Enable SSO on Jenkins

Snehalhingane
Feb 10, 2024

What is Jenkins?

  • Jenkins is an open-source solution comprising an automation server to enable continuous integration and continuous delivery (CI/CD), automating the various stages of software development such as build, test, and deployment.

Download Jenkins: https://www.jenkins.io/download/

What is SSO authentication?

  • Single sign-on (SSO) is a technology which combines several different application login screens into one. With SSO, a user only has to enter their login credentials (username, password, etc.) one time on a single page to access all of their SaaS applications.

How does an SSO login work?

  • Whenever a user signs in to an SSO service, the service creates an authentication token that remembers that the user is verified.
  • An authentication token is a piece of digital information stored either in the user’s browser or within the SSO service’s servers, like a temporary ID card issued to the user.
  • Any app the user accesses will check with the SSO service. The SSO service passes the user’s authentication token to the app and the user is allowed in.
  • If, however, the user has not yet signed in, they will be prompted to do so through the SSO service.
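To make the token flow above concrete, here is an added example (not part of the original post or of the azure-ad plugin) of the checks a relying party such as Jenkins must apply to an Azure AD v2.0 ID token before trusting it: signature, issuer (the tenant), audience (the app registration's client ID) and validity window. The tenant ID, client ID and signing key are constructed placeholders; real Azure tokens are RS256-signed and verified against the tenant's JWKS, and HS256 with a local key is swapped in only so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholders, not real identifiers: in a deployment these come
# from the app registration created in the Azure setup steps.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
DEMO_KEY = b"constructed-demo-key"  # stands in for the tenant's RS256 key (assumption)
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_demo_id_token(claims: dict) -> str:
    """Build a token with the claim layout of an Azure AD v2.0 ID token,
    signed with HS256 over the demo key (offline stand-in for RS256/JWKS)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def validate_id_token(token: str, now: Optional[int] = None) -> dict:
    """Return the claims if the token is acceptable for this app, else raise ValueError."""
    now = int(time.time()) if now is None else now
    header, body, sig = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("tid") != TENANT_ID:
        raise ValueError("token issued by a different tenant")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this app registration")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token expired or not yet valid")
    return claims  # 'oid' is the user object ID the Jenkins matrix can be keyed on

def rejection_reason(token: str, now: Optional[int] = None) -> Optional[str]:
    """None if the token is accepted, otherwise the reason it was rejected."""
    try:
        validate_id_token(token, now)
        return None
    except ValueError as exc:
        return str(exc)
```

Group membership is not taken from the token here: the plugin resolves it through Microsoft Graph, which is why the Group.Read.All permission in the Azure setup below matters.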

How to enable SSO on Jenkins using Azure Active Directory?

Setup on Azure:

Follow the steps below to create an app registration on Azure:

  • Click Certificates & secrets; under Client secrets, click New client secret to generate a new key and copy its value. It will be used as the Client Secret in Jenkins.
  • Click Authentication; under ‘Implicit grant and hybrid flows’, enable ID tokens.

Add default permissions on the Azure application:

  • Click API permissions
  • Add a permission
  • Microsoft Graph
  • Application permissions
  • Add ‘User.Read.All’, ‘Group.Read.All’ and ‘People.Read.All’
  • Click Grant admin consent.
  • If you are not an admin in your tenant, please contact an admin to grant the permissions.
Add default API permission

Setup In Jenkins:

Click Manage Jenkins in the left menu, then click the Configure Global Security option.

Authentication:

  • Select the security realm as “Azure Active Directory”
  • Check Azure Active Directory and fill in the credentials.
  • Click Verify Application to make sure your input is valid.
  • Save the configuration (logged-in users will have permission to do anything)
  • Log in with Microsoft Entra ID
  • Return to ‘Security’ to configure authorization

Note: if you haven’t set up the Graph API permissions, Verify Application will fail; skip over that step.

Authorization:

  • Click Azure Active Directory Matrix-based security
  • Search for the user in ‘Azure User/group to add’ and click Add
  • Select the permission(s) in the table
  • Click ‘Apply’

You can still use other authorization strategies such as:

  • Matrix Authorization Strategy
  • Folder-based Authorization Strategy
  • Role-based Authorization Strategy

How to fix issues if you face any:

  • Able to log in but getting an access denied issue as below:

Fix:

  1. Please verify the permissions that you have set up on Azure as well as in the Jenkins GUI
  2. Try to downgrade/upgrade the azure-ad plugin; refer to this: https://github.com/jenkinsci/azure-ad-plugin/issues/190

  • Able to log in but not able to add permissions specific to users/groups in Jenkins under the authorization option

Fix: Make sure you added the correct privileges as below:

  • Group.Read.All
  • People.Read.All
  • User.Read.All

Document to read more about each permission: https://learn.microsoft.com/en-us/graph/permissions-reference

Jenkins community to raise questions: https://community.jenkins.io/

Thanks for your time!!!!
