SSO: Azure AD & Jenkins

Lately I have configured a lot of Single Sign On (SSO) connections between various applications and Azure Active Directory. Azure Active Directory supports the most common applications out of the box: for these types of applications the federation is preconfigured and only requires some tenant-specific entries to get things working. The steps to configure this are well documented at this location.

Some applications require more advanced steps to enable a federation. In this post I will guide you through the setup of a federation for the Jenkins application.

Prerequisites

The setup of the Jenkins Single Sign On configuration requires the following components in the Jenkins and Azure AD configuration:

Azure AD configuration

First we start with the setup of an Azure AD application context. Set up the Azure AD configuration using the steps described in this post. Use the following URL as the Identifier and Reply URL:

https://[jenkinswebsiteaddress]/securityRealm/finishLogin


Next open the App registration and open the manifest.

aad3

In the manifest make sure the groupMembershipClaims property is set to SecurityGroup:

aad4


This makes sure the IDs of the groups the user is a member of are sent as a claim in the token to the application.


Now go back to the main panel and click on the Enterprise Applications tab. Look for the Jenkins application and open its properties. Make sure “User assignment required” is set to yes:

aad5

The final step for the application context configuration is to assign the groups to the application. Open the tab Users and Groups and assign the groups you have created.

aad6

Jenkins configuration

Now open your Jenkins admin console and use the following steps to configure the federation.

Click on Manage Jenkins:

jenkins1

Open the menu Configure Global Security:

jenkins2

Select the SAML 2.0 option and fill in the following information:

IdP Metadata: Copy the information from the Federation Metadata file generated in an earlier step.
Displayname: The default value.
Group attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
Username attribute: This is identical to the Display Name attribute.

jenkins3

Next scroll down the page and select the Role-Based Strategy option:

jenkins4

Save the configuration by clicking on Save.

Now go back to the Manage Jenkins panel and select the menu Manage and Assign Roles:

jenkins5

Open the menu Manage Roles:

jenkins6

Add a new role according to your needs. In this guide the role jenkins-users is used. Configure the permissions to your needs and make sure the admin remains as it is:

jenkins7

Now go back to the Manage and Assign Roles menu and select Assign Roles:

jenkins8

Now add the Azure AD group GUIDs and assign the correct role. In this example we assign multiple groups to the role jenkins-users:

jenkins9

Please make sure to assign the admin role to a user or group to keep access to the administrative panel.
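To make the group-to-role mapping concrete, here is an added example (my own code, not part of the original post or of the Jenkins SAML or Role-Based Strategy plugins) that reads the groups attribute configured above from a SAML assertion and resolves it against role assignments like the ones entered in Assign Roles. The assertion and the group GUIDs are constructed for the example, the displayname claim name is the standard Azure AD one, and the checks at the end mirror the two warnings in this post: keep an admin assignee and keep anonymous out of every role.

```python
"""Map Azure AD group claims from a SAML assertion to Jenkins roles (added example)."""
import xml.etree.ElementTree as ET

# Attribute name entered as "Group attribute" in the Jenkins SAML plugin (from the post).
GROUP_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: not a real Azure AD token, the GUIDs are made up,
# and it carries no signature. A real assertion is only trusted after the
# SAML plugin has validated the IdP signature; this code runs after that step.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Role assignments as entered under "Assign Roles": role -> set of SIDs
# (Azure AD group GUIDs, constructed for this example).
ROLE_ASSIGNMENTS = {
    "admin": {"99999999-9999-9999-9999-999999999999"},
    "jenkins-users": {
        "11111111-1111-1111-1111-111111111111",
        "33333333-3333-3333-3333-333333333333",
    },
}


def extract_groups(assertion_xml):
    """Return the group GUIDs carried in the groups attribute, in assertion order."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != GROUP_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text:
                groups.append(value.text.strip())
    return groups


def resolve_roles(groups, assignments):
    """Roles granted to a user who is a member of the given groups.

    A group that is not assigned to any role (22222222-... above) grants nothing,
    which is the behaviour you want: membership alone is not access.
    """
    member_of = set(groups)
    return {role for role, sids in assignments.items() if member_of & sids}


def check_assignments(assignments):
    """Sanity checks matching the post's warnings: keep an admin, drop anonymous."""
    findings = []
    if not assignments.get("admin"):
        findings.append("no principal holds the admin role")
    for role, sids in assignments.items():
        if "anonymous" in sids:
            findings.append(f"anonymous is assigned role {role}")
    return findings


if __name__ == "__main__":
    groups = extract_groups(SAMPLE_ASSERTION)
    print("groups:", groups)
    print("roles:", sorted(resolve_roles(groups, ROLE_ASSIGNMENTS)))
    print("findings:", check_assignments(ROLE_ASSIGNMENTS))
```

Run it before the final Save on the Assign Roles page with your own GUIDs filled in: an empty findings list means an admin assignee is present and anonymous has been removed from every role, which is exactly the state the next step leaves you in.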

Now remove the anonymous roles:

jenkins10

You have now successfully configured the Single Sign On setup between Jenkins and Azure AD. When you access the Jenkins application you should get redirected to Azure AD. After a successful login you will have access to the application with the correct permissions set based on your group membership.