Summary
Jenkins suddenly started throwing HTTP 403: Unexpected request origin (check your reverse proxy settings) during SAML authentication via Ping Identity. The failure occurs at the /securityRealm/finishLogin endpoint.
Note: Issue occurs with both the default SAML plugin and miniOrange SAML (free) to allow local+SAML troubleshooting.
Environment
- Jenkins Version: 2.516.3-jdk21
- Deployment: Kubernetes (Helm) with ArgoCD
- Access: External NGINX Ingress (not via Helm chart)
- IdP: Ping Identity (Ping reports no changes)
- Started: A few days ago; previously working
Plugins tested
- Default SAML plugin → same 403
- miniOrange SAML (free) → same 403
Changes tried (no effect)
- CSRF flags:
```
-Dhudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID=true
-Dhudson.security.csrf.requestfield=Jenkins-Crumb
-Dhudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true
```
- Ingress annotations (excerpt):
```yaml
nginx.ingress.kubernetes.io/proxy-body-size: "50m"
nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
nginx.ingress.kubernetes.io/proxy-set-headers: jenkins-proxy-headers
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
```
- Added X-Forwarded-* headers via proxy config
- Jenkins URL: explicitly set jenkinsUrl and jenkinsUrlProtocol in values.yaml
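A small offline consistency check, added here as an example and not part of the original post or of Jenkins itself: given the headers that actually reach the Jenkins pod and the configured Jenkins URL, it reconstructs the scheme/host/port the application would derive from X-Forwarded-* (falling back to Host and plain http, the usual behaviour behind an ingress) and reports missing forwarded headers or a mismatch. The header sets and the Jenkins URL below are constructed sample values; capturing the real ones (for instance by pointing the ingress at a header-echoing pod, or from Jenkins' reverse-proxy admin monitor) is the assumed input.

```python
"""Offline check: do the reverse-proxy headers agree with the configured Jenkins URL?

Added example for diagnosing "check your reverse proxy settings" style failures
behind an NGINX ingress.  It models a common proxy-aware origin reconstruction
(X-Forwarded-* preferred over Host / listener scheme); it is not Jenkins' code.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Headers a proxy must forward for the application to rebuild the external origin.
REQUIRED_FORWARDED = ("x-forwarded-proto", "x-forwarded-host")


def first(value: str) -> str:
    """Chained proxies append values with commas; the left-most is the client-facing one."""
    return value.split(",")[0].strip()


def normalize(scheme: str, netloc: str) -> tuple:
    """Return (scheme, host, port) with the default port filled in, for comparison."""
    scheme = scheme.lower()
    host, _, port = netloc.partition(":")
    port_num = int(port) if port else DEFAULT_PORTS.get(scheme, 0)
    return scheme, host.lower(), port_num


def effective_origin(headers: dict) -> tuple:
    """Reconstruct the origin the application sees for a proxied request.

    Assumed model: X-Forwarded-Proto / X-Forwarded-Host / X-Forwarded-Port win over
    the Host header and the pod's own plain-http listener when present.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme = first(h.get("x-forwarded-proto", "http"))
    netloc = first(h.get("x-forwarded-host") or h.get("host", ""))
    if ":" not in netloc and "x-forwarded-port" in h:
        netloc = f"{netloc}:{first(h['x-forwarded-port'])}"
    return normalize(scheme, netloc)


def diagnose(jenkins_url: str, headers: dict) -> list:
    """Return findings; an empty list means the proxy headers match jenkins_url."""
    findings = []
    present = {k.lower() for k in headers}
    for name in REQUIRED_FORWARDED:
        if name not in present:
            findings.append(f"missing header: {name}")
    u = urlsplit(jenkins_url)
    expected = normalize(u.scheme, u.netloc)
    actual = effective_origin(headers)
    if actual != expected:
        findings.append(f"origin mismatch: proxy presents {actual}, Jenkins URL is {expected}")
    return findings


# --- constructed sample data (not captured from any real deployment) ---
JENKINS_URL = "https://jenkins.example.test/"

# Ingress forwarding everything the application needs.
GOOD_HEADERS = {
    "Host": "jenkins.example.test",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "jenkins.example.test",
    "X-Forwarded-Port": "443",
    "X-Forwarded-For": "203.0.113.5",
}

# Only the in-cluster Host reaches the pod: nothing forwarded at all.
BARE_HEADERS = {"Host": "jenkins-svc.jenkins.svc.cluster.local:8080"}

# Host is forwarded but the scheme is not, so the app believes it is plain http.
NO_PROTO_HEADERS = {
    "Host": "jenkins.example.test",
    "X-Forwarded-Host": "jenkins.example.test",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("bare", BARE_HEADERS), ("no-proto", NO_PROTO_HEADERS)):
        result = diagnose(JENKINS_URL, hdrs)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

Run it against the real header capture and the real `jenkinsUrl`; a scheme mismatch (https configured, http derived) is the case that `force-ssl-redirect` alone does not fix, because the redirect happens at the ingress while the pod still only learns the external scheme from X-Forwarded-Proto.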
Questions
- Why would SAML auth suddenly fail with 403 without changes on our side or Ping's side?
- Why do both SAML plugins fail identically? Does this indicate a proxy/headers issue?
- What exact NGINX ingress headers/annotations are required for SAML callbacks to be accepted?
- What diagnostics help determine why /securityRealm/finishLogin rejects the Ping callback?
Context
Both plugins failing suggests an infrastructure / reverse-proxy header or origin validation issue.
Any help would be greatly appreciated!