Okta unable to access jenkins server - jenkins

I integrated Jenkins with Okta using the SAML 2.0 plugin.
Issue: When I click on the Jenkins app in the Okta URL, it redirects the request to https://jenkins.xxxx.com/samlLogout/ and displays the message "You are now logged out of Jenkins, however this has not logged you out of SAML".
I want to log in to Jenkins using Okta credentials, but Okta redirects the request to the logout URL and displays the above message.
Please let me know how I can redirect the request to the Jenkins home page (where my jobs are located).

You should first check jenkins.log. I had the same issue with Jenkins version 2.235.3 and SAML plugin 1.1.6. I was seeing the error below in the logs.
SAMLException: Authentication issue instant is too old or in the future
As per https://support.cloudbees.com/hc/en-us/articles/115000087231-SAML-Authentication-issue-instant-is-too-old-or-in-the-future
Sync servers by installing NTPD
a. Install NTPD on each of the machines running the services to integrate: the IdP provider as well as Jenkins in this case.
b. If you install the NTP service after the IdP provider/Jenkins has already been installed in your network, you should restart the IdP provider/Jenkins service after NTP has been successfully installed.
Maximum authentication time
a. On the IdP side, decrease the time users are being retained to a value less than 24 days.
b. Delete browser cookies and log in again.
Note: Deleting browser cookies may solve your problem temporarily.
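
The check behind this error, as an added example (not code from the SAML plugin or from the answer above). It models the service-provider side: the assertion's AuthnInstant must be neither ahead of the SP clock nor older than the maximum authentication lifetime. The 24 h lifetime, the 60 s skew, the function names and the sample assertion are assumptions.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment for illustration (not captured from a real IdP).
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed" Version="2.0" IssueInstant="2020-08-01T10:00:05Z">'
    '<saml:AuthnStatement AuthnInstant="2020-08-01T10:00:00Z"/>'
    '</saml:Assertion>'
)

# Assumed settings: 24 h maximum authentication lifetime, 60 s accepted clock skew.
MAX_AUTH_LIFETIME = timedelta(seconds=86400)
ACCEPTED_SKEW = timedelta(seconds=60)


def authn_instant(assertion_xml):
    """Extract AuthnStatement/@AuthnInstant as an aware UTC datetime."""
    # Real, untrusted assertions should go through a hardened XML parser.
    stmt = ET.fromstring(assertion_xml).find(".//saml:AuthnStatement", NS)
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        raise ValueError("no AuthnStatement/@AuthnInstant in assertion")
    return datetime.fromisoformat(stmt.attrib["AuthnInstant"].replace("Z", "+00:00"))


def check_authn_instant(instant, sp_now, max_lifetime=MAX_AUTH_LIFETIME, skew=ACCEPTED_SKEW):
    """Classify the IdP login time as seen from the service provider's clock."""
    if instant > sp_now + skew:
        return "in_future"   # SP clock behind the IdP: fix time sync (NTP)
    if instant < sp_now - max_lifetime - skew:
        return "too_old"     # IdP session outlived the SP's maximum lifetime
    return "ok"


def diagnose(assertion_xml, sp_now):
    return check_authn_instant(authn_instant(assertion_xml), sp_now)


if __name__ == "__main__":
    utc = timezone.utc
    for label, now in [
        ("clocks in sync", datetime(2020, 8, 1, 10, 0, 5, tzinfo=utc)),
        ("SP clock 5 min slow", datetime(2020, 8, 1, 9, 55, 5, tzinfo=utc)),
        ("IdP session 2 days old", datetime(2020, 8, 3, 10, 0, 5, tzinfo=utc)),
    ]:
        print(f"{label}: {diagnose(SAMPLE_ASSERTION, now)}")
```

The "in_future" branch corresponds to the NTP advice and the "too_old" branch to the maximum authentication time advice; clearing cookies forces a fresh IdP login and so a new AuthnInstant.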

Just clearing the cookies did the job

Related

Jenkins "Invalid Username and Password" PAM Authentication

I am running Jenkins 2.164 in RHEL with Centrify as AD connector. I have configured Jenkins security to use PAM. The PAM security configuration test is Success and Matrix Security is also able to validate users and group via PAM. When restarting Jenkins and login, it doesn't seem to be able to authenticate via PAM and keeps getting "invalid username or password error". I am using Pam-Auth plugin version 1.5. The weird part is when I am using an older version of Jenkins 2.89, it works. Also, the new Jenkins has changed the login form to a SimpleLogin and I suspect that causes incompatibility with my Centrify.
I have checked the /var/log/messages file and I keep receiving the following error. This has never happened before in the older version. I am not sure why the older version of Jenkins works but not the current version I'm using.
I've tried to swap to an older version, libpam4j-1.8, from before pam_setcred was introduced in version 1.11, but it still fails.
Any help would be greatly appreciated.
Apr 24 23:45:26 adclient[35963]: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|201|PAM set credentials denied|5|user=test(type:ad,test@testdomain.com) pid=180 utc=1556163926715 centrifyEventID=24201 status=DENIED service=sshd tty=(none) client=(none) reason=Failed to set user credentials

Access Pivotal SSO tile in local development

Our OPS team has configured an SSO tile that connects to ADFS. I am building a sample application that utilizes an SSO service instance. I can deploy my application to PCF and remote debug my SSO configuration. These things work.
What I need is a way to access the SSO service instance while I am developing on my PC. Otherwise the only way to verify my code really works is to deploy my application to PCF and either add log statements or configure remote debugging. Both of these are pretty time consuming.
I looked into configuring SSH access to Pivotal services. That works for database service instances, but not for the SSO service instance. Has anyone figured it out?
After repeated trial and error, I found the solution. Posting it here in case someone else has a similar issue.
In PCF, add a new application for your SSO. The auth redirect URL for this application should point to your localhost. In my case it is http://localhost:8080
Run cf env . Copy the p-identity section only and save it to vcap_services.json. Then update the clientId and clientSecret with the values from the new application created in the previous step.
Use the following command to start your application:
VCAP_APPLICATION=true VCAP_SERVICES=$(cat vcap_services.json) SPRING_PROFILES_ACTIVE=... ./gradlew bootRun

How to resolve the issue in Jenkins

I am working on Jenkins by following the link below, and I am new to working with Jenkins.
https://blogs.msdn.microsoft.com/visualstudioalm/2016/05/27/continuous-deploymentdelivery-with-jenkins-and-vs-team-services/
Here I am facing an issue: when I install Jenkins, it redirects to a localhost URL and displays a web page like the figure below. I downloaded Jenkins from the link below. After the redirect it shows the Jenkins login, and I should mention that I have not set any login details anywhere in Jenkins.
https://jenkins.io/
On Linux, the default "admin" user password is available in the /var/lib/jenkins/secrets/initialAdminPassword file.
I am not 100% sure about Windows; you can check if the secrets\initialAdminPassword file is available in the Jenkins install directory. If yes, then try to log in with the credentials mentioned in this file.

oauth: Meteor authentication issue on own server

I'm working on an app that requires a log-in using OAuth mechanisms from LinkedIn, Twitter, Google.
On the common Meteor server this authentication method works fine.
However, I recently deployed the Meteor server on my own server, and I get an authentication error when I try to log in. I tried LinkedIn and Twitter and receive the same error, so I guess something is wrong on my server.
The error is in a browser window:
The requested URL /_oauth/linkedin was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.2.22 (Ubuntu) Server at exomodal.com Port 80
The meteor server is at port 3000.
Any ideas how to resolve this issue?
Thanks in advance
As far as I know, Google asks for a redirect URL and an origin URL. During development, you registered these as localhost:3000/. But when you deploy, you are not using localhost anymore. Update these URLs in your "API console" (that's what they call it in Google) if any exist. As far as I know, Google and Facebook require some sort of URL to be registered.
Also, API configurations (client/consumer id and secret) are usually stored in the DB. Upon deploy, you don't usually ship your development DB, leaving behind the configurations which were on your development machine. What we did was to hard-code these into the server code, so that every time the server is restarted or redeployed to a "clean server", it inserts those configs into the DB.

Remote Access to Secured Jenkins Server

I have a Jenkins installation on a machine running Windows Server 2008. The Jenkins installation is secured using Jenkins' own user database with matrix-based security authorization. Anonymous users don't have any access, except to register an account. I have set up an account and gave this account full access.
Now I'd like to trigger a build remotely from a different machine that hosts the repository. I believe this should be possible by accessing the following URL:
https://[username]:[user_api_token]@[address.of.jenkins]:8080/job/[project]/build?token=[project_api_token]
However, this does not seem to be working for me. When I access this site in a browser, Jenkins forwards to the login-page, and does not start the build.
What am I doing wrong? It seems to be an authentication problem, as I'm not logged in after opening the URL above. Furthermore, if I give anonymous users full access, the URL works.
Try invoking the build from a command-line program like curl:
curl "http://[userid]:[user_token]@localhost:8080/job/[project]/build?token=[proj_token]"
or
curl --user "[userid]:[user_token]" "http://localhost:8080/job/[project]/build?token=[proj_token]"
I think your issue could be browser related: embedding credentials within the URL (Firefox pops up a warning in my case telling me I'm about to log in to Jenkins).
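
A scripted equivalent of the second curl form, as an added example (not part of the original answer). It builds the trigger request with the API token in an Authorization header instead of the URL, and redacts URLs before they are logged. The function names and the sample user, job and token values are hypothetical.

```python
import base64
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit
from urllib.request import Request


def build_trigger_request(base_url, job, user, api_token, job_token):
    """Build (without sending) the POST that triggers /job/<job>/build."""
    url = "{}/job/{}/build?{}".format(
        base_url.rstrip("/"), quote(job, safe=""), urlencode({"token": job_token})
    )
    # Same header curl --user produces: Basic base64(user:api_token).
    basic = base64.b64encode(f"{user}:{api_token}".encode("utf-8")).decode("ascii")
    return Request(url, method="POST", headers={"Authorization": f"Basic {basic}"})


def redact_url(url):
    """Drop user:token@ and mask the job token before a URL is logged."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    query = urlencode(
        [(k, "REDACTED" if k == "token" else v)
         for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    )
    return urlunsplit((parts.scheme, host, parts.path, query, ""))


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    req = build_trigger_request(
        "http://localhost:8080", "my project", "alice",
        "constructed-api-token", "constructed-job-token",
    )
    print(req.get_method(), redact_url(req.full_url))
```

Pass the returned request to urllib.request.urlopen to actually trigger the build; keeping the token out of the URL keeps it out of shell history, proxy logs and browser address bars.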
