion
>
> Response Signature Algorithm 
> SHA-256
>
> Destination 
> https://ip:8080/securityRealm/finishLogin
> Okta Assertion Consumer Service URL
>
> Trust-specific
>
> Organization (shared)
> Max Clock Skew 
> 2
> Minutes
>
> Jenkins running from official docker image with options:
> --httpPort=-1 --httpsPort=8080 
> --httpsCertificate=/var/lib/jenkins/jenkins.crt 
> --httpsPrivateKey=/var/lib/jenkins/jenkins.key
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/4dd9bce5-b18a-46f3-8dc0-da234f096a27%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
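
A pre-flight check for the XML pasted into the Jenkins "IdP Metadata" field, added here as an example (it is not part of the thread or of the SAML plugin's code). It reports whether the document carries an IdP role and an HTTP-Redirect single sign-on endpoint, the binding the reply says the plugin needs. The function name `check_idp_metadata`, both sample documents and the `example.test` hosts are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: SP-only metadata, the same shape as the document quoted in the thread.
SP_ONLY = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.test/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: IdP metadata offering POST and Redirect single sign-on endpoints.
IDP = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.test/id">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://idp.example.test/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return (entity_id, problems); an empty problems list means every check passed."""
    if "<!DOCTYPE" in xml_text:  # metadata never needs a DTD; refuse entity tricks
        return None, ["DOCTYPE present: refusing to parse"]
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return None, [f"root element is {root.tag}, expected md:EntityDescriptor"]
    entity_id = root.get("entityID")
    roles = [el.tag.split("}")[1] for el in root if el.tag.endswith("SSODescriptor")]
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return entity_id, [f"no IDPSSODescriptor role; roles present: {roles}"]
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall(f"{{{MD}}}SingleSignOnService")}
    if REDIRECT not in sso:
        return entity_id, ["no SingleSignOnService with HTTP-Redirect binding"]
    if not sso[REDIRECT].startswith("https://"):
        return entity_id, [f"Redirect endpoint is not HTTPS: {sso[REDIRECT]}"]
    return entity_id, []


if __name__ == "__main__":
    for name, doc in (("SP_ONLY", SP_ONLY), ("IDP", IDP)):
        print(name, check_idp_metadata(doc))
```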
