Lately I have configured a lot of Single Sign On (SSO) connections between various applications and Azure Active Directory. Azure Active Directory supports the most common applications out of the box. For these types of applications the federation is preconfigured, and it only requires some tenant-specific entries to get things working. The steps to configure this are well documented at this location.
Some applications require some more advanced steps to enable a federation. In this post I will guide you through the setup of a federation for the Jenkins application.
The setup of the Jenkins Single Sign On configuration requires the following components in the Jenkins and Azure AD configuration:
- Role-Based Access Control Plugin -> https://go.cloudbees.com/docs/cloudbees-documentation/cje-user-guide/index.html#rbac
- SAML Plugin -> https://wiki.jenkins.io/display/JENKINS/SAML+Plugin
- Azure AD groups
- Azure AD test user which is a member of one of the groups.
Azure AD configuration
First we start with the setup of an Azure AD application context. Set up the Azure AD configuration using the steps described in this post. Use the following URL as the Identifier and Reply URL.
Next open the App registration and open the manifest.
In the manifest make sure the groupMembershipClaims property is set to SecurityGroup:
This makes sure the group IDs of the groups the user is a member of are sent as a claim in the token to the application.
Now go back to the main panel and click on the Enterprise Applications tab. Look for the Jenkins application and open its properties. Make sure “User assignment required” is set to Yes:
The final step of the application context configuration is to assign the groups to the application. Open the Users and Groups tab and assign the groups you have created.
Now open your Jenkins admin console and use the following steps to configure the federation.
Click on Manage Jenkins:
Open the menu Configure Global Security:
Select the SAML 2.0 option and fill in the following information:
IdP Metadata: Copy the contents of the Federation Metadata file generated in an earlier step.
Displayname: The default value.
Group attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
Username attribute: This is identical to the Display Name attribute.
Next scroll down the page and select the Role-Based Strategy option:
Save the configuration by clicking on Save.
Now go back to the Manage Jenkins panel and select the menu Manage and Assign Roles:
Open the menu Manage Roles:
Add a new role according to your needs. In this guide the role jenkins-users is used. Configure its permissions to your needs and make sure the admin role remains as it is:
Now go back to the Manage and Assign Roles menu and select Assign Roles:
Now add the Azure AD group GUIDs and assign the correct role. In this example we assign multiple groups to the role jenkins-users:
Please make sure to assign the admin role to a user or group to keep access to the administrative panel.
Now remove the anonymous roles:
You have now successfully configured the Single Sign On setup between Jenkins and Azure AD. When you access the Jenkins application you should get redirected to Azure AD. After a successful login you will have access to the application with the correct permissions, based on your group membership.
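To check the two pieces this setup hinges on before troubleshooting in the Jenkins UI, the groupMembershipClaims setting in the app manifest and the groups claim actually arriving in the SAML assertion, here is an added Python check that is not part of the original post. The manifest fragment, the assertion and every GUID in them are constructed, and ROLE_ASSIGNMENTS is a hypothetical mirror of the Assign Roles table described above.

```python
import json
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Constructed Azure AD app manifest fragment (placeholder appId, not a real tenant).
MANIFEST_JSON = '{"appId": "00000000-0000-0000-0000-000000000000", "groupMembershipClaims": "SecurityGroup"}'
# Constructed SAML assertion fragment carrying the groups claim with two made-up group object IDs.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# Hypothetical mirror of the "Assign Roles" table: Jenkins role -> Azure AD group object IDs.
ROLE_ASSIGNMENTS = {
    "admin": {"33333333-3333-3333-3333-333333333333"},
    "jenkins-users": {"11111111-1111-1111-1111-111111111111",
                      "44444444-4444-4444-4444-444444444444"},
}

def manifest_sends_groups(manifest_json):
    """True if the manifest makes Azure AD put group IDs in the token ("All" also covers security groups)."""
    return json.loads(manifest_json).get("groupMembershipClaims") in ("SecurityGroup", "All")

def groups_from_assertion(assertion_xml):
    """Return the group object IDs found under the groups claim, in assertion order."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == GROUP_CLAIM:
            groups.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS))
    return groups

def roles_for(groups, assignments=ROLE_ASSIGNMENTS):
    """Roles a login receives: every role whose assigned groups intersect the asserted groups."""
    return sorted(role for role, members in assignments.items() if members & set(groups))

def check_assignments(assignments):
    """The post's two cautions: keep the admin role assigned, and leave anonymous without any role."""
    problems = []
    if not assignments.get("admin"):
        problems.append("admin role has no assignee")
    for role, members in assignments.items():
        if "anonymous" in members:
            problems.append(f"anonymous still holds role {role}")
    return problems
```

An empty result from groups_from_assertion does not always mean the manifest is wrong: when a user belongs to more than 150 groups, Azure AD leaves the groups claim out of a SAML token and emits a group overage claim instead, so the user would silently end up with no Jenkins role.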