Configure single sign-on (SSO) for Jenkins using HTTP headers
Enterprise Application Access (EAA) implements single sign-on (SSO) with Jenkins using custom headers functionality, which lets you configure the specific headers to insert and send to the origin application.
The Jenkins application uses the reverse-proxy-auth-plugin, which lets you delegate the authentication to the EAA cloud to protect the Jenkins application. It also includes authorization, which is done via LDAP groups synchronized within the Enterprise Application Access platform.
Before you begin
The plugin requires these header attributes to perform SSO with Jenkins:
- Header User Name:
- Header Groups Name:
- Header Groups Delimiter: "
SSO to any application lets users log in to one application so they will be automatically signed in to every other application linked together, regardless of the platform, technology, and domain. There are different ways to achieve SSO implementation. Jenkins supports SSO using different plugins.
Configure and install the
reverse proxy auth plugin Jenkins.
- Log in to your Jenkins account. If you do not have an account, go to https://jenkins.io/ to download the application and create an account.
In the Jenkins Administrative view, click Manage
On the Manage Jenkins menu, click Manage
- If your Jenkins application is updated with the latest version, you should see an Available tab with the list available plugins to download from the Jenkins repository.
Search for Reverse Proxy Auth Plugin in the list and install the
plugin. The Reverse Proxy Auth plugin can work with any reverse proxy in
front of Jenkins and uses remote headers
X-Forwarded-Groups) for authorization and SSO. EAA can pass these headers using the Custom Headers functionality built into the EAA cloud.Note: Once you enable the Reverse-Proxy plugin, all users need to get authenticated through the EAA platform using your LDAP credentials. They will no longer be authenticated by the Jenkins application directly.
After installing the plugin, go to the Manage Jenkins page and click
Configure Global Security.
Under Global Security, you may have selected
LDAP for authentication. You can either
choose Auth Plugin or directly access the app
using LDAP. To make the SSO work, click HTTP Header by
reverse proxy. This pre-populates the correct headers.
In the Header Groups Delimiter Name field replace
the pipe (|) with a comma (,).
For rights authorization, you can select Logged-in users can
do anything to let all the logged-in users perform any
action, or select Matrix-based security and
define the role-based controls to restrict specific groups or users for
certain actions. For example, you can disallow them to view the
- Save the configuration in the Jenkins administrative console.
Log in to the EAA Management Portal.
- From the top menu bar, click Applications. The applications cards appear.
- Click the application card for the Jenkins application you want to configure.
- Click .
Scroll down to the Custom HTTP headers section and enter the header
configuration information required by the Jenkins application plugin.
- Click Save and go to Deployment.