OKTA Integration with Jenkins

I integrated Jenkins with Okta using the SAML 2.0 plugin.

Issue: When I click the Jenkins app in the Okta portal, it redirects the request to https://jenkins.xxxx.com/samlLogout/ and displays the message “You are now logged out of Jenkins, however this has not logged you out of SAML”.

I want to log in to Jenkins using Okta credentials, but Okta redirects the request to the logout URL and displays the message above.

Please let me know how I can redirect the request to the Jenkins home page.

Sounds like you have the logout URL as the login URL in your Jenkins config.
I would recommend looking at your config.xml (assuming you can’t log in) and seeing if something is misconfigured.


I am sharing the config file; please check whether anything is missing or needs to be added.

<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <disabledAdministrativeMonitors>
    <string>OldData</string>
    <string>jenkins.security.QueueItemAuthenticatorMonitor</string>
    <string>jenkins.diagnostics.ControllerExecutorsAgents</string>
    <string>hudson.diagnosis.ReverseProxySetupMonitor</string>
  </disabledAdministrativeMonitors>
  <version>2.332.3</version>
  <numExecutors>2</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="org.jenkinsci.plugins.saml.SamlSecurityRealm" plugin="saml@2.333.vc81e525974a_c">
    <displayNameAttributeName>XXXXXXXX</displayNameAttributeName>
    <groupsAttributeName>XXXXXXX</groupsAttributeName>
    <maximumAuthenticationLifetime>86400</maximumAuthenticationLifetime>
    <emailAttributeName>XXXXX</emailAttributeName>
    <usernameCaseConversion>none</usernameCaseConversion>
    <usernameAttributeName>XXXXX</usernameAttributeName>
    <binding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</binding>
    <advancedConfiguration>
      <forceAuthn>false</forceAuthn>
      <spEntityId>https://XXXXXXjenkins.xxxxxxxxxxx.com</spEntityId>
    </advancedConfiguration>
    <idpMetadataConfiguration>
      <xml></xml>
      <url>https://octa.XXXXXX.com/app/XXXXXXXXXX/sso/saml/metadata</url>
      <period>0</period>
    </idpMetadataConfiguration>
  </securityRealm>
  <disableRememberMe>false</disableRememberMe>
  <projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
  <workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULL_NAME}</workspaceDir>
  <buildsDir>${ITEM_ROOTDIR}/builds</buildsDir>
  <markupFormatter class="hudson.markup.EscapedMarkupFormatter"/>
  <jdks/>
  <viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
  <myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
  <clouds/>
  <quietPeriod>5</quietPeriod>
  <scmCheckoutRetryCount>0</scmCheckoutRetryCount>
  <views>
    <hudson.model.AllView>
      <owner class="hudson" reference="../../.."/>
      <name>all</name>
      <filterExecutors>false</filterExecutors>
      <filterQueue>false</filterQueue>
      <properties class="hudson.model.View$PropertyList"/>
    </hudson.model.AllView>
  </views>
  <primaryView>all</primaryView>
  <slaveAgentPort>0</slaveAgentPort>
  <label></label>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
  <nodeProperties/>
  <globalNodeProperties/>
  <nodeRenameMigrationNeeded>false</nodeRenameMigrationNeeded>
</hudson>
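Since the advice in the thread is to inspect config.xml, here is an added example of doing that mechanically. It is my script, not code from the thread or from the SAML plugin project. It parses the `<securityRealm>` block of a Jenkins config.xml, flags the settings a reviewer would want to see, and derives the URL the Okta app must post assertions to. Two assumptions are labelled in the code: that the SAML plugin's assertion consumer endpoint is `/securityRealm/finishLogin` (the logout endpoint the thread's redirect lands on is `/samlLogout`), and that the Okta app's "Audience URI" must equal `spEntityId`. The ACS URL is set on the Okta side, not in config.xml, so the script prints what that Okta-side value should be rather than claiming config.xml is wrong. Note also that the posted config uses `AuthorizationStrategy$Unsecured`, which grants full control to every request, anonymous included, no matter how login is wired up; the script reports that too. `SAMPLE_CONFIG` is constructed to mirror the posted file, redactions and all.

```python
"""Audit the SAML settings in a Jenkins config.xml (added example).

Not the thread's code or the SAML plugin's. It reads the <securityRealm>
block, reports settings relevant to an Okta-initiated login, and derives the
ACS URL the Okta app must post to. SAMPLE_CONFIG is constructed from the
config posted in the thread, trimmed to the elements the audit reads.
"""
import sys
import xml.etree.ElementTree as ET

SAML_REALM = "org.jenkinsci.plugins.saml.SamlSecurityRealm"
UNSECURED = "hudson.security.AuthorizationStrategy$Unsecured"
# Assumption: the SAML plugin consumes assertions on this path. The logout
# endpoint the thread's redirect lands on is /samlLogout.
ACS_PATH = "/securityRealm/finishLogin"

SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="org.jenkinsci.plugins.saml.SamlSecurityRealm" plugin="saml@2.333.vc81e525974a_c">
    <maximumAuthenticationLifetime>86400</maximumAuthenticationLifetime>
    <usernameAttributeName>XXXXX</usernameAttributeName>
    <binding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</binding>
    <advancedConfiguration>
      <forceAuthn>false</forceAuthn>
      <spEntityId>https://XXXXXXjenkins.xxxxxxxxxxx.com</spEntityId>
    </advancedConfiguration>
    <idpMetadataConfiguration>
      <xml></xml>
      <url>https://octa.XXXXXX.com/app/XXXXXXXXXX/sso/saml/metadata</url>
      <period>0</period>
    </idpMetadataConfiguration>
  </securityRealm>
</hudson>
"""


def _text(node, path):
    """Stripped text of a child element, or "" when absent or empty."""
    child = node.find(path)
    if child is None or child.text is None:
        return ""
    return child.text.strip()


def parse_realm(config_xml):
    """Pull the security-relevant SAML fields out of config.xml."""
    root = ET.fromstring(config_xml)
    realm = root.find("securityRealm")
    if realm is None:
        realm = ET.Element("securityRealm")  # absent: every field reads as empty
    authz = root.find("authorizationStrategy")
    return {
        "realm_class": realm.get("class"),
        "authz_class": authz.get("class") if authz is not None else None,
        "sp_entity_id": _text(realm, "advancedConfiguration/spEntityId"),
        "idp_metadata_url": _text(realm, "idpMetadataConfiguration/url"),
        "idp_metadata_xml": _text(realm, "idpMetadataConfiguration/xml"),
        "refresh_period": _text(realm, "idpMetadataConfiguration/period"),
        "binding": _text(realm, "binding"),
    }


def expected_acs_url(sp_entity_id):
    """Value for the Okta app's 'Single sign on URL' field (assumed ACS path)."""
    return sp_entity_id.rstrip("/") + ACS_PATH


def audit(config_xml):
    """Return human-readable findings; an empty list means nothing was flagged."""
    s = parse_realm(config_xml)
    if s["realm_class"] != SAML_REALM:
        return ["security realm is not the SAML plugin: %s" % s["realm_class"]]
    findings = []
    if s["authz_class"] == UNSECURED:
        findings.append("authorization strategy is Unsecured: everyone, anonymous "
                        "included, gets full control regardless of SAML login")
    if not s["sp_entity_id"]:
        findings.append("spEntityId is empty; Okta's Audience URI cannot match it")
    for key in ("sp_entity_id", "idp_metadata_url"):
        if "samlLogout" in s[key]:
            findings.append("%s points at the logout endpoint: %s" % (key, s[key]))
    if not s["idp_metadata_url"] and not s["idp_metadata_xml"]:
        findings.append("no IdP metadata configured (neither url nor inline xml)")
    if s["refresh_period"] == "0":
        findings.append("IdP metadata refresh period is 0: metadata is fetched once "
                        "and not refreshed, so an Okta signing-cert rotation is not picked up")
    if s["binding"] not in ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"):
        findings.append("unexpected SAML binding: %r" % s["binding"])
    return findings


if __name__ == "__main__":
    # Usage: python audit_saml.py [path/to/config.xml]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    settings = parse_realm(text)
    print("Okta 'Single sign on URL' (ACS):", expected_acs_url(settings["sp_entity_id"]))
    print("Okta 'Audience URI' (SP entity ID):", settings["sp_entity_id"])
    for finding in audit(text):
        print("-", finding)
```

Run it against a real `$JENKINS_HOME/config.xml` and compare the two printed URLs with the Okta app's SAML settings: if the "Single sign on URL" there ends in `/samlLogout/`, the Okta tile will post the assertion to the logout endpoint and produce exactly the message quoted in the first post. The `Unsecured` finding is worth acting on regardless of the login problem, since it means the SAML login gates nothing.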

Were you able to resolve this, Harini? We’re facing the exact same issue with Okta and Jenkins. Sadly there isn’t much info about this online that I’ve been able to find.

Have you reached out to Okta at all? You would be paying them, and they probably have a lot more SAML experience than random open source users.