SSO for Jenkins using HTTP headers
Enterprise Application Access (EAA) implements single sign-on (SSO) with Jenkins by using its custom headers functionality, which lets you configure the specific headers to insert and send to the origin application.
Prerequisite:
The Jenkins application uses the reverse-proxy-auth-plugin, which lets you delegate the authentication to the Enterprise Application Access Cloud to protect the Jenkins application. It also includes authorization, which is done via LDAP groups synchronized within the Enterprise Application Access platform.
The plugin requires these header attributes to perform SSO with Jenkins:
- Header User Name: X-Forwarded-User
- Header Groups Name: X-Forwarded-Groups
- Header Groups Delimiter: , (comma)
SSO to any application lets users log in to one application and be automatically signed in to every other application linked to it, regardless of platform, technology, and domain. There are different ways to achieve SSO. Jenkins supports SSO through different plugins.
- To install and configure the Reverse Proxy Auth plugin, log in to your Jenkins account. If you do not have an account, go to https://jenkins.io/ to download the application and create an account.
- In the Jenkins administrative view, click Manage Jenkins.
- In Manage Jenkins, click Manage Plugins. If your Jenkins application is updated to the latest version, you should see an Available tab with the list of available plugins to download from the Jenkins repository.
- Search for Reverse Proxy Auth Plugin in the list and install the plugin. The Reverse Proxy Auth plugin can work with any reverse proxy in front of Jenkins and uses remote headers (X-Forwarded-User and X-Forwarded-Groups) for authorization and SSO. Enterprise Application Access can pass these headers using the Custom Headers functionality built into the Enterprise Application Access Cloud.
  Once you enable the Reverse Proxy Auth plugin, all users must authenticate through the Enterprise Application Access platform using their LDAP credentials. They are no longer authenticated by the Jenkins application directly.
- After you install the plugin, go to the Manage Jenkins page and click Configure Global Security.
- Under Global Security, you may have selected LDAP for authentication. You can either choose the auth plugin or directly access the app using LDAP. To make SSO work, click HTTP Header by reverse proxy. The header fields are filled in with the correct values. In the Header Groups Delimiter field, replace the pipe (|) with a comma (,).
- For authorization, you can select Logged-in users can do anything to let all logged-in users perform any action, or select Matrix-based security and define role-based controls that restrict specific groups or users from certain actions. For example, you can prevent them from viewing the administrative section.
- Save the configuration in the Jenkins administrative console.
- Log in to the Enterprise Center.
- In the Enterprise Center navigation menu, select Application Access > Applications > Applications.
- Select your Jenkins application to open it.
- In Settings > Advanced > Custom HTTP headers, enter the header configuration information required by the Jenkins application plugin. For example, in Header Name type X-Forwarded-Groups and in Attribute select group.
- Click Save and Deploy.
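The following Python model is an added example, not code from the Reverse Proxy Auth plugin or from Enterprise Application Access. It shows what the configuration above amounts to on the Jenkins side: the identity is read entirely from the two headers the proxy inserts, the groups value is split on the configured delimiter, and a matrix maps groups to permissions. It also shows the two failure modes the steps guard against: leaving the delimiter at the pipe default while EAA sends comma-separated groups (the user then belongs to one unrecognised group and gets no matrix permissions), and a request that carries no proxy headers at all (no identity is derived, which is why Jenkins must be reachable only through the proxy for this scheme to be sound). The header names are those given on this page; the user "alice", the groups, the permission names and the matrix are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

# Header names the reverse-proxy-auth-plugin expects (taken from the page).
USER_HEADER = "X-Forwarded-User"
GROUPS_HEADER = "X-Forwarded-Groups"


@dataclass(frozen=True)
class Identity:
    user: str
    groups: FrozenSet[str]


def identity_from_headers(headers: Dict[str, str], delimiter: str = ",") -> Optional[Identity]:
    """Derive the caller's identity from the headers the proxy inserted.

    Header names are matched case-insensitively, as HTTP requires. A request
    without a non-empty user header yields None: a request that did not pass
    through the proxy must not be treated as any user at all.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    user = (lower.get(USER_HEADER.lower()) or "").strip()
    if not user:
        return None
    raw_groups = lower.get(GROUPS_HEADER.lower()) or ""
    groups = frozenset(g.strip() for g in raw_groups.split(delimiter) if g.strip())
    return Identity(user=user, groups=groups)


# Constructed matrix in the spirit of Jenkins "Matrix-based security":
# group name -> granted permissions. Group and permission names are illustrative.
MATRIX: Dict[str, Set[str]] = {
    "jenkins-admins": {"Overall/Read", "Overall/Administer", "Job/Build"},
    "developers": {"Overall/Read", "Job/Build"},
    "qa": {"Overall/Read"},
}


def permissions_for(identity: Optional[Identity]) -> Set[str]:
    """Union of the permissions granted to each of the identity's groups."""
    if identity is None:
        return set()
    perms: Set[str] = set()
    for group in identity.groups:
        perms |= MATRIX.get(group, set())
    return perms


def is_allowed(identity: Optional[Identity], permission: str) -> bool:
    """True only if some group of a proxy-authenticated user grants the permission."""
    return permission in permissions_for(identity)


# Constructed sample request headers, as the proxy would insert them for a
# directory user "alice" whose synchronised groups are "developers" and "qa".
SAMPLE_HEADERS = {
    "X-Forwarded-User": "alice",
    "X-Forwarded-Groups": "developers,qa",
}


def demo() -> Dict[str, object]:
    """Run the three cases the configuration steps hinge on."""
    # Delimiter matches what the proxy sends: both groups are recognised.
    good = identity_from_headers(SAMPLE_HEADERS, delimiter=",")
    # Delimiter left at the pipe default: "developers,qa" is read as a single
    # unknown group, so the user receives no matrix permissions.
    wrong_delim = identity_from_headers(SAMPLE_HEADERS, delimiter="|")
    # No proxy headers at all (a request that bypassed the proxy): no identity.
    no_proxy = identity_from_headers({"Host": "jenkins.example.test"})
    return {
        "groups_comma": sorted(good.groups),
        "groups_pipe": sorted(wrong_delim.groups),
        "can_build_comma": is_allowed(good, "Job/Build"),
        "can_build_pipe": is_allowed(wrong_delim, "Job/Build"),
        "is_admin": is_allowed(good, "Overall/Administer"),
        "direct_access_identity": no_proxy,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints one line per case; the delimiter mismatch is the one to watch for in practice, because the user still logs in successfully but silently lands in a group that matches nothing in the matrix.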