Configure single sign-on (SSO) for Jenkins using HTTP headers
Enterprise Application Access (EAA) implements single sign-on (SSO) with Jenkins using its
custom headers functionality, which lets you specify the headers to insert and send to
the origin application.
Before you begin
The Jenkins application uses the reverse-proxy-auth-plugin, which lets you
delegate the authentication to the EAA cloud to protect the Jenkins application. It also
includes authorization, which is done via LDAP groups synchronized within the Enterprise
Application Access platform.
The plugin requires these header attributes to perform
SSO with Jenkins:
Header User Name: X-Forwarded-User
Header Groups Name: X-Forwarded-Groups
Header Groups Delimiter: ","
SSO lets users log in once and be signed in automatically to every linked
application, regardless of platform, technology, and domain. SSO can be implemented
in different ways, and Jenkins supports it through different plugins.
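The following Python sketch is an added example, not code from Akamai or from the plugin. It models how an origin that trusts these headers turns them into a user and a group set, and why the delimiter must match on both sides. The trusted proxy range, the sample request, and the function names are constructed assumptions.

```python
"""Model of how a header-trusting origin interprets reverse-proxy SSO headers.
Added illustration; not the reverse-proxy-auth-plugin's own code."""
from ipaddress import ip_address, ip_network

USER_HEADER = "X-Forwarded-User"      # header names listed on this page
GROUPS_HEADER = "X-Forwarded-Groups"
# Assumption: only the EAA connector's network is allowed to reach Jenkins.
TRUSTED_PROXIES = [ip_network("10.20.0.0/28")]  # constructed sample range


def parse_groups(value, delimiter=","):
    """Split the groups header into a set of trimmed, non-empty names."""
    return {g.strip() for g in (value or "").split(delimiter) if g.strip()}


def identity_from_request(peer_ip, headers, delimiter=","):
    """Return (user, groups), or None when the headers must not be trusted."""
    # Headers are plain request text: accept them only from the proxy itself.
    if not any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        return None
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    user = lowered.get(USER_HEADER.lower(), "").strip()
    if not user:
        return None
    return user, parse_groups(lowered.get(GROUPS_HEADER.lower()), delimiter)


def is_allowed(identity, required_group):
    """Matrix-style check: the user must carry the required group."""
    return identity is not None and required_group in identity[1]


# Constructed sample request, as the proxy would forward it.
SAMPLE = {"X-Forwarded-User": "jdoe", "x-forwarded-groups": "jenkins-admins, dev"}

if __name__ == "__main__":
    ok = identity_from_request("10.20.0.5", SAMPLE, ",")
    mismatch = identity_from_request("10.20.0.5", SAMPLE, "|")
    direct = identity_from_request("203.0.113.9", SAMPLE, ",")
    print("comma delimiter:", ok, is_allowed(ok, "jenkins-admins"))
    print("pipe delimiter :", mismatch, is_allowed(mismatch, "jenkins-admins"))
    print("direct request :", direct, is_allowed(direct, "jenkins-admins"))
```

With a pipe delimiter on the Jenkins side and a comma-separated header, the whole value is read as one group name, so group-based permissions never match. The source-address check stands in for the network controls that keep Jenkins reachable only through EAA.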
How to
Configure and install the
Reverse Proxy Auth plugin in Jenkins.
Log in to your Jenkins account. If you do not have an account, go to
https://jenkins.io/ to download the application and create
an account.
In the Jenkins Administrative view, click Manage
Jenkins.
Jenkins Admin menu
On the Manage Jenkins menu, click Manage
Plugins.
Manage Jenkins menu
If your Jenkins application is updated to the latest version, you
should see an Available tab with the list of
available plugins to download from the Jenkins repository.
Search for Reverse Proxy Auth Plugin in the list and install the
plugin. The Reverse Proxy Auth plugin can work with any reverse proxy in
front of Jenkins and uses remote headers
(X-Forwarded-User and
X-Forwarded-Groups) for authorization and SSO. EAA
can pass these headers using the Custom Headers functionality built into
the EAA cloud.
Jenkins Reverse Proxy Auth Plugin
Note: Once you enable the Reverse-Proxy plugin, all users must
authenticate through the EAA platform using their LDAP credentials.
They are no longer authenticated by the Jenkins application
directly.
After installing the plugin, go to the Manage Jenkins page and click
Configure Global Security.
Manage Jenkins Configure Global Security option
Under Global Security, you may have selected
LDAP for authentication. You can either
choose Auth Plugin or directly access the app
using LDAP. To make SSO work, click HTTP Header by
reverse proxy. This pre-populates the correct headers.
In the Header Groups Delimiter Name field, replace
the pipe (|) with a comma (,).
Header fields
For rights authorization, you can select Logged-in users can
do anything to let all logged-in users perform any
action, or select Matrix-based security and
define role-based controls that restrict specific groups or users from
certain actions. For example, you can prevent them from viewing the
administrative section.
Rights authorization options
Save the configuration in the Jenkins administrative console.
Log in to the EAA Management Portal.
From the top menu bar, click Applications. The
application cards appear.
Click the application card for the Jenkins application you want to
configure.
Click Settings > Advanced Settings.
Scroll down to the Custom HTTP headers section and enter the header
configuration information required by the Jenkins application plugin.
For example: