Configure single sign-on (SSO) for Jenkins using HTTP headers

Enterprise Application Access (EAA) implements single sign-on (SSO) with Jenkins using custom headers functionality, which lets you configure the specific headers to insert and send to the origin application.

Before you begin

The Jenkins application uses the reverse-proxy-auth-plugin, which lets you delegate the authentication to the EAA cloud to protect the Jenkins application. It also includes authorization, which is done via LDAP groups synchronized within the Enterprise Application Access platform.
The plugin requires these header attributes to perform SSO with Jenkins:
  • Header User Name: X-Forwarded-User
  • Header Groups Name: X-Forwarded-Groups
  • Header Groups Delimiter: ","

SSO to any application lets users log in to one application so they will be automatically signed in to every other application linked together, regardless of the platform, technology, and domain. There are different ways to achieve SSO implementation. Jenkins supports SSO using different plugins.

How to

  1. Configure and install the reverse proxy auth plugin Jenkins.
    1. Log in to your Jenkins account. If you do not have an account, go to to download the application and create an account.
    2. In the Jenkins Administrative view, click Manage Jenkins.
      Jenkins Admin menu

    3. On the Manage Jenkins menu, click Manage Plugins.
      Manage Jenkins menu

    4. If your Jenkins application is updated with the latest version, you should see an Available tab with the list available plugins to download from the Jenkins repository.
    5. Search for Reverse Proxy Auth Plugin in the list and install the plugin. The Reverse Proxy Auth plugin can work with any reverse proxy in front of Jenkins and uses remote headers (X-Forwarded-Users and X-Forwarded-Groups) for authorization and SSO. EAA can pass these headers using the Custom Headers functionality built into the EAA cloud.
      Jenkins Reverse Proxy Auth Plugin

      Note: Once you enable the Reverse-Proxy plugin, all users need to get authenticated through the EAA platform using your LDAP credentials. They will no longer be authenticated by the Jenkins application directly.
    6. After installing the plugin, go to the Manage Jenkins page and click Configure Global Security.
      Manage Jenkins Configure Global Security option

    7. Under Global Security, you may have selected LDAP for authentication. You can either choose Auth Plugin or directly access the app using LDAP. To make the SSO work, click HTTP Header by reverse proxy. This pre-populates the correct headers. In the Header Groups Delimiter Name field replace the pipe (|) with a comma (,).
      Header fields

    8. For rights authorization, you can select Logged-in users can do anything to let all the logged-in users perform any action, or select Matrix-based security and define the role-based controls to restrict specific groups or users for certain actions. For example, you can disallow them to view the administrative section.
      Rights authorization options

    9. Save the configuration in the Jenkins administrative console.
  2. Log in to the EAA Management Portal.
    1. From the top menu bar, click Applications. The applications cards appear.
    2. Click the application card for the Jenkins application you want to configure.
    3. Click Settings > Advanced Settings.
    4. Scroll down to the Custom HTTP headers section and enter the header configuration information required by the Jenkins application plugin. For example:
      EAA Custom HTTP headers fields

    5. Click Save and go to Deployment.